Topic: Should PGP keys be made mandatory for high ranks? - page 2. (Read 583 times)

legendary
Activity: 1806
Merit: 1828
Using Bitcoin keys is more difficult: you need to get people to use legacy addresses, as there's no message signing standard using segwit addresses. Awkward situation.

And what's the trouble keeping a legacy address?

Also it IS possible to sign a message with a segwit address.

Exactly. Especially since it is probably advisable to stake an address here that you never intend on using for receiving payments.
legendary
Activity: 1484
Merit: 1491
I forgot more than you will ever know.
Using Bitcoin keys is more difficult: you need to get people to use legacy addresses, as there's no message signing standard using segwit addresses. Awkward situation.

And what's the trouble keeping a legacy address?

Also it IS possible to sign a message with a segwit address.
legendary
Activity: 3430
Merit: 3080
Using Bitcoin keys is more difficult: you need to get people to use legacy addresses, as there's no message signing standard using segwit addresses. Awkward situation.
legendary
Activity: 1484
Merit: 1491
I forgot more than you will ever know.
I don't see the point in using PGP for that specific reason. A specific bitcoin or ethereum addy is perfectly fine for that usage.
legendary
Activity: 3430
Merit: 3080
Re: SHA-1 fingerprints

Does this matter for the current PGP use-case on Bitcointalk? The fingerprint need not (and AFAIU is not) be used for account recovery.
legendary
Activity: 1806
Merit: 1828
Yes, it would be very helpful, along with:
  • Requirement for a signed message with the previous key in order to register a new one


I'm not too sure that I like this idea. I ended up staking a new address because the original was controlled by coinbase. Unfortunately, coinbase disabled the ability to sign a message. I don't think the simple fact of losing a key should put a beloved account at risk of being locked out forever. I know us Bitcoiners are used to it. However, it is actually a security flaw to make access totally unrecoverable if keys are lost.
What happened to you regarding coinbase can't happen with PGP keys. These keys are yours only and can't ever be managed by anybody else, even less so exclusively by someone else. PGP keys should be backed up and safely kept. If someone loses their PGP keys it would at least be a sign they're not very good at security.

There could be a way to set a new PGP certificate if the last one's keys were lost, but it shouldn't be easy at least. It should require some deep verification.

But this is really secondary compared to first actually having PGP keys registered into the forum, that or another standard that proves to be more secure.

Eventually losing your keys or having them compromised is the way of the universe. However, I guess for the purpose of this forum, there is no need for anyone else to gain access in the event of my death.
legendary
Activity: 3430
Merit: 3080
this was already suggested by OgNasty to theymos, and theymos thinks PGP keys are insecure and it needs a revision.

I’ve long thought there should be a spot for PGP fingerprint.

PGP fingerprints are SHA-1, which is insecure. The OpenPGP standard really needs a complete new revision...

Hmmm, that means spoofing fingerprints is fairly trivial. Awkward.
legendary
Activity: 1876
Merit: 1475
Yes, it would be very helpful, along with:
  • Requirement for a signed message with the previous key in order to register a new one


I'm not too sure that I like this idea. I ended up staking a new address because the original was controlled by coinbase. Unfortunately, coinbase disabled the ability to sign a message. I don't think the simple fact of losing a key should put a beloved account at risk of being locked out forever. I know us Bitcoiners are used to it. However, it is actually a security flaw to make access totally unrecoverable if keys are lost.
What happened to you regarding coinbase can't happen with PGP keys. These keys are yours only and can't ever be managed by anybody else, even less so exclusively by someone else. PGP keys should be backed up and safely kept. If someone loses their PGP keys it would at least be a sign they're not very good at security.

There could be a way to set a new PGP certificate if the last one's keys were lost, but it shouldn't be easy at least. It should require some deep verification.

But this is really secondary compared to first actually having PGP keys registered into the forum, that or another standard that proves to be more secure.
sr. member
Activity: 1288
Merit: 415
Bitcoin addresses are one of the main parts in the working of the forum. If a person could not verify his BTC address by signing a message, it means he could not recover his account in case it is locked or hacked. It is one of the important criteria to recover an account along with the original email, so adding it as a field on the Bitcointalk profile is a pretty good suggestion.

But this was already suggested by OgNasty to theymos, and theymos thinks PGP keys are insecure and it needs a revision.

I’ve long thought there should be a spot for PGP fingerprint.

PGP fingerprints are SHA-1, which is insecure. The OpenPGP standard really needs a complete new revision...
legendary
Activity: 1806
Merit: 1828
Yes, it would be very helpful, along with:
  • Requirement for a signed message with the previous key in order to register a new one


I'm not too sure that I like this idea. I ended up staking a new address because the original was controlled by coinbase. Unfortunately, coinbase disabled the ability to sign a message. I don't think the simple fact of losing a key should put a beloved account at risk of being locked out forever. I know us Bitcoiners are used to it. However, it is actually a security flaw to make access totally unrecoverable if keys are lost.
legendary
Activity: 1876
Merit: 1475
Yes, it would be very helpful, along with:
  • Requirement for a signed message with the previous key in order to register a new one
  • An option to encrypt any received PM, using the registered public key
  • An option to automatically verify a message was signed by somebody, using the registered public key
Accounts could still be sold along with the private keys, but this would pretty much make it impossible to hack accounts, and would definitely increase security and privacy.
legendary
Activity: 3430
Merit: 3080
Maybe start out saying Legendaries must register PGP keys within a timeout that starts after their most recent login? Then move that requirement down the ranks slowly.


It seems like PGP usage is sort of encouraged, but then again there is also a field in Profile Settings for MSN and Skype handles. If PGP is needed to recover accounts, why not actually make it a part of the forum? Given that Bitcoin is really a part of a wider push towards personal cryptography as a whole, I'm slightly surprised we're still at the "post your public key in this thread" stage.