On Mon, Oct 28, 2013 at 12:37:30PM -0700, Jeremy Spilman wrote: > Just an aside... > > The 1BTC bountry John references below is a 1BTC P2SH output, where the > redeemScript he provided does hash to the expected value, and is itself a > 2-of-3 multisig, with the following pubkeys, expressed as addresses: > > 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj > 1FCYd7j4CThTMzts78rh6iQJLBRGPW9fWv > 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB > > By comparison, the signatories for the 4BTC bountry are: > > 1L9p6QiWs2nfinyF4CnbqysWijMvvcsnxe > 1FCYd7j4CThTMzts78rh6iQJLBRGPW9fWv > 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB > > On the one hand, the vanity address makes it easy to guess who one of the > signatories is, on the other hand, is it bad form to reuse keys for > signing? It's a bit more risky from a cryptography perspective, but provided your wallet implementation is done correctly the extra risk is pretty much theoretical. However this has caused real-world coin loss in the past in the case of the Android PRNG flaw - re-using nonces in ECC signing causes the private key to be revealed. I think the real issue here is that John doesn't appear to have asked any of the people whose signatures can release the funds if they were willing to take part. If he had done that, he could have, and should have, gotten separate pubkeys for the purpose of the bounty like was done for Gregory Maxwell's CoinJoin bounty. Instead by not asking he is in reality if not in theory placing demands on people who haven't consented, particularly for the 1BTC bounty where he doesn't control any of the private keys required to release the funds. IMO this is rude and I encourage people not to do this. > John, you mentioned wanting to disambiguate bounties, perhaps through a > bounty-specific pubkey. I'm not sure I follow, how is that better than > just referencing the address of the output, or the TxID, in a 'Table of > Bounties'? Or you want to embed a hash of your signed message announcing > the bounty? Well, the issue with not disambiguating bounties is that if further funds are sent to the bounty address it's unclear how do you handle those funds. Note how he specified a specific txout for the 1BTC bounty, but specified an address for the 4BTC bounty. > Out of curiosity, I suppose right now you just keep pubkeys for the > signatories you want to appoint and reuse the same pubkey to create these > multi-sigs, or you have to ask for a new one each time? > > From the signatories perspective, I imagine we're a long way off from a > wallet receiving or importing the p2sh, tracking that these outputs as > "yours", and even more, which contract/bounty they correspond to, and > finally a usable way to accumulate signatures and ultimately spend the > output to the bounty winner. We're not that far off: I could cook up a Python script to do the signature accumulation and signing in a few hours. There's just not all that much demand yet to fully polish the UI's, and in any case, it'll differ for every specific application. FWIW blockchain.info added multisig escrow support ages ago, then removed it not long after because usage was near zero. -- 'peter'[:-1]@petertodd.org 0000000000000001daf527009e07f452eee5dca920d3a9253b682d8bd26783ff