On Tue, Dec 18, 2018 at 03:08:26AM +0800, Johnson Lau via bitcoin-dev wrote:
> >> If it's not safer in practice, we've spent a little extra complexity
> >> committing to a subset of the script in each signature to no gain. If
> >> it is safer in practice, we've prevented people from losing funds. I'm
> >> all for less complexity, but not for that tradeoff.
> > 
> > There are many complexities we could add, each of which would prevent
> > loss of funds in some theoretical case.
> 
> Every security measures are overkill, until someone get burnt. If these security measures are really effective, no one will get burnt. The inevitable conclusion is: every effective security measures are overkill.

This isn't really a security issue, it's a software reliability issue. And
you're making a trade-off between complexity of the core protocol and
complexity of wallet software.

A core protocol failure has high costs for every single Bitcoin user; a wallet
software failure affects a much smaller number of people. So I'd be inclined to
prioritise core protocol simplicity rather than stamping out one of many, many,
ways that wallet software can screw up and lose money.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org