* [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
@ 2014-09-13 13:55 Peter Todd
2014-09-13 14:03 ` Jeff Garzik
0 siblings, 1 reply; 18+ messages in thread
From: Peter Todd @ 2014-09-13 13:55 UTC (permalink / raw)
To: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 280 bytes --]
So far I have zero evidence that the common claim that "Satoshi PGP
signed everything" was true; I have no evidence he ever
cryptographically signed any communications at all.
--
'peter'[:-1]@petertodd.org
00000000000000000ce4f740fb700bb8a9ed859ac96ac9871567a20fca07f76a
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 650 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-13 13:55 [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key? Peter Todd
@ 2014-09-13 14:03 ` Jeff Garzik
2014-09-14 6:28 ` Peter Todd
0 siblings, 1 reply; 18+ messages in thread
From: Jeff Garzik @ 2014-09-13 14:03 UTC (permalink / raw)
To: Peter Todd; +Cc: Bitcoin Dev
That claim is horse manure :) He never signed private emails sent to
me, nor the forum posts.
He -might- have signed the occasional thing related to releases, I'm not sure.
On Sat, Sep 13, 2014 at 9:55 AM, Peter Todd <pete@petertodd•org> wrote:
> So far I have zero evidence that the common claim that "Satoshi PGP
> signed everything" was true; I have no evidence he ever
> cryptographically signed any communications at all.
>
> --
> 'peter'[:-1]@petertodd.org
> 00000000000000000ce4f740fb700bb8a9ed859ac96ac9871567a20fca07f76a
>
> ------------------------------------------------------------------------------
> Want excitement?
> Manually upgrade your production database.
> When you want reliability, choose Perforce
> Perforce version control. Predictably reliable.
> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists•sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
--
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc. https://bitpay.com/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-13 14:03 ` Jeff Garzik
@ 2014-09-14 6:28 ` Peter Todd
2014-09-15 7:23 ` Thomas Zander
0 siblings, 1 reply; 18+ messages in thread
From: Peter Todd @ 2014-09-14 6:28 UTC (permalink / raw)
To: Jeff Garzik; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 1525 bytes --]
On Sat, Sep 13, 2014 at 10:03:20AM -0400, Jeff Garzik wrote:
> That claim is horse manure :) He never signed private emails sent to
> me, nor the forum posts.
That's consistent with what everyone else is saying:
https://twitter.com/petertoddbtc/status/509614729879642113
> He -might- have signed the occasional thing related to releases, I'm not sure.
Doesn't seem like there's any evidence of that either. For instance the
archive.org Jan 31st 2009 capture of bitcoin.org with v1.3 has a link to
his PGP key, but the release itself is unsigned:
https://web.archive.org/web/20090131115053/http://bitcoin.org/
Similarly the Nov 29 2009 capture of the sourceforge download directory
has releases v0.1.0, v0.1.2, v0.1.3, and v0.1.5, none of which have
signatures:
https://web.archive.org/web/20091129231630/http://sourceforge.net/projects/bitcoin/files/Bitcoin/
The earliest signature I can find is from v0.3.20 from Gavin Andresen:
https://web.archive.org/web/20110502125522/http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.20/
Earliest sig in the git commit history is the v0.3.21 tag, again from
Gavin.
My best guess is Satoshi only created the PGP key in case
someone needed to send him a security-related bug report. Which leads to
a related question:
Do we have any evidence Satoshi ever even had access to that key? Did he
ever use PGP at all for anything?
--
'peter'[:-1]@petertodd.org
00000000000000000ce4f740fb700bb8a9ed859ac96ac9871567a20fca07f76a
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 650 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-14 6:28 ` Peter Todd
@ 2014-09-15 7:23 ` Thomas Zander
2014-09-15 9:49 ` Melvin Carvalho
2014-09-15 13:08 ` Jeff Garzik
0 siblings, 2 replies; 18+ messages in thread
From: Thomas Zander @ 2014-09-15 7:23 UTC (permalink / raw)
To: bitcoin-development
On Sunday 14. September 2014 08.28.27 Peter Todd wrote:
> Do we have any evidence Satoshi ever even had access to that key? Did he
> ever use PGP at all for anything?
Any and all PGP related howtos will tell you that you should not trust or sign
a formerly-untrusted PGP (or GPG for that matter) key without seeing that
person in real life, verifying their identity etc.
I think that kind of disqualifies pgp for identity purposes wrt Satoshi :-)
--
Thomas Zander
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 7:23 ` Thomas Zander
@ 2014-09-15 9:49 ` Melvin Carvalho
2014-09-15 13:08 ` Jeff Garzik
1 sibling, 0 replies; 18+ messages in thread
From: Melvin Carvalho @ 2014-09-15 9:49 UTC (permalink / raw)
To: Thomas Zander; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 1255 bytes --]
On 15 September 2014 09:23, Thomas Zander <thomas@thomaszander•se> wrote:
> On Sunday 14. September 2014 08.28.27 Peter Todd wrote:
> > Do we have any evidence Satoshi ever even had access to that key? Did he
> > ever use PGP at all for anything?
>
> Any and all PGP related howtos will tell you that you should not trust or
> sign
> a formerly-untrusted PGP (or GPG for that matter) key without seeing that
> person in real life, verifying their identity etc.
>
> I think that kind of disqualifies pgp for identity purposes wrt Satoshi :-)
>
But I presume that if the key is on bitcoin.org, you can probably infer
that the owner of the key and the original owner of bitcoin.org are one and
the same ...
>
> --
> Thomas Zander
>
>
> ------------------------------------------------------------------------------
> Want excitement?
> Manually upgrade your production database.
> When you want reliability, choose Perforce
> Perforce version control. Predictably reliable.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists•sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
[-- Attachment #2: Type: text/html, Size: 2303 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 7:23 ` Thomas Zander
2014-09-15 9:49 ` Melvin Carvalho
@ 2014-09-15 13:08 ` Jeff Garzik
2014-09-15 13:32 ` Brian Hoffman
` (2 more replies)
1 sibling, 3 replies; 18+ messages in thread
From: Jeff Garzik @ 2014-09-15 13:08 UTC (permalink / raw)
To: Thomas Zander; +Cc: Bitcoin Dev
On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander <thomas@thomaszander•se> wrote:
> Any and all PGP related howtos will tell you that you should not trust or sign
> a formerly-untrusted PGP (or GPG for that matter) key without seeing that
> person in real life, verifying their identity etc.
Such guidelines are a perfect example of why PGP WoT is useless and
stupid geek wanking.
A person's behavioural signature is what is relevant. We know how
Satoshi coded and wrote. It was the online Satoshi with which we
interacted. The online Satoshi's PGP signature would be fine...
assuming he established a pattern of use.
As another example, I know the code contributions and PGP key signed
by the online entity known as "sipa." At a bitcoin conf I met a
person with photo id labelled "Pieter Wuille" who claimed to be sipa,
but that could have been an actor. Absent a laborious and boring
signed challenge process, for all we know, "sipa" is a supercomputing
cluster of 500 gnomes.
The point is, the "online entity known as Satoshi" is the relevant
fingerprint. That is easily established without any in-person
meetings.
--
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc. https://bitpay.com/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 13:08 ` Jeff Garzik
@ 2014-09-15 13:32 ` Brian Hoffman
2014-09-15 14:33 ` Jeff Garzik
` (2 more replies)
2014-09-15 14:44 ` Venzen
2014-09-15 18:06 ` Justus Ranvier
2 siblings, 3 replies; 18+ messages in thread
From: Brian Hoffman @ 2014-09-15 13:32 UTC (permalink / raw)
To: Jeff Garzik; +Cc: Bitcoin Dev
I would agree that the in person aspect of the WoT is frustrating, but to dismiss this as "geek wanking" is the pot calling the kettle.
The value of in person vetting of identity is undeniable. Just because your risk acceptance is difference doesn't make it wanking. Please go see if you can get any kind of governmental clearance of credential without in-person vetting. Ask them if they accept your behavioral signature.
I know there is a lot of PGP hating these days but this comment doesn't necessarily apply to every situation.
> On Sep 15, 2014, at 9:08 AM, Jeff Garzik <jgarzik@bitpay•com> wrote:
>
>> On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander <thomas@thomaszander•se> wrote:
>> Any and all PGP related howtos will tell you that you should not trust or sign
>> a formerly-untrusted PGP (or GPG for that matter) key without seeing that
>> person in real life, verifying their identity etc.
>
> Such guidelines are a perfect example of why PGP WoT is useless and
> stupid geek wanking.
>
> A person's behavioural signature is what is relevant. We know how
> Satoshi coded and wrote. It was the online Satoshi with which we
> interacted. The online Satoshi's PGP signature would be fine...
> assuming he established a pattern of use.
>
> As another example, I know the code contributions and PGP key signed
> by the online entity known as "sipa." At a bitcoin conf I met a
> person with photo id labelled "Pieter Wuille" who claimed to be sipa,
> but that could have been an actor. Absent a laborious and boring
> signed challenge process, for all we know, "sipa" is a supercomputing
> cluster of 500 gnomes.
>
> The point is, the "online entity known as Satoshi" is the relevant
> fingerprint. That is easily established without any in-person
> meetings.
>
> --
> Jeff Garzik
> Bitcoin core developer and open source evangelist
> BitPay, Inc. https://bitpay.com/
>
> ------------------------------------------------------------------------------
> Want excitement?
> Manually upgrade your production database.
> When you want reliability, choose Perforce
> Perforce version control. Predictably reliable.
> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists•sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 13:32 ` Brian Hoffman
@ 2014-09-15 14:33 ` Jeff Garzik
2014-09-15 14:49 ` Brian Hoffman
2014-09-15 14:38 ` ThomasZander.se
2014-09-15 15:10 ` Thomas Zander
2 siblings, 1 reply; 18+ messages in thread
From: Jeff Garzik @ 2014-09-15 14:33 UTC (permalink / raw)
To: Brian Hoffman; +Cc: Bitcoin Dev
It applies to OP, bitcoin community development and Satoshi.
"value of in person vetting of identity is undeniable"... no it is
quite deniable. Satoshi is the quintessential example. We value brain
output, code. The real world identity is irrelevant to whether or not
bitcoin continues to function.
The currency of bitcoin development is code, and electronic messages
describing cryptographic theses. _That_ is the relevant fingerprint.
Governmental id is second class, can be forged or simply present a
different individual from that who is online. PGP WoT wanking does
not solve that problem at all.
On Mon, Sep 15, 2014 at 9:32 AM, Brian Hoffman <brianchoffman@gmail•com> wrote:
> I would agree that the in person aspect of the WoT is frustrating, but to dismiss this as "geek wanking" is the pot calling the kettle.
>
> The value of in person vetting of identity is undeniable. Just because your risk acceptance is difference doesn't make it wanking. Please go see if you can get any kind of governmental clearance of credential without in-person vetting. Ask them if they accept your behavioral signature.
>
> I know there is a lot of PGP hating these days but this comment doesn't necessarily apply to every situation.
>
>
>
>> On Sep 15, 2014, at 9:08 AM, Jeff Garzik <jgarzik@bitpay•com> wrote:
>>
>>> On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander <thomas@thomaszander•se> wrote:
>>> Any and all PGP related howtos will tell you that you should not trust or sign
>>> a formerly-untrusted PGP (or GPG for that matter) key without seeing that
>>> person in real life, verifying their identity etc.
>>
>> Such guidelines are a perfect example of why PGP WoT is useless and
>> stupid geek wanking.
>>
>> A person's behavioural signature is what is relevant. We know how
>> Satoshi coded and wrote. It was the online Satoshi with which we
>> interacted. The online Satoshi's PGP signature would be fine...
>> assuming he established a pattern of use.
>>
>> As another example, I know the code contributions and PGP key signed
>> by the online entity known as "sipa." At a bitcoin conf I met a
>> person with photo id labelled "Pieter Wuille" who claimed to be sipa,
>> but that could have been an actor. Absent a laborious and boring
>> signed challenge process, for all we know, "sipa" is a supercomputing
>> cluster of 500 gnomes.
>>
>> The point is, the "online entity known as Satoshi" is the relevant
>> fingerprint. That is easily established without any in-person
>> meetings.
>>
>> --
>> Jeff Garzik
>> Bitcoin core developer and open source evangelist
>> BitPay, Inc. https://bitpay.com/
>>
>> ------------------------------------------------------------------------------
>> Want excitement?
>> Manually upgrade your production database.
>> When you want reliability, choose Perforce
>> Perforce version control. Predictably reliable.
>> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Bitcoin-development mailing list
>> Bitcoin-development@lists•sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
--
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc. https://bitpay.com/
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 13:32 ` Brian Hoffman
2014-09-15 14:33 ` Jeff Garzik
@ 2014-09-15 14:38 ` ThomasZander.se
2014-09-15 15:10 ` Thomas Zander
2 siblings, 0 replies; 18+ messages in thread
From: ThomasZander.se @ 2014-09-15 14:38 UTC (permalink / raw)
To: Bitcoin Dev
The reason it is in fact wanking is because pgp tried to solve a problem that can't be solved.
It tried to provide distributed trust to a system of identity, while still depending on the local government (i.e centralized) for the upstream ID...
It's a marriage that has no benefit.
What we really want is (decentralized) identity management that allows me to create a new anonymous ID and use that as something more secure than trusting a behavior pattern to proof it's me.
Sent on the go. Excuse the brevity.
Original Message
From: Brian Hoffman
Sent: 15:35 mandag 15. september 2014
To: Jeff Garzik
Cc: Thomas Zander; Bitcoin Dev
Subject: Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
I would agree that the in person aspect of the WoT is frustrating, but to dismiss this as "geek wanking" is the pot calling the kettle.
The value of in person vetting of identity is undeniable. Just because your risk acceptance is difference doesn't make it wanking. Please go see if you can get any kind of governmental clearance of credential without in-person vetting. Ask them if they accept your behavioral signature.
I know there is a lot of PGP hating these days but this comment doesn't necessarily apply to every situation.
> On Sep 15, 2014, at 9:08 AM, Jeff Garzik <jgarzik@bitpay•com> wrote:
>
>> On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander <thomas@thomaszander•se> wrote:
>> Any and all PGP related howtos will tell you that you should not trust or sign
>> a formerly-untrusted PGP (or GPG for that matter) key without seeing that
>> person in real life, verifying their identity etc.
>
> Such guidelines are a perfect example of why PGP WoT is useless and
> stupid geek wanking.
>
> A person's behavioural signature is what is relevant. We know how
> Satoshi coded and wrote. It was the online Satoshi with which we
> interacted. The online Satoshi's PGP signature would be fine...
> assuming he established a pattern of use.
>
> As another example, I know the code contributions and PGP key signed
> by the online entity known as "sipa." At a bitcoin conf I met a
> person with photo id labelled "Pieter Wuille" who claimed to be sipa,
> but that could have been an actor. Absent a laborious and boring
> signed challenge process, for all we know, "sipa" is a supercomputing
> cluster of 500 gnomes.
>
> The point is, the "online entity known as Satoshi" is the relevant
> fingerprint. That is easily established without any in-person
> meetings.
>
> --
> Jeff Garzik
> Bitcoin core developer and open source evangelist
> BitPay, Inc. https://bitpay.com/
>
> ------------------------------------------------------------------------------
> Want excitement?
> Manually upgrade your production database.
> When you want reliability, choose Perforce
> Perforce version control. Predictably reliable.
> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists•sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 13:08 ` Jeff Garzik
2014-09-15 13:32 ` Brian Hoffman
@ 2014-09-15 14:44 ` Venzen
2014-09-15 18:06 ` Justus Ranvier
2 siblings, 0 replies; 18+ messages in thread
From: Venzen @ 2014-09-15 14:44 UTC (permalink / raw)
To: bitcoin-development
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Funny that you should describe WoT that way. According to some
psycho-analysts the act of making love to a partner is actually a
realization of our subconscious desire to make love to ourselves.
So, in this sense, WoT geeks are indeed masturbating, but it's with
the good purpose of ensuring that it's being done via the intended
recipient and not some imposter or unsuspecting bystander.
That's a valid concern, especially as Bitcoin development ranks grow
and branch beyond a small core team.
On 09/15/2014 08:08 PM, Jeff Garzik wrote:
> On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander
> <thomas@thomaszander•se> wrote:
>> Any and all PGP related howtos will tell you that you should not
>> trust or sign a formerly-untrusted PGP (or GPG for that matter)
>> key without seeing that person in real life, verifying their
>> identity etc.
>
> Such guidelines are a perfect example of why PGP WoT is useless
> and stupid geek wanking.
>
> A person's behavioural signature is what is relevant. We know how
> Satoshi coded and wrote. It was the online Satoshi with which we
> interacted. The online Satoshi's PGP signature would be fine...
> assuming he established a pattern of use.
>
> As another example, I know the code contributions and PGP key
> signed by the online entity known as "sipa." At a bitcoin conf I
> met a person with photo id labelled "Pieter Wuille" who claimed to
> be sipa, but that could have been an actor. Absent a laborious and
> boring signed challenge process, for all we know, "sipa" is a
> supercomputing cluster of 500 gnomes.
>
> The point is, the "online entity known as Satoshi" is the relevant
> fingerprint. That is easily established without any in-person
> meetings.
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUFvsyAAoJENQRrA3m8xlAwkAH/iRekS+Q0jIzaMPFJjD9Qh2e
TTpnQ5MyceeWaEQ9BIS9Lp92k/KlhYUmdaHRmmgOuUQZ6VlOmLSyveMe2qpX3igb
jZX3ydZe2hs1D3Z48MFyNBz06eufApSi5LC8BvN4bYotOD+/qrrxag+jaU3NjDu3
yCaSF563ZQ9xXkfh5JoZ3SGBcRmR5bS6QAoR29OQXBubriPwJuVxUBB37cfaL2Nf
rc67q2KgpU/vOyucxMFZgoP0vDjxUzXTc2ONrEHGJUfdypMADFwXjxeA8ikOt4ik
GIB69wMGQiMeE5e3H337yJxYaZJK4R1KnrSLF0j+Vkl3Yy25duBYAbFUGayeTw0=
=xR8K
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 14:33 ` Jeff Garzik
@ 2014-09-15 14:49 ` Brian Hoffman
2014-09-15 14:55 ` Pieter Wuille
0 siblings, 1 reply; 18+ messages in thread
From: Brian Hoffman @ 2014-09-15 14:49 UTC (permalink / raw)
To: Jeff Garzik; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 4518 bytes --]
In the context of Bitcoin I will concede that perhaps it holds true for now.
I also never said the actual credential you receive from a government
agency is trustable. I completely agree that they are forgeable and not
necessarily reliable. That was not my point. I was referring to the vetting
process before issuance.
Just as you have behavioral characteristics online that contribute to
trusting an "identity" you also exhibit in person attributes, such as
physically being in a specific location at a certain time or blue eyes or
biometrics, that are valuable. You simply cannot capture those in an
online-only world. I don't see how you can deny the value there.
You are most certainly and undeniably the expert in the Bitcoin context
here so I will not even attempt to argue with you on that, but I just think
it's not realistic to ignore the value of an in-person network in other
contexts. You called it "geek wanking" with no qualifier "in the Bitcoin
context" so excuse me if I misunderstood your intent.
On Mon, Sep 15, 2014 at 10:33 AM, Jeff Garzik <jgarzik@bitpay•com> wrote:
> It applies to OP, bitcoin community development and Satoshi.
>
> "value of in person vetting of identity is undeniable"... no it is
> quite deniable. Satoshi is the quintessential example. We value brain
> output, code. The real world identity is irrelevant to whether or not
> bitcoin continues to function.
>
> The currency of bitcoin development is code, and electronic messages
> describing cryptographic theses. _That_ is the relevant fingerprint.
>
> Governmental id is second class, can be forged or simply present a
> different individual from that who is online. PGP WoT wanking does
> not solve that problem at all.
>
>
>
>
>
>
> On Mon, Sep 15, 2014 at 9:32 AM, Brian Hoffman <brianchoffman@gmail•com>
> wrote:
> > I would agree that the in person aspect of the WoT is frustrating, but
> to dismiss this as "geek wanking" is the pot calling the kettle.
> >
> > The value of in person vetting of identity is undeniable. Just because
> your risk acceptance is difference doesn't make it wanking. Please go see
> if you can get any kind of governmental clearance of credential without
> in-person vetting. Ask them if they accept your behavioral signature.
> >
> > I know there is a lot of PGP hating these days but this comment doesn't
> necessarily apply to every situation.
> >
> >
> >
> >> On Sep 15, 2014, at 9:08 AM, Jeff Garzik <jgarzik@bitpay•com> wrote:
> >>
> >>> On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander <thomas@thomaszander•se>
> wrote:
> >>> Any and all PGP related howtos will tell you that you should not trust
> or sign
> >>> a formerly-untrusted PGP (or GPG for that matter) key without seeing
> that
> >>> person in real life, verifying their identity etc.
> >>
> >> Such guidelines are a perfect example of why PGP WoT is useless and
> >> stupid geek wanking.
> >>
> >> A person's behavioural signature is what is relevant. We know how
> >> Satoshi coded and wrote. It was the online Satoshi with which we
> >> interacted. The online Satoshi's PGP signature would be fine...
> >> assuming he established a pattern of use.
> >>
> >> As another example, I know the code contributions and PGP key signed
> >> by the online entity known as "sipa." At a bitcoin conf I met a
> >> person with photo id labelled "Pieter Wuille" who claimed to be sipa,
> >> but that could have been an actor. Absent a laborious and boring
> >> signed challenge process, for all we know, "sipa" is a supercomputing
> >> cluster of 500 gnomes.
> >>
> >> The point is, the "online entity known as Satoshi" is the relevant
> >> fingerprint. That is easily established without any in-person
> >> meetings.
> >>
> >> --
> >> Jeff Garzik
> >> Bitcoin core developer and open source evangelist
> >> BitPay, Inc. https://bitpay.com/
> >>
> >>
> ------------------------------------------------------------------------------
> >> Want excitement?
> >> Manually upgrade your production database.
> >> When you want reliability, choose Perforce
> >> Perforce version control. Predictably reliable.
> >>
> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> >> _______________________________________________
> >> Bitcoin-development mailing list
> >> Bitcoin-development@lists•sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>
>
> --
> Jeff Garzik
> Bitcoin core developer and open source evangelist
> BitPay, Inc. https://bitpay.com/
>
[-- Attachment #2: Type: text/html, Size: 6104 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 14:49 ` Brian Hoffman
@ 2014-09-15 14:55 ` Pieter Wuille
0 siblings, 0 replies; 18+ messages in thread
From: Pieter Wuille @ 2014-09-15 14:55 UTC (permalink / raw)
To: Brian Hoffman; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 5482 bytes --]
WoT is a perfectly reasonable way to establish trust about the link between
an online identity and a real world identity.
In the case of a developer with an existing reputation for his online
identity, that link is just irrelevant.
On Sep 15, 2014 4:52 PM, "Brian Hoffman" <brianchoffman@gmail•com> wrote:
> In the context of Bitcoin I will concede that perhaps it holds true for
> now.
>
> I also never said the actual credential you receive from a government
> agency is trustable. I completely agree that they are forgeable and not
> necessarily reliable. That was not my point. I was referring to the vetting
> process before issuance.
>
> Just as you have behavioral characteristics online that contribute to
> trusting an "identity" you also exhibit in person attributes, such as
> physically being in a specific location at a certain time or blue eyes or
> biometrics, that are valuable. You simply cannot capture those in an
> online-only world. I don't see how you can deny the value there.
>
> You are most certainly and undeniably the expert in the Bitcoin context
> here so I will not even attempt to argue with you on that, but I just think
> it's not realistic to ignore the value of an in-person network in other
> contexts. You called it "geek wanking" with no qualifier "in the Bitcoin
> context" so excuse me if I misunderstood your intent.
>
>
> On Mon, Sep 15, 2014 at 10:33 AM, Jeff Garzik <jgarzik@bitpay•com> wrote:
>
>> It applies to OP, bitcoin community development and Satoshi.
>>
>> "value of in person vetting of identity is undeniable"... no it is
>> quite deniable. Satoshi is the quintessential example. We value brain
>> output, code. The real world identity is irrelevant to whether or not
>> bitcoin continues to function.
>>
>> The currency of bitcoin development is code, and electronic messages
>> describing cryptographic theses. _That_ is the relevant fingerprint.
>>
>> Governmental id is second class, can be forged or simply present a
>> different individual from that who is online. PGP WoT wanking does
>> not solve that problem at all.
>>
>>
>>
>>
>>
>>
>> On Mon, Sep 15, 2014 at 9:32 AM, Brian Hoffman <brianchoffman@gmail•com>
>> wrote:
>> > I would agree that the in person aspect of the WoT is frustrating, but
>> to dismiss this as "geek wanking" is the pot calling the kettle.
>> >
>> > The value of in person vetting of identity is undeniable. Just because
>> your risk acceptance is difference doesn't make it wanking. Please go see
>> if you can get any kind of governmental clearance of credential without
>> in-person vetting. Ask them if they accept your behavioral signature.
>> >
>> > I know there is a lot of PGP hating these days but this comment doesn't
>> necessarily apply to every situation.
>> >
>> >
>> >
>> >> On Sep 15, 2014, at 9:08 AM, Jeff Garzik <jgarzik@bitpay•com> wrote:
>> >>
>> >>> On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander <
>> thomas@thomaszander•se> wrote:
>> >>> Any and all PGP related howtos will tell you that you should not
>> trust or sign
>> >>> a formerly-untrusted PGP (or GPG for that matter) key without seeing
>> that
>> >>> person in real life, verifying their identity etc.
>> >>
>> >> Such guidelines are a perfect example of why PGP WoT is useless and
>> >> stupid geek wanking.
>> >>
>> >> A person's behavioural signature is what is relevant. We know how
>> >> Satoshi coded and wrote. It was the online Satoshi with which we
>> >> interacted. The online Satoshi's PGP signature would be fine...
>> >> assuming he established a pattern of use.
>> >>
>> >> As another example, I know the code contributions and PGP key signed
>> >> by the online entity known as "sipa." At a bitcoin conf I met a
>> >> person with photo id labelled "Pieter Wuille" who claimed to be sipa,
>> >> but that could have been an actor. Absent a laborious and boring
>> >> signed challenge process, for all we know, "sipa" is a supercomputing
>> >> cluster of 500 gnomes.
>> >>
>> >> The point is, the "online entity known as Satoshi" is the relevant
>> >> fingerprint. That is easily established without any in-person
>> >> meetings.
>> >>
>> >> --
>> >> Jeff Garzik
>> >> Bitcoin core developer and open source evangelist
>> >> BitPay, Inc. https://bitpay.com/
>> >>
>> >>
>> ------------------------------------------------------------------------------
>> >> Want excitement?
>> >> Manually upgrade your production database.
>> >> When you want reliability, choose Perforce
>> >> Perforce version control. Predictably reliable.
>> >>
>> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
>> >> _______________________________________________
>> >> Bitcoin-development mailing list
>> >> Bitcoin-development@lists•sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>
>>
>>
>> --
>> Jeff Garzik
>> Bitcoin core developer and open source evangelist
>> BitPay, Inc. https://bitpay.com/
>>
>
>
>
> ------------------------------------------------------------------------------
> Want excitement?
> Manually upgrade your production database.
> When you want reliability, choose Perforce
> Perforce version control. Predictably reliable.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists•sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>
[-- Attachment #2: Type: text/html, Size: 7533 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 13:32 ` Brian Hoffman
2014-09-15 14:33 ` Jeff Garzik
2014-09-15 14:38 ` ThomasZander.se
@ 2014-09-15 15:10 ` Thomas Zander
2014-09-15 15:51 ` Matt Whitlock
2 siblings, 1 reply; 18+ messages in thread
From: Thomas Zander @ 2014-09-15 15:10 UTC (permalink / raw)
To: Bitcoin Dev
The reason it is in fact geek wanking is because pgp tried to solve a problem
that can't be solved.
It tried to provide distributed trust to a system of identity, while still
depending on the local governments (i.e. centralization) for the upstream ID.
Its a marriage that has no benefits.
What we really want is a (decentralized) identity management that allows me to
create a new anonymous ID and use that as something more secure when needed
that I have to proof its me.
So for instance I start including a bitcoin public key in my email signature.
I don't sign the emails or anything like that, just to establish that everyone
has my public key many times in their email archives.
Then when I need to proof its me, I can provide a signature on the content
that the requester wants me to sign.
All the overhead of PGP and the WoT is really completely unneeded and just
means that less people use it.
Consider this; people create accounts on GitHub or Reddit and those have in
fact more value than your pgp key! Because they got the anonymous part right.
On Monday 15. September 2014 09.32.03 Brian Hoffman wrote:
> I would agree that the in person aspect of the WoT is frustrating, but to
> dismiss this as "geek wanking" is the pot calling the kettle.
>
> The value of in person vetting of identity is undeniable. Just because your
> risk acceptance is difference doesn't make it wanking. Please go see if you
> can get any kind of governmental clearance of credential without in-person
> vetting. Ask them if they accept your behavioral signature.
>
> I know there is a lot of PGP hating these days but this comment doesn't
> necessarily apply to every situation.
> > On Sep 15, 2014, at 9:08 AM, Jeff Garzik <jgarzik@bitpay•com> wrote:
> >> On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander <thomas@thomaszander•se>
> >> wrote: Any and all PGP related howtos will tell you that you should not
> >> trust or sign a formerly-untrusted PGP (or GPG for that matter) key
> >> without seeing that person in real life, verifying their identity etc.
> >
> > Such guidelines are a perfect example of why PGP WoT is useless and
> > stupid geek wanking.
> >
> > A person's behavioural signature is what is relevant. We know how
> > Satoshi coded and wrote. It was the online Satoshi with which we
> > interacted. The online Satoshi's PGP signature would be fine...
> > assuming he established a pattern of use.
> >
> > As another example, I know the code contributions and PGP key signed
> > by the online entity known as "sipa." At a bitcoin conf I met a
> > person with photo id labelled "Pieter Wuille" who claimed to be sipa,
> > but that could have been an actor. Absent a laborious and boring
> > signed challenge process, for all we know, "sipa" is a supercomputing
> > cluster of 500 gnomes.
> >
> > The point is, the "online entity known as Satoshi" is the relevant
> > fingerprint. That is easily established without any in-person
> > meetings.
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 15:10 ` Thomas Zander
@ 2014-09-15 15:51 ` Matt Whitlock
2014-09-15 16:07 ` Thomas Zander
2014-09-15 16:10 ` Gregory Maxwell
0 siblings, 2 replies; 18+ messages in thread
From: Matt Whitlock @ 2014-09-15 15:51 UTC (permalink / raw)
To: Thomas Zander; +Cc: bitcoin-development
On Monday, 15 September 2014, at 5:10 pm, Thomas Zander wrote:
> So for instance I start including a bitcoin public key in my email signature.
> I don't sign the emails or anything like that, just to establish that everyone
> has my public key many times in their email archives.
> Then when I need to proof its me, I can provide a signature on the content
> that the requester wants me to sign.
That would not work. You would need to sign your messages. If you were merely attaching your public key to them, then the email server could have been systematically replacing your public key with some other public key, and then, when you would later try to provide a signature, your signature would not verify under the public key that everyone else had been seeing attached to your messages.
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 15:51 ` Matt Whitlock
@ 2014-09-15 16:07 ` Thomas Zander
2014-09-15 16:10 ` Gregory Maxwell
1 sibling, 0 replies; 18+ messages in thread
From: Thomas Zander @ 2014-09-15 16:07 UTC (permalink / raw)
To: bitcoin-development
On Monday 15. September 2014 11.51.35 Matt Whitlock wrote:
> If you were merely attaching your public key to them, then the email server
> could have been systematically replacing your public key with some other
> public key,
The beauty of publicly archived mailinglists make it impossible to get away
with this without detection.
I recall reading the awesome book "The inmates are running the asylum" which
states that solutions created by software engineers typically suffer from the
flaw of absolutes. (find the part where he describes homo-digitalus for more)
I think this applies to PGP and your objection; in order to make it absolutely
correct, you need to introduce loads of things. Signatures, WoT, etc.
PGP&GPG do this. But each change of the normal workflow means you loose about
50% of your audience...
So, my silly example is not perfect. But I bet its good enough for most. In
the end the value of the imperfect solution is higher than the perfect one.
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 15:51 ` Matt Whitlock
2014-09-15 16:07 ` Thomas Zander
@ 2014-09-15 16:10 ` Gregory Maxwell
2014-09-15 16:20 ` Peter Todd
1 sibling, 1 reply; 18+ messages in thread
From: Gregory Maxwell @ 2014-09-15 16:10 UTC (permalink / raw)
To: Matt Whitlock; +Cc: Bitcoin Development
On Mon, Sep 15, 2014 at 3:51 PM, Matt Whitlock <bip@mattwhitlock•name> wrote:
> On Monday, 15 September 2014, at 5:10 pm, Thomas Zander wrote:
>> So for instance I start including a bitcoin public key in my email signature.
>> I don't sign the emails or anything like that, just to establish that everyone
>> has my public key many times in their email archives.
>> Then when I need to proof its me, I can provide a signature on the content
>> that the requester wants me to sign.
>
> That would not work. You would need to sign your messages. If you were merely attaching your public key to them, then the email server could have been systematically replacing your public key with some other public key, and then, when you would later try to provide a signature, your signature would not verify under the public key that everyone else had been seeing attached to your messages.
If the server could replace the public key, it could replace the
signature in all the same places.
Please, can this stuff move to another list? It's offtopic.
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 16:10 ` Gregory Maxwell
@ 2014-09-15 16:20 ` Peter Todd
0 siblings, 0 replies; 18+ messages in thread
From: Peter Todd @ 2014-09-15 16:20 UTC (permalink / raw)
To: Gregory Maxwell, Matt Whitlock; +Cc: Bitcoin Development
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 15 September 2014 17:10:14 BST, Gregory Maxwell <gmaxwell@gmail•com> wrote:
>If the server could replace the public key, it could replace the
>signature in all the same places.
>
>Please, can this stuff move to another list? It's offtopic.
+1
My original post was OT really, although obviously this was the right venue to be sure the required audience saw it and settle the question.
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1
iQFQBAEBCAA6BQJUFxHcMxxQZXRlciBUb2RkIChsb3cgc2VjdXJpdHkga2V5KSA8
cGV0ZUBwZXRlcnRvZGQub3JnPgAKCRAZnIM7qOfwhfCtCACLNgMrxRQ4YlX4Tkyt
CIlqRh4AOLVRXeh6ER+BJJhJA+hbunNfH6kkROIinpBsFxlRfoHwrv2ax6GIlegO
s1+MSLFAoOob3tLQY/LrVF0PMTbKybdQRqQopzu81hbLTCjpnrnN2sDpAOA/bDsV
xDTHNVbOWS7UapkZf7AjueDfuyW3yhvcgsq1Tuc4r7pdKCEQA/HjBzIqyFT2K9hp
uahaENzCfsCVsEiTmAu+p9EvXhLWmMRfRz15z7D/KtOBTI83/t/WR7UnWlSRHn4i
Xyhj/iDv+kPj/vsGXZClCUZ7T/64ovVvoeY9Pk+1fc6okWWXmTHsH+R72szkhgEu
O4QP
=C27J
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
2014-09-15 13:08 ` Jeff Garzik
2014-09-15 13:32 ` Brian Hoffman
2014-09-15 14:44 ` Venzen
@ 2014-09-15 18:06 ` Justus Ranvier
2 siblings, 0 replies; 18+ messages in thread
From: Justus Ranvier @ 2014-09-15 18:06 UTC (permalink / raw)
To: bitcoin-development
[-- Attachment #1.1: Type: text/plain, Size: 908 bytes --]
On 09/15/2014 03:08 PM, Jeff Garzik wrote:
> Such guidelines are a perfect example of why PGP WoT is useless and
> stupid geek wanking.
>
> A person's behavioural signature is what is relevant. We know how
> Satoshi coded and wrote. It was the online Satoshi with which we
> interacted. The online Satoshi's PGP signature would be fine...
> assuming he established a pattern of use.
I wrote up an example of how the WoT and the behavior signature might be
combined via a game:
http://bitcoinism.blogspot.ch/2013/09/building-pgp-web-of-trust-that-people.html
tl;dr: "Identity" is not a name - it's a set of shared experiences with
other people. Identity systems that want to be successful should focus
on those shared experiences rather than names.
--
Support online privacy by using email encryption whenever possible.
Learn how here: http://www.youtube.com/watch?v=bakOKJFtB-k
[-- Attachment #1.2: 0x38450DB5.asc --]
[-- Type: application/pgp-keys, Size: 14265 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2014-09-15 18:06 UTC | newest]
Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-09-13 13:55 [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key? Peter Todd
2014-09-13 14:03 ` Jeff Garzik
2014-09-14 6:28 ` Peter Todd
2014-09-15 7:23 ` Thomas Zander
2014-09-15 9:49 ` Melvin Carvalho
2014-09-15 13:08 ` Jeff Garzik
2014-09-15 13:32 ` Brian Hoffman
2014-09-15 14:33 ` Jeff Garzik
2014-09-15 14:49 ` Brian Hoffman
2014-09-15 14:55 ` Pieter Wuille
2014-09-15 14:38 ` ThomasZander.se
2014-09-15 15:10 ` Thomas Zander
2014-09-15 15:51 ` Matt Whitlock
2014-09-15 16:07 ` Thomas Zander
2014-09-15 16:10 ` Gregory Maxwell
2014-09-15 16:20 ` Peter Todd
2014-09-15 14:44 ` Venzen
2014-09-15 18:06 ` Justus Ranvier
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox