On 14 May 2013 20:41, Peter Todd wrote:
> report: https://bitcointalk.org/index.php?topic=205349.0
>
> Every talk will be widely witnessed and videotaped so we can get some
> reasonably good security by simply putting out PGP fingerprints in our
> slides. Yeah, some fancy attacker could change the videos after the
> fact, but the talks themselves will have wide audiences and a lot of
> opportunities for fraud to be discovered. That means it'd also be
> reasonable for people to sign those keys too if you are present and are
> convinced you aren't looking at some impostor. (Of course, presenters,
> check that your PGP fingerprints are correct...)
>
>
> Remember that PGP depends on the web-of-trust. No single measure in a
> web-of-trust needs to be absolutely perfect; it's the sum of the
> verifications that matter. I don't think it matters much if you have,
> say, seen Jeff Garzik's driver's license as much as it matters that you
> have seen him in a public place with dozens of witnesses that would
> recognize him and call out any attempt at fraud.
>
> Secondly, remember that many of us are working on software where an
> attacker can steal from huge numbers of users at once if they manage to
> sneak some wallet-stealing code in. We need better code signing
> practices, but they don't help without some way of being sure the keys
> signing the code are valid. SSL and certificate authorities have
> advantages, and so does the PGP WoT, so use both.
>
>
> FWIW I take this stuff pretty seriously myself. I generated my key
> securely in the first place, I use a hardware smartcard to store my PGP
> key, and I keep the master signing key - the key with the ability to
> sign other keys - separate from my day-to-day signing subkeys. I also
> PGP sign emails regularly, which means anyone can get a decent idea of
> whether they have the right key by looking at bitcoin-development mailing
> list archives and checking the signatures. A truly dedicated attacker
> could probably sign something without my knowledge, but I've certainly
> raised the bar.

Just out of curiosity, could PGP keyservers suffer from a 51% attack similar to the one on the bitcoin network?

> --
> 'peter'[:-1]@petertodd.org
> 000000000000016be577c0f0ce4c04a05fdbfc8e0b6f69053659f32aeea3a518
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
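The quoted message makes one point that is easy to state and easy to get wrong in practice: in a web of trust no single verification has to be perfect, because key validity is decided by the sum of certifications from people you have reason to trust, and a certification from a key you have never verified counts for nothing regardless of how much trust you assign it. The following is an added example, not code from the thread or from GnuPG; it models GnuPG's classic trust model with its default parameters (one fully trusted signer or three marginally trusted signers make a key valid, along a certification path of at most five steps) on a constructed sample web. Fingerprints such as "PETER" and "ALICE", the owner-trust assignments and the certifications are all placeholders, not real keys.

```python
"""
Added example: a small model of web-of-trust key validity in the style of
GnuPG's classic trust model (defaults: --completes-needed 1,
--marginals-needed 3, --max-cert-depth 5).

Key names, owner-trust values and certifications are constructed sample
data, not real fingerprints or real certifications.
"""
from dataclasses import dataclass, field

ULTIMATE = "ultimate"   # our own key: valid by definition
FULL = "full"           # one certification from a valid key with this trust is enough
MARGINAL = "marginal"   # need three such certifications
NONE = "none"           # this owner's certifications are ignored

COMPLETES_NEEDED = 1    # GnuPG default
MARGINALS_NEEDED = 3    # GnuPG default
MAX_CERT_DEPTH = 5      # GnuPG default


@dataclass
class Key:
    fingerprint: str
    owner_trust: str = NONE
    # fingerprints of keys that have certified (signed) this key
    signed_by: set = field(default_factory=set)


def compute_validity(keys: dict) -> dict:
    """Return {fingerprint: True/False} by iterating the trust rules to a fixed point.

    A key is valid if it is ultimately trusted, or if enough *valid* keys whose
    owners we trust have certified it. Owner trust on a key that is not itself
    valid contributes nothing: trust without verification is worthless.
    """
    valid = {fp: (k.owner_trust == ULTIMATE) for fp, k in keys.items()}
    depth = {fp: (0 if v else None) for fp, v in valid.items()}
    changed = True
    while changed:
        changed = False
        for fp, key in keys.items():
            if valid[fp]:
                continue
            full = marginal = 0
            best_depth = None
            for signer_fp in key.signed_by:
                signer = keys.get(signer_fp)
                # Unknown or not-yet-valid signer: its signature is not counted.
                if signer is None or not valid[signer_fp]:
                    continue
                d = depth[signer_fp] + 1
                if d > MAX_CERT_DEPTH:
                    continue
                if signer.owner_trust in (FULL, ULTIMATE):
                    full += 1
                elif signer.owner_trust == MARGINAL:
                    marginal += 1
                else:
                    continue
                best_depth = d if best_depth is None else min(best_depth, d)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid[fp] = True
                depth[fp] = best_depth
                changed = True
    return valid


def demo_web() -> dict:
    """Constructed sample web of trust (placeholder fingerprints, not real keys)."""
    me = Key("ME", ULTIMATE)
    # Signed in person at the conference; trusted to certify others carefully.
    peter = Key("PETER", FULL, {"ME"})
    # Also met in person, but only marginally trusted as certifiers.
    alice = Key("ALICE", MARGINAL, {"ME"})
    bob = Key("BOB", MARGINAL, {"ME"})
    carol = Key("CAROL", MARGINAL, {"ME"})
    dave = Key("DAVE", NONE, {"ALICE", "BOB", "CAROL"})  # three marginals: valid
    erin = Key("ERIN", NONE, {"ALICE", "BOB"})           # only two: not valid
    frank = Key("FRANK", NONE, {"PETER"})                # one full: valid
    impostor = Key("PETER-IMPOSTOR", NONE, set())        # nobody vouches for it
    stranger = Key("STRANGER", FULL, set())              # trusted, but never verified
    mallory = Key("MALLORY", NONE, {"STRANGER"})         # signed only by an unverified key
    return {k.fingerprint: k for k in
            [me, peter, alice, bob, carol, dave, erin, frank, impostor, stranger, mallory]}


if __name__ == "__main__":
    for fp, ok in compute_validity(demo_web()).items():
        print(f"{fp:15s} {'valid' if ok else 'NOT valid'}")
```

The two cases worth staring at are "ERIN" and "MALLORY": Erin has two genuine certifications from people you met and is still not valid under the default thresholds, and Mallory is signed by a key you marked fully trusted but never verified, so the signature is ignored. That is the point the message makes about signing keys at a conference: each signature you add after seeing someone in front of witnesses is one more term in that sum, and it only counts for anyone else once your own key has been verified by them.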