Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-15 Thread Melvin Carvalho
On 15 September 2014 09:23, Thomas Zander tho...@thomaszander.se wrote:

 On Sunday 14. September 2014 08.28.27 Peter Todd wrote:
  Do we have any evidence Satoshi ever even had access to that key? Did he
  ever use PGP at all for anything?

 Any and all PGP related howtos will tell you that you should not trust or
 sign
 a formerly-untrusted PGP (or GPG for that matter) key without seeing that
 person in real life, verifying their identity etc.

 I think that kind of disqualifies pgp for identity purposes wrt Satoshi :-)


But I presume that if the key is on bitcoin.org,  you can probably infer
that the owner of the key and the original owner of bitcoin.org are one and
the same ...



 --
 Thomas Zander


 --
 Want excitement?
 Manually upgrade your production database.
 When you want reliability, choose Perforce
 Perforce version control. Predictably reliable.

 http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
 ___
 Bitcoin-development mailing list
 Bitcoin-development@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/bitcoin-development

--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-15 Thread Jeff Garzik
On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander tho...@thomaszander.se wrote:
 Any and all PGP related howtos will tell you that you should not trust or sign
 a formerly-untrusted PGP (or GPG for that matter) key without seeing that
 person in real life, verifying their identity etc.

Such guidelines are a perfect example of why PGP WoT is useless and
stupid geek wanking.

A person's behavioural signature is what is relevant.  We know how
Satoshi coded and wrote.  It was the online Satoshi with which we
interacted.  The online Satoshi's PGP signature would be fine...
assuming he established a pattern of use.

As another example, I know the code contributions and PGP key signed
by the online entity known as sipa.  At a bitcoin conf I met a
person with photo id labelled Pieter Wuille who claimed to be sipa,
but that could have been an actor.  Absent a laborious and boring
signed challenge process, for all we know, sipa is a supercomputing
cluster of 500 gnomes.

The point is, the online entity known as Satoshi is the relevant
fingerprint.  That is easily established without any in-person
meetings.

-- 
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc.  https://bitpay.com/

--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-15 Thread Brian Hoffman
I would agree that the in person aspect of the WoT is frustrating, but to 
dismiss this as geek wanking is the pot calling the kettle. 

The value of in person vetting of identity is undeniable. Just because your 
risk acceptance is difference doesn't make it wanking. Please go see if you can 
get any kind of governmental clearance of credential without in-person vetting. 
Ask them if they accept your behavioral signature. 

I know there is a lot of PGP hating these days but this comment doesn't 
necessarily apply to every situation. 



 On Sep 15, 2014, at 9:08 AM, Jeff Garzik jgar...@bitpay.com wrote:
 
 On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander tho...@thomaszander.se 
 wrote:
 Any and all PGP related howtos will tell you that you should not trust or 
 sign
 a formerly-untrusted PGP (or GPG for that matter) key without seeing that
 person in real life, verifying their identity etc.
 
 Such guidelines are a perfect example of why PGP WoT is useless and
 stupid geek wanking.
 
 A person's behavioural signature is what is relevant.  We know how
 Satoshi coded and wrote.  It was the online Satoshi with which we
 interacted.  The online Satoshi's PGP signature would be fine...
 assuming he established a pattern of use.
 
 As another example, I know the code contributions and PGP key signed
 by the online entity known as sipa.  At a bitcoin conf I met a
 person with photo id labelled Pieter Wuille who claimed to be sipa,
 but that could have been an actor.  Absent a laborious and boring
 signed challenge process, for all we know, sipa is a supercomputing
 cluster of 500 gnomes.
 
 The point is, the online entity known as Satoshi is the relevant
 fingerprint.  That is easily established without any in-person
 meetings.
 
 -- 
 Jeff Garzik
 Bitcoin core developer and open source evangelist
 BitPay, Inc.  https://bitpay.com/
 
 --
 Want excitement?
 Manually upgrade your production database.
 When you want reliability, choose Perforce
 Perforce version control. Predictably reliable.
 http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
 ___
 Bitcoin-development mailing list
 Bitcoin-development@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/bitcoin-development

--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-15 Thread Jeff Garzik
It applies to OP, bitcoin community development and Satoshi.

value of in person vetting of identity is undeniable...  no it is
quite deniable. Satoshi is the quintessential example. We value brain
output, code.  The real world identity is irrelevant to whether or not
bitcoin continues to function.

The currency of bitcoin development is code, and electronic messages
describing cryptographic theses.  _That_ is the relevant fingerprint.

Governmental id is second class, can be forged or simply present a
different individual from that who is online.  PGP WoT wanking does
not solve that problem at all.






On Mon, Sep 15, 2014 at 9:32 AM, Brian Hoffman brianchoff...@gmail.com wrote:
 I would agree that the in person aspect of the WoT is frustrating, but to 
 dismiss this as geek wanking is the pot calling the kettle.

 The value of in person vetting of identity is undeniable. Just because your 
 risk acceptance is difference doesn't make it wanking. Please go see if you 
 can get any kind of governmental clearance of credential without in-person 
 vetting. Ask them if they accept your behavioral signature.

 I know there is a lot of PGP hating these days but this comment doesn't 
 necessarily apply to every situation.



 On Sep 15, 2014, at 9:08 AM, Jeff Garzik jgar...@bitpay.com wrote:

 On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander tho...@thomaszander.se 
 wrote:
 Any and all PGP related howtos will tell you that you should not trust or 
 sign
 a formerly-untrusted PGP (or GPG for that matter) key without seeing that
 person in real life, verifying their identity etc.

 Such guidelines are a perfect example of why PGP WoT is useless and
 stupid geek wanking.

 A person's behavioural signature is what is relevant.  We know how
 Satoshi coded and wrote.  It was the online Satoshi with which we
 interacted.  The online Satoshi's PGP signature would be fine...
 assuming he established a pattern of use.

 As another example, I know the code contributions and PGP key signed
 by the online entity known as sipa.  At a bitcoin conf I met a
 person with photo id labelled Pieter Wuille who claimed to be sipa,
 but that could have been an actor.  Absent a laborious and boring
 signed challenge process, for all we know, sipa is a supercomputing
 cluster of 500 gnomes.

 The point is, the online entity known as Satoshi is the relevant
 fingerprint.  That is easily established without any in-person
 meetings.

 --
 Jeff Garzik
 Bitcoin core developer and open source evangelist
 BitPay, Inc.  https://bitpay.com/

 --
 Want excitement?
 Manually upgrade your production database.
 When you want reliability, choose Perforce
 Perforce version control. Predictably reliable.
 http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
 ___
 Bitcoin-development mailing list
 Bitcoin-development@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/bitcoin-development



-- 
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc.  https://bitpay.com/

--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-15 Thread Venzen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Funny that you should describe WoT that way. According to some
psycho-analysts the act of making love to a partner is actually a
realization of our subconscious desire to make love to ourselves.

So, in this sense, WoT geeks are indeed masturbating, but it's with
the good purpose of ensuring that it's being done via the intended
recipient and not some imposter or unsuspecting bystander.

That's a valid concern, especially as Bitcoin development ranks grow
and branch beyond a small core team.



On 09/15/2014 08:08 PM, Jeff Garzik wrote:
 On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander
 tho...@thomaszander.se wrote:
 Any and all PGP related howtos will tell you that you should not
 trust or sign a formerly-untrusted PGP (or GPG for that matter)
 key without seeing that person in real life, verifying their
 identity etc.
 
 Such guidelines are a perfect example of why PGP WoT is useless
 and stupid geek wanking.
 
 A person's behavioural signature is what is relevant.  We know how 
 Satoshi coded and wrote.  It was the online Satoshi with which we 
 interacted.  The online Satoshi's PGP signature would be fine... 
 assuming he established a pattern of use.
 
 As another example, I know the code contributions and PGP key
 signed by the online entity known as sipa.  At a bitcoin conf I
 met a person with photo id labelled Pieter Wuille who claimed to
 be sipa, but that could have been an actor.  Absent a laborious and
 boring signed challenge process, for all we know, sipa is a
 supercomputing cluster of 500 gnomes.
 
 The point is, the online entity known as Satoshi is the relevant 
 fingerprint.  That is easily established without any in-person 
 meetings.
 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJUFvsyAAoJENQRrA3m8xlAwkAH/iRekS+Q0jIzaMPFJjD9Qh2e
TTpnQ5MyceeWaEQ9BIS9Lp92k/KlhYUmdaHRmmgOuUQZ6VlOmLSyveMe2qpX3igb
jZX3ydZe2hs1D3Z48MFyNBz06eufApSi5LC8BvN4bYotOD+/qrrxag+jaU3NjDu3
yCaSF563ZQ9xXkfh5JoZ3SGBcRmR5bS6QAoR29OQXBubriPwJuVxUBB37cfaL2Nf
rc67q2KgpU/vOyucxMFZgoP0vDjxUzXTc2ONrEHGJUfdypMADFwXjxeA8ikOt4ik
GIB69wMGQiMeE5e3H337yJxYaZJK4R1KnrSLF0j+Vkl3Yy25duBYAbFUGayeTw0=
=xR8K
-END PGP SIGNATURE-

--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-15 Thread Brian Hoffman
In the context of Bitcoin I will concede that perhaps it holds true for now.

I also never said the actual credential you receive from a government
agency is trustable. I completely agree that they are forgeable and not
necessarily reliable. That was not my point. I was referring to the vetting
process before issuance.

Just as you have behavioral characteristics online that contribute to
trusting an identity you also exhibit in person attributes, such as
physically being in a specific location at a certain time or blue eyes or
biometrics, that are valuable. You simply cannot capture those in an
online-only world. I don't see how you can deny the value there.

You are most certainly and undeniably the expert in the Bitcoin context
here so I will not even attempt to argue with you on that, but I just think
it's not realistic to ignore the value of an in-person network in other
contexts. You called it geek wanking with no qualifier in the Bitcoin
context so excuse me if I misunderstood your intent.


On Mon, Sep 15, 2014 at 10:33 AM, Jeff Garzik jgar...@bitpay.com wrote:

 It applies to OP, bitcoin community development and Satoshi.

 value of in person vetting of identity is undeniable...  no it is
 quite deniable. Satoshi is the quintessential example. We value brain
 output, code.  The real world identity is irrelevant to whether or not
 bitcoin continues to function.

 The currency of bitcoin development is code, and electronic messages
 describing cryptographic theses.  _That_ is the relevant fingerprint.

 Governmental id is second class, can be forged or simply present a
 different individual from that who is online.  PGP WoT wanking does
 not solve that problem at all.






 On Mon, Sep 15, 2014 at 9:32 AM, Brian Hoffman brianchoff...@gmail.com
 wrote:
  I would agree that the in person aspect of the WoT is frustrating, but
 to dismiss this as geek wanking is the pot calling the kettle.
 
  The value of in person vetting of identity is undeniable. Just because
 your risk acceptance is difference doesn't make it wanking. Please go see
 if you can get any kind of governmental clearance of credential without
 in-person vetting. Ask them if they accept your behavioral signature.
 
  I know there is a lot of PGP hating these days but this comment doesn't
 necessarily apply to every situation.
 
 
 
  On Sep 15, 2014, at 9:08 AM, Jeff Garzik jgar...@bitpay.com wrote:
 
  On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander tho...@thomaszander.se
 wrote:
  Any and all PGP related howtos will tell you that you should not trust
 or sign
  a formerly-untrusted PGP (or GPG for that matter) key without seeing
 that
  person in real life, verifying their identity etc.
 
  Such guidelines are a perfect example of why PGP WoT is useless and
  stupid geek wanking.
 
  A person's behavioural signature is what is relevant.  We know how
  Satoshi coded and wrote.  It was the online Satoshi with which we
  interacted.  The online Satoshi's PGP signature would be fine...
  assuming he established a pattern of use.
 
  As another example, I know the code contributions and PGP key signed
  by the online entity known as sipa.  At a bitcoin conf I met a
  person with photo id labelled Pieter Wuille who claimed to be sipa,
  but that could have been an actor.  Absent a laborious and boring
  signed challenge process, for all we know, sipa is a supercomputing
  cluster of 500 gnomes.
 
  The point is, the online entity known as Satoshi is the relevant
  fingerprint.  That is easily established without any in-person
  meetings.
 
  --
  Jeff Garzik
  Bitcoin core developer and open source evangelist
  BitPay, Inc.  https://bitpay.com/
 
 
 --
  Want excitement?
  Manually upgrade your production database.
  When you want reliability, choose Perforce
  Perforce version control. Predictably reliable.
 
 http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
  ___
  Bitcoin-development mailing list
  Bitcoin-development@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/bitcoin-development



 --
 Jeff Garzik
 Bitcoin core developer and open source evangelist
 BitPay, Inc.  https://bitpay.com/

--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-15 Thread ThomasZander.se
‎The reason it is in fact wanking is because pgp tried to solve a problem that 
can't be solved.
It tried to provide distributed trust to a system of identity, while still 
depending on the local government (i.e centralized) for the upstream ID...

It's a marriage that has no benefit.

What we really want is (decentralized) identity management that allows me to 
create a new anonymous ID and use that as something more secure than trusting a 
behavior pattern to proof it's me. 

Sent on the go. Excuse the brevity.
  Original Message  
From: Brian Hoffman
Sent: 15:35 mandag 15. september 2014
To: Jeff Garzik
Cc: Thomas Zander; Bitcoin Dev
Subject: Re: [Bitcoin-development] Does anyone have anything at all signed by 
Satoshi's PGP key?

I would agree that the in person aspect of the WoT is frustrating, but to 
dismiss this as geek wanking is the pot calling the kettle. 

The value of in person vetting of identity is undeniable. Just because your 
risk acceptance is difference doesn't make it wanking. Please go see if you can 
get any kind of governmental clearance of credential without in-person vetting. 
Ask them if they accept your behavioral signature. 

I know there is a lot of PGP hating these days but this comment doesn't 
necessarily apply to every situation. 



 On Sep 15, 2014, at 9:08 AM, Jeff Garzik jgar...@bitpay.com wrote:
 
 On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander tho...@thomaszander.se 
 wrote:
 Any and all PGP related howtos will tell you that you should not trust or 
 sign
 a formerly-untrusted PGP (or GPG for that matter) key without seeing that
 person in real life, verifying their identity etc.
 
 Such guidelines are a perfect example of why PGP WoT is useless and
 stupid geek wanking.
 
 A person's behavioural signature is what is relevant. We know how
 Satoshi coded and wrote. It was the online Satoshi with which we
 interacted. The online Satoshi's PGP signature would be fine...
 assuming he established a pattern of use.
 
 As another example, I know the code contributions and PGP key signed
 by the online entity known as sipa. At a bitcoin conf I met a
 person with photo id labelled Pieter Wuille who claimed to be sipa,
 but that could have been an actor. Absent a laborious and boring
 signed challenge process, for all we know, sipa is a supercomputing
 cluster of 500 gnomes.
 
 The point is, the online entity known as Satoshi is the relevant
 fingerprint. That is easily established without any in-person
 meetings.
 
 -- 
 Jeff Garzik
 Bitcoin core developer and open source evangelist
 BitPay, Inc. https://bitpay.com/
 
 --
 Want excitement?
 Manually upgrade your production database.
 When you want reliability, choose Perforce
 Perforce version control. Predictably reliable.
 http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
 ___
 Bitcoin-development mailing list
 Bitcoin-development@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/bitcoin-development


--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-15 Thread Thomas Zander
On Monday 15. September 2014 11.51.35 Matt Whitlock wrote:
  If you were merely attaching your public key to them, then the email server
 could have been systematically replacing your public key with some other
 public key,

The beauty of publicly archived mailinglists make it impossible to get away 
with this without detection.

I recall reading the awesome book The inmates are running the asylum which 
states that solutions created by software engineers typically suffer from the 
flaw of absolutes. (find the part where he describes homo-digitalus for more)

I think this applies to PGP and your objection; in order to make it absolutely 
correct, you need to introduce loads of things. Signatures, WoT, etc.
PGPGPG do this. But each change of the normal workflow means you loose about 
50% of your audience...

So, my silly example is not perfect. But I bet its good enough for most. In 
the end the value of the imperfect solution is higher than the perfect one.

--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-15 Thread Gregory Maxwell
On Mon, Sep 15, 2014 at 3:51 PM, Matt Whitlock b...@mattwhitlock.name wrote:
 On Monday, 15 September 2014, at 5:10 pm, Thomas Zander wrote:
 So for instance I start including a bitcoin public key in my email signature.
 I don't sign the emails or anything like that, just to establish that 
 everyone
 has my public key many times in their email archives.
 Then when I need to proof its me, I can provide a signature on the content
 that the requester wants me to sign.

 That would not work. You would need to sign your messages. If you were merely 
 attaching your public key to them, then the email server could have been 
 systematically replacing your public key with some other public key, and 
 then, when you would later try to provide a signature, your signature would 
 not verify under the public key that everyone else had been seeing attached 
 to your messages.

If the server could replace the public key, it could replace the
signature in all the same places.

Please, can this stuff move to another list? It's offtopic.

--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-15 Thread Peter Todd
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 15 September 2014 17:10:14 BST, Gregory Maxwell gmaxw...@gmail.com wrote:
If the server could replace the public key, it could replace the
signature in all the same places.

Please, can this stuff move to another list? It's offtopic.

+1

My original post was OT really, although obviously this was the right venue to 
be sure the required audience saw it and settle the question.
-BEGIN PGP SIGNATURE-
Version: APG v1.1.1

iQFQBAEBCAA6BQJUFxHcMxxQZXRlciBUb2RkIChsb3cgc2VjdXJpdHkga2V5KSA8
cGV0ZUBwZXRlcnRvZGQub3JnPgAKCRAZnIM7qOfwhfCtCACLNgMrxRQ4YlX4Tkyt
CIlqRh4AOLVRXeh6ER+BJJhJA+hbunNfH6kkROIinpBsFxlRfoHwrv2ax6GIlegO
s1+MSLFAoOob3tLQY/LrVF0PMTbKybdQRqQopzu81hbLTCjpnrnN2sDpAOA/bDsV
xDTHNVbOWS7UapkZf7AjueDfuyW3yhvcgsq1Tuc4r7pdKCEQA/HjBzIqyFT2K9hp
uahaENzCfsCVsEiTmAu+p9EvXhLWmMRfRz15z7D/KtOBTI83/t/WR7UnWlSRHn4i
Xyhj/iDv+kPj/vsGXZClCUZ7T/64ovVvoeY9Pk+1fc6okWWXmTHsH+R72szkhgEu
O4QP
=C27J
-END PGP SIGNATURE-


--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk
___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-15 Thread Justus Ranvier
On 09/15/2014 03:08 PM, Jeff Garzik wrote:
 Such guidelines are a perfect example of why PGP WoT is useless and
 stupid geek wanking.
 
 A person's behavioural signature is what is relevant.  We know how
 Satoshi coded and wrote.  It was the online Satoshi with which we
 interacted.  The online Satoshi's PGP signature would be fine...
 assuming he established a pattern of use.

I wrote up an example of how the WoT and the behavior signature might be
combined via a game:

http://bitcoinism.blogspot.ch/2013/09/building-pgp-web-of-trust-that-people.html

tl;dr: Identity is not a name - it's a set of shared experiences with
other people. Identity systems that want to be successful should focus
on those shared experiences rather than names.

-- 
Support online privacy by using email encryption whenever possible.
Learn how here: http://www.youtube.com/watch?v=bakOKJFtB-k


0x38450DB5.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-14 Thread Peter Todd
On Sat, Sep 13, 2014 at 10:03:20AM -0400, Jeff Garzik wrote:
 That claim is horse manure :)  He never signed private emails sent to
 me, nor the forum posts.

That's consistent with what everyone else is saying:
https://twitter.com/petertoddbtc/status/509614729879642113

 He -might- have signed the occasional thing related to releases, I'm not sure.

Doesn't seem like there's any evidence of that either. For instance the
archive.org Jan 31st 2009 capture of bitcoin.org with v1.3 has a link to
his PGP key, but the release itself is unsigned:
https://web.archive.org/web/20090131115053/http://bitcoin.org/

Similarly the Nov 29 2009 capture of the sourceforge download directory
has releases v0.1.0, v0.1.2, v0.1.3, and v0.1.5, none of which have
signatures:

https://web.archive.org/web/20091129231630/http://sourceforge.net/projects/bitcoin/files/Bitcoin/

The earliest signature I can find is from v0.3.20 from Gavin Andresen:

https://web.archive.org/web/20110502125522/http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.20/

Earliest sig in the git commit history is the v0.3.21 tag, again from
Gavin.


My best guess is Satoshi only created the PGP key in case
someone needed to send him a security-related bug report. Which leads to
a related question:

Do we have any evidence Satoshi ever even had access to that key? Did he
ever use PGP at all for anything?

-- 
'peter'[:-1]@petertodd.org
0ce4f740fb700bb8a9ed859ac96ac9871567a20fca07f76a


signature.asc
Description: Digital signature
--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


[Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?

2014-09-13 Thread Peter Todd
So far I have zero evidence that the common claim that Satoshi PGP
signed everything was true; I have no evidence he ever
cryptographically signed any communications at all.

-- 
'peter'[:-1]@petertodd.org
0ce4f740fb700bb8a9ed859ac96ac9871567a20fca07f76a


signature.asc
Description: Digital signature
--
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191iu=/4140/ostg.clktrk___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development