Author: Mike Hearn 2013-04-25 14:31:16
Published on: 2013-04-25T14:31:16+00:00
In an email thread from 2013, Mike Caldwell suggested signing Bitcoin addresses with PGP in advance, so that they could not be substituted if the server was compromised. However, this rests on a flawed assumption: someone would need to have obtained his PGP key beforehand, or know that he had signed them. This raises the question of how people obtain cryptographic identities through secure channels, which often do not exist. Surviving a web server hack is attractive, but for most businesses the website is their identity, and once a hacker controls it, it is hard for anyone to know when something goes wrong. There are some simple mitigations, such as wallets counting how many times you have paid to addresses signed by a particular certificate. If a repeat customer sees a message stating that they have never paid this recipient before, instead of an acknowledgement of their previous payments, it may indicate suspicious activity. With time, more complex solutions may become available, such as extensions to the X.509/CA infrastructure, alternative PKIs like DNSSEC or the ePassport PKI, or signing the key list under one's legal identity. For Mike, as an individual trader, signing the key list under his legal identity is the best solution, but it is not easily available at present.
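The payment-counting mitigation described above, as an added example that is not code from the thread or from any wallet. It goes slightly beyond the text by also flagging a known name that reappears unsigned or under a different certificate; the class, its method names and the placeholder certificate bytes are assumptions.

```python
import hashlib


class PaymentHistory:
    """Hypothetical wallet-side record of payments, keyed by signing certificate."""

    def __init__(self):
        self._count = {}  # certificate fingerprint -> number of payments made
        self._names = {}  # certificate subject name -> fingerprints already paid

    @staticmethod
    def fingerprint(cert_der):
        # SHA-256 over the certificate bytes identifies the signer.
        return hashlib.sha256(cert_der).hexdigest()

    def assess(self, name, cert_der):
        """Return (level, message) to show before the user confirms a payment."""
        seen = self._names.get(name, set())
        if cert_der is None:
            # An unsigned request can never match history.
            if seen:
                return "warn", f"{name}: unsigned, but you paid signed requests before."
            return "info", f"{name}: unsigned request; no payment history."
        paid = self._count.get(self.fingerprint(cert_der), 0)
        if paid:
            return "ok", f"You have paid this recipient {paid} time(s) before."
        if seen:
            # Same name, different key: a legitimate renewal or a substitution.
            return "warn", (f"You have never paid this recipient before, "
                            f"but you paid {name} under another certificate.")
        return "info", "You have never paid this recipient before."

    def record_payment(self, name, cert_der):
        """Call after a payment to a signed request has been broadcast."""
        fp = self.fingerprint(cert_der)
        self._count[fp] = self._count.get(fp, 0) + 1
        self._names.setdefault(name, set()).add(fp)


if __name__ == "__main__":
    # Constructed sample input: placeholder bytes stand in for DER certificates.
    shop_cert, other_cert = b"constructed-cert-A", b"constructed-cert-B"
    history = PaymentHistory()
    history.record_payment("shop.example", shop_cert)
    for cert in (shop_cert, other_cert, None):
        print(history.assess("shop.example", cert))
```

A certificate renewal also changes the fingerprint, so the "warn" result is a prompt for the user to check, not proof of compromise.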
Updated on: 2023-06-06T15:33:21.889617+00:00