From: Gregory Maxwell
To: Drak
Date: Sun, 8 Dec 2013 13:14:44 -0800
Cc: Bitcoin Dev
Subject: Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

On Sun, Dec 8, 2013 at 1:07 PM, Drak wrote:
> Simple verification relies on being able to answer the email sent to the
> person in the whois records, or standard admin/webmaster@ addresses to prove
> ownership of the domain

GoDaddy and many other CAs are verified from nothing other than a http fetch, no email involved. As I said, I'm willing to demonstrate if you have a domain.

> You cannot MITM SSL connections

You can, once you've obtained a certificate.

> Anyway, I take your points, but this is an area I am quite passionate about
> so it's important for me to be clear.

As I warned before, you're making me reconsider my position about the downloads being SSL. If people are so convinced that SSL provides protection it does not that even with an explanation and an offer to demonstrate then perhaps providing SSL will reduce people's security.

... the _only_ reason I don't yet hold that position now is that I know objectively that almost no one tests the signatures.

On Sun, Dec 8, 2013 at 1:11 PM, Drak wrote:
> It's not just about trust, there is the robustness factor: what if he
> becomes sick, unavailable, hit by a bus?
> Others need the ability to pick up
> and run with it. The control over the domain (including ability to renew
> registration, alter nameservers) needs to be with more than one person.
> That's why I suggest using the same people who have control over the
> software project at sf,github.

My understanding is that the domain is already controlled by more than one person. You're not the first person to think of these things. :)