path: root/b7/7f4a54d4fc18c4950d3cbc5837348ba367758a

Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
	helo=mx.sourceforge.net)
	by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <drak@zikula.org>) id 1Vtfos-0001XJ-82
	for bitcoin-development@lists.sourceforge.net;
	Thu, 19 Dec 2013 15:47:26 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of zikula.org
	designates 209.85.212.181 as permitted sender)
	client-ip=209.85.212.181; envelope-from=drak@zikula.org;
	helo=mail-wi0-f181.google.com; 
Received: from mail-wi0-f181.google.com ([209.85.212.181])
	by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1Vtfoq-0008DP-Uq
	for bitcoin-development@lists.sourceforge.net;
	Thu, 19 Dec 2013 15:47:26 +0000
Received: by mail-wi0-f181.google.com with SMTP id hq4so2380529wib.2
	for <bitcoin-development@lists.sourceforge.net>;
	Thu, 19 Dec 2013 07:47:18 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:cc:content-type;
	bh=t80I+3YlBMYe/heHJSwpts5oFyoDg0TQ5AGB71a7S4E=;
	b=X5s3uPEgvnxiCuo9dvhs3aHX72ENGR9UWfjCwnlnZg+hVY+ES3EknvTgFYImtfiIhA
	YBv1Ymm6ijvV9d5pmIvgW9LNINV6/joI0zLiC4iEYTKvxu0mX9oFB2midzKKj2hWWetW
	Nhk2VLUIvBacloFDQFHhz/LGhIu0zcvsUeVFTsMjU9OXWdIEnN1SRcXMBCrFxyG64eFR
	nfBp3r51z/+aiv0PmwPXqvAIu7ToJeE2D2KIw+TGncl7y3snTe3B8PKeCaNgfLX6BIpe
	+CY6sGlc1/sQDQLoCYsNQk2Q62OwttXfVC3jr3OgygPSiqv/wH+Iv7EDgLbWzMwa2CAP
	TMmQ==
X-Gm-Message-State: ALoCoQmyswNnFcbOHcun3ZzhDXLo9TJ4KdLG7nWSVoYV3joUEZXGeWUZyN4LuRcke/JQ5vZMUo9M
X-Received: by 10.194.206.5 with SMTP id lk5mr2126534wjc.46.1387468038660;
	Thu, 19 Dec 2013 07:47:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.194.93.105 with HTTP; Thu, 19 Dec 2013 07:46:58 -0800 (PST)
In-Reply-To: <20131219131706.GA21179@savin>
References: <20131219131706.GA21179@savin>
From: Drak <drak@zikula.org>
Date: Thu, 19 Dec 2013 15:46:58 +0000
Message-ID: <CANAnSg3G431rdPdq=mtqSUJvjqeu0NaV1KvOVdntoPVTcBZWRw@mail.gmail.com>
To: Peter Todd <pete@petertodd.org>
Content-Type: multipart/alternative; boundary=047d7b874c4294f96a04ede513e4
X-Spam-Score: -0.5 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	-0.0 SPF_PASS               SPF: sender matches SPF record
	0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
	See
	http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
	for more information. [URIs: petertodd.org]
	1.0 HTML_MESSAGE           BODY: HTML included in message
X-Headers-End: 1Vtfoq-0008DP-Uq
Cc: unsystem@lists.dyne.org,
	Bitcoin Dev <bitcoin-development@lists.sourceforge.net>,
	Amir Taaki <genjix@riseup.net>
Subject: Re: [Bitcoin-development] DarkWallet Best Practices
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Thu, 19 Dec 2013 15:47:26 -0000

--047d7b874c4294f96a04ede513e4
Content-Type: text/plain; charset=UTF-8

On 19 December 2013 13:17, Peter Todd <pete@petertodd.org> wrote:

> ** Fees
>
> Wallets MUST give users the ability to set the fee per KB they are
> willing to pay for their transactions. Wallets SHOULD allow users to
> change that fee after the fact via transction replacement.


Can you add a part about SHOULD/MUST warn users if the fee is unusually
high to avoid sob-stories of people sending 20BTC fees with for the
0.002BTC sandwich.

Sourcecode MUST be PGP signed on a regular basis. Releases MUST be
> signed - in git this is accomplished by signing the release tag.
> Individual commits SHOULD be signed, particularly if source-code used in
>

"SHOULD be cryptographically signed" I assume.


> ** SSL/Certificate authorties
>
> While certificate authorities are notoriously bad at the job they are
> supposed to be doing the CA system is still better than nothing - use it
> where appropriate. For instance if you have a website advertising your
> software, use https rather than http.
>

Once could make efforts to publish (maybe even as signed commits in the git
repo etc the current valid certificate fingerprints and which CA signed
it). This would go some way to exposing
MITM either by CA or in workplaces where browsers are loaded with bogus CAs
for the purpose
of deep packet inspection.


> ** Multi-factor spend authorization, AKA multisig wallets
>
> <mainly discussed at the conference in terms of multiple individuals
> controlling funds, which is out of scope for this document>
>
> Assuming any individual device is uncompromised is risky; wallet
> software SHOULD support some form of multi-factor protection of some or
> all wallet funds. Note that this is a weak "should"; mainly we want to
>

According to RFC 2119 <http://www.ietf.org/rfc/rfc2119.txt> language, you
might be better using the word RECOMMENDED or MAY over SHOULD here.

Additionally, at the beginning of the spec I would put :

"The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC
2119<http://www.ietf.org/rfc/rfc2119.txt>
."

Regards

Drak

--047d7b874c4294f96a04ede513e4
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">On 1=
9 December 2013 13:17, Peter Todd <span dir=3D"ltr">&lt;<a href=3D"mailto:p=
ete@petertodd.org" target=3D"_blank">pete@petertodd.org</a>&gt;</span> wrot=
e:<br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;b=
order-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:s=
olid;padding-left:1ex">

** Fees<br>
<br>Wallets MUST give users the ability to set the fee per KB they are<br>
willing to pay for their transactions. Wallets SHOULD allow users to<br>
change that fee after the fact via transction replacement. </blockquote><di=
v><br></div><div>Can you add a part about SHOULD/MUST warn users if the fee=
 is unusually high to avoid sob-stories of people sending 20BTC fees with f=
or the 0.002BTC sandwich.</div>

<div><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0p=
x 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-lef=
t-style:solid;padding-left:1ex">Sourcecode MUST be PGP signed on a regular =
basis. Releases MUST be<br>


signed - in git this is accomplished by signing the release tag.<br>
Individual commits SHOULD be signed, particularly if source-code used in<br=
></blockquote><div><br></div><div>&quot;SHOULD be cryptographically signed&=
quot; I assume.</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" sty=
le=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(=
204,204,204);border-left-style:solid;padding-left:1ex">

** SSL/Certificate authorties<br>
<br>
While certificate authorities are notoriously bad at the job they are<br>
supposed to be doing the CA system is still better than nothing - use it<br=
>
where appropriate. For instance if you have a website advertising your<br>
software, use https rather than http.<br></blockquote><div><br></div><div>O=
nce could make efforts to publish (maybe even as signed commits in the git =
repo etc the current valid certificate fingerprints and which CA signed it)=
. This would go some way to exposing=C2=A0</div>

<div>MITM either by CA or in workplaces where browsers are loaded with bogu=
s CAs for the purpose</div><div>of deep packet inspection.</div><div>=C2=A0=
</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;b=
order-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:s=
olid;padding-left:1ex">


** Multi-factor spend authorization, AKA multisig wallets<br>
<br>
&lt;mainly discussed at the conference in terms of multiple individuals<br>
controlling funds, which is out of scope for this document&gt;<br>
<br>
Assuming any individual device is uncompromised is risky; wallet<br>
software SHOULD support some form of multi-factor protection of some or<br>
all wallet funds. Note that this is a weak &quot;should&quot;; mainly we wa=
nt to<br></blockquote><div><br></div><div>According to <a href=3D"http://ww=
w.ietf.org/rfc/rfc2119.txt">RFC 2119</a> language, you might be better usin=
g the word RECOMMENDED or MAY over SHOULD here.=C2=A0</div>

<div><br></div><div>Additionally, at the beginning of the spec I would put =
:</div><div><br></div><div><font face=3D"courier new, monospace" size=3D"1"=
>&quot;<span style=3D"color:rgb(102,102,102);line-height:22px;background-co=
lor:rgb(250,250,250)">The key words &quot;MUST&quot;, &quot;MUST NOT&quot;,=
 &quot;REQUIRED&quot;, &quot;SHALL&quot;, &quot;SHALL NOT&quot;, &quot;SHOU=
LD&quot;, &quot;SHOULD NOT&quot;, &quot;RECOMMENDED&quot;, &quot;MAY&quot;,=
 and &quot;OPTIONAL&quot; in this document are to be interpreted as describ=
ed in=C2=A0</span><a href=3D"http://www.ietf.org/rfc/rfc2119.txt" style=3D"=
margin:0px;padding:0px;border:0px;line-height:22px;vertical-align:baseline;=
color:rgb(40,121,208);text-decoration:none;background-color:rgb(250,250,250=
)">RFC 2119</a><span style=3D"color:rgb(102,102,102);line-height:22px;backg=
round-color:rgb(250,250,250)">.</span>&quot;</font></div>

<div>=C2=A0</div><div>Regards</div><div><br></div><div>Drak=C2=A0</div></di=
v></div></div>

--047d7b874c4294f96a04ede513e4--