Today, at 4pm PST. Today’s topics: community review of dCBOR libraries, and requirements for crypto-requests to sign more than PSBTs, such as legacy Bitcoin messages, multisig coordination/FROST, sign-in with Bitcoin.

Wed Mar 01 15:59:37 +0000 2023

RT @FOUNDATIONdvcs: We at Foundation are grateful for the work on interoperable standards by @BlockchainComns, as it helps us (and others!)…

Wed Mar 01 18:45:41 +0000 2023

@Ledger Are you supporting our Animated QRs for PSBTs or using URs for NFC in your new wallet? Who is the technical contact person now for wallet interoperability standards?

Wed Mar 01 19:10:18 +0000 2023

Replying to @jamie_donald

Sorry, just saw that, best place is either in discussion at or as an issue in the source repo: We are planning a major rev in Q2.

Wed Mar 01 20:16:25 +0000 2023

The drawbacks of cryptographic agility include high implementation and support costs, bad interactions, and downgrade attacks. Each new cryptographic option explodes the cost of implementation, the attack surface, and ultimately the chance of some sort of problem. [3/11]

Wed Mar 08 10:37:35 +0000 2023

Many people still believe that cryptographic agility is still the preferred way to design software, and that it is the best solution for possible futures when an algorithm needs to be deprecated, such as when quantum computing arrives. But instead, it causes more problems! [2/11]

Wed Mar 08 10:37:35 +0000 2023

My latest Musings of a Trust Architect post talks about the problems of cryptographic agility. In the 90’s it was a solution for when weak algorithms like RC4 & MD5 caused vulnerabilities. But the legacy of this approach causes problems today! 🧵 [1/11]

Wed Mar 08 10:37:35 +0000 2023

Modern protocols like TLS 1.3 have demonstrated how limiting cryptographic options leads to greater security, as they have given room for more thorough testing and review rather than patching over old problems. [7/11]

Wed Mar 08 10:37:36 +0000 2023

Alternatives to crypto agility include limited cipher suites, specific methods for use in different ecosystems, and clean and well-separated layers. These allow for thorough testing & code review and reduce the risk of security vulnerabilities arising from interactions. [6/11]

Wed Mar 08 10:37:36 +0000 2023

In addition, cryptographic agility has often resulted in downgrade attacks. Hackers can force systems to use older cryptography, something we saw happen with the TLS Poodle attack. [5/11]

Wed Mar 08 10:37:36 +0000 2023

If you have 5 different options, there might be as many as 125 different variants that need to be reviewed. With seven up to 5040! It is an n-factorial problem! You need to know how each works together, and that’s impossible! [4/11]

Wed Mar 08 10:37:36 +0000 2023

The current practice of offering high numbers of crypto-agile options actually decreases our security in the name of improving it. My article talks about this all more. I’d love to hear your thoughts! [10/11]

Wed Mar 08 10:37:37 +0000 2023

I believe that as new projects and standardization efforts emerge, we need to ensure that they’re dealing with their cryptographic choices in a secure, forward-looking way. Limiting options can allow us to thoughtfully offer alternatives to full-on cryptographic agility. [9/11]

Wed Mar 08 10:37:37 +0000 2023

Other approaches, such as an “opinionated” crypto suite such as WireGuard offers, or restricting use to a single suite but having a 2nd one prepared and set aside for the future, can also be improvements over legacy cryptographic agility. [8/11]

Wed Mar 08 10:37:37 +0000 2023

This is an example of the kind of design problems we strive to resolve at Blockchain Commons, as we work to create self-sovereign, interoperable infrastructures. If this is important to you, support us as Patrons. [11/11]

Wed Mar 08 10:37:38 +0000 2023

If you like my past game design and collaborative pattern efforts, I’ve got a new collaborative #TTRPG storytelling game based on them on its way via Kickstarter. Sign up for the pre-launch announcement!

Wed Mar 15 06:16:52 +0000 2023

Replying to @csuwildcat, @DarioUTXO, @Ledger, @Trezor and @paullinator

I am skeptical too. This is a typical Linux Foundation “let’s get money to have others do all the work, which only big companies can afford, so we’ll actually focus on them”

Thu Mar 16 20:53:55 +0000 2023

Replying to @csuwildcat, @DarioUTXO, @Ledger, @Trezor and @paullinator

As someone who actually is getting wallet interoperability actually happening, their approach is too HyperLedger for me.

Thu Mar 16 20:55:31 +0000 2023

Replying to @csuwildcat, @DarioUTXO, @Ledger, @Trezor and @paullinator

See this wallet interop list for PSBT for QRs we led (and dedicated architecture & developers too) at

Thu Mar 16 20:57:04 +0000 2023

Replying to @csuwildcat, @DarioUTXO, @Ledger, @Trezor and @paullinator

All funded by members through github.

Thu Mar 16 20:57:25 +0000 2023

Replying to @BitcoinErrorLog, @DarioUTXO, @csuwildcat, @Ledger, @Trezor, @paullinator and @bitkitwallet

You should get involved with the Gordian Developer Community.

Thu Mar 16 20:59:59 +0000 2023

Replying to @BitcoinErrorLog, @DarioUTXO, @csuwildcat, @Ledger, @Trezor, @paullinator and @bitkitwallet

It’s all on the Gordian Developer Community page.

Sat Mar 18 01:06:24 +0000 2023

Replying to @BitcoinErrorLog, @DarioUTXO, @csuwildcat, @Ledger, @Trezor, @paullinator and @bitkitwallet

Next regular meeting is April 5th. Sign up for announcements to mailing list, or watch discussions in GitHub repo, or join signal group.

Sat Mar 18 01:08:31 +0000 2023

Replying to @BitcoinErrorLog, @DarioUTXO, @csuwildcat, @Ledger, @Trezor, @paullinator and @bitkitwallet

We also periodically have special meetings, like last month’s meeting on airgapped signing of messages, for instance Sign-in With Bitcoin. Some of the more recent meetings are archived at (older ones are in progress).

Sat Mar 18 01:11:38 +0000 2023

Replying to @Truthcoin, @fiatjaf and @csuwildcat

Details on our proposal, called Collaborative Seed Recovery, with multiple wallet companies involved:

Sat Mar 18 01:14:06 +0000 2023

Replying to @Truthcoin, @fiatjaf and @csuwildcat

See also videos of past meetings on this topic (reverse order):

Sat Mar 18 01:16:11 +0000 2023

Replying to @OR13b, @Truthcoin, @fiatjaf and @csuwildcat

Our CSR project doesn’t use mnemonics, but can import them. Problem is today the seed is not enough, for instance with newer bitcoin you also need descriptors. With Lightning channels. With Musig2 or Frost, channels to your quorum partners. Private…

Sat Mar 18 02:26:14 +0000 2023

Replying to @windley, @adam3us, @fiatjaf, @Truthcoin and @csuwildcat

We are working on rotatable keys for Bitcoin. The very first DID method, did:btcr offered this functionality. Unfortunately it only worked with legacy Bitcoin transactions but there is a 2.0 in the works. Other DID methods could use similar techniques.

Sat Mar 18 22:37:35 +0000 2023

Replying to @WolfMcNally

My CompuServe address was 72135,250. Those first 5 digits were a status symbol, as I recall, it meant I had some administrative privileges. Oldest ref I’ve found is “MS Basic Capture Bootstrap Terminal” that I wrote in ‘84 so you could download real app:

Sun Mar 19 23:53:45 +0000 2023

Victory! @GovernorGordon of #Wyoming recently signed into law two crucial digital-asset laws: one on private-key protection and another on digital-asset registration. @BlockchainComns played a key role in advocating for these new laws. 🧵… [1/11].

Thu Mar 23 19:04:30 +0000 2023

I presented the idea of WRDAs to Wyoming in 2022 because digital assets needed legal codification and judicial clarity. [4/11]

Thu Mar 23 19:04:31 +0000 2023

This new Wyoming law HB86 grants strong protections to private keys, letting courts know their inappropriate usage isn’t OK! [3/11]

Thu Mar 23 19:04:31 +0000 2023

I’ve been fighting for special protection of private keys since 2018. The biggest problem? Courts were granting them in discovery for informational reasons, putting digital assets and digital identity at risk. [2/11]

Thu Mar 23 19:04:31 +0000 2023

Mark your calendars: the private-key protection act goes into effect on July 1st, the digital-asset registration act on December 1st. [8/11]

Thu Mar 23 19:04:32 +0000 2023

Registering a digital asset in Wyoming also gives you access to their new Chancery Courts, offering resolution of commercial, business and trust cases, and now judicial clarity on digital assets, available on a more swift schedule than other courts. [7/11]

Thu Mar 23 19:04:32 +0000 2023

However, this was only available for Wyoming residents and corporations. This year’s SF76, the “Wyoming Digital Asset Registration Act”, gives non-residents, who can prove “control” of their digital assets, access to this judicial clarity! [6/11]

Thu Mar 23 19:04:32 +0000 2023

You want to “perfect” a digital asset so that you can use it as collateral? A prior amendment to Wyoming’s digital assets laws in 2021-HB43 in §34‑29‑103 defines “perfection of a security interest in digital securities may be achieved by control”. [5/11]

Thu Mar 23 19:04:32 +0000 2023

Support @BlockchainComns to ensure that this critical advocacy work can continue! [11/11]

Thu Mar 23 19:04:33 +0000 2023

Our respect & appreciation goes out to the legislators in #Wyoming who are shaping the future of digital assets, in particular co-chair @Rothfuss and the rest of the Select Committee members. They are creating a model for the rest of the world! [10/11]

Thu Mar 23 19:04:33 +0000 2023

Successes like this are why Blockchain Commons has advocated to various governments for over five years: we believe that it’s crucial to create a new foundation for identity and property in the digital world that protects the rights of individuals. [9/11]

Thu Mar 23 19:04:33 +0000 2023

Replying to @kanzure and @BlockchainComns

Specific to registration, you either have to register them yourself, risking anonymity, or use an agent to do so under your principal authority with duty of fiduciary responsibility to your digital identity (possible under the new digital identity law):

Thu Mar 23 19:29:27 +0000 2023

Replying to @kanzure and @BlockchainComns

I am hoping to work with the #Wyoming Select Committee on draft legislation to further strengthen that opportunity. Some other protections are currently only for Wyoming “persons”, which is both residents and corporations. So you can use a Wyoming LLC for that.

Thu Mar 23 19:31:31 +0000 2023

Replying to @kanzure and @BlockchainComns

In particular, the private key legislation only protects you from Wyoming courts. If you have a Wyoming LLC with assets, you may be able to argue that any case against you needs to be held under its laws and its courts. Harder for an individual (unless you are a Wyoming resident).

Thu Mar 23 19:32:46 +0000 2023

Replying to @kanzure and @BlockchainComns

I’m hoping that we can spread these concepts into more states, under federal law, as well as some international jurisdictions, so we can protect more people. Know legislators interested? And of course, more sustained funding of @BlockchainComns will help us do that.

Thu Mar 23 19:34:35 +0000 2023

RT @kanzure: @ChristopherA @BlockchainComns Could you spell out the benefits or why everyone should be rushing to do this? It sounds like a…

Thu Mar 23 19:34:58 +0000 2023

RT @ChristopherA: @kanzure @BlockchainComns Specific to registration, you either have to register them yourself, risking anonymity, or use…

Thu Mar 23 19:35:25 +0000 2023

RT @Tyler_Lindholm: Two big wins in Wyoming that have a huge impact 💪

Fri Mar 24 00:17:58 +0000 2023

Many of you know that I also design collaborative games. I am getting ready to launch next Friday a new card-based storytelling system called Tableau. Sign up now on Kickstarter for the pre-launch!

Sat Mar 25 00:49:56 +0000 2023

Today is the 80th anniversary of the bombing of the Dutch Civil Archives. We need to learn lessons from the past — J.L. Lentz’s mission in the 1930s “To Record Is To Serve”, and goals for a “Paper Man” are far too parallel today for my comfort. #Foremembrance

Mon Mar 27 17:23:58 +0000 2023

I have a #foremembrance video from a few years ago that describes how efficient collection of Dutch data for good purposes during the Depression was used by Nazis in WWII to kill the largest percentage of Jews of any nation.

Mon Mar 27 17:26:13 +0000 2023

A missing part of my story about the tragedy caused by centralized data in the Netherlands, are the efforts of René Carmille to deny similar efforts by the Nazis in France.

Mon Mar 27 17:29:54 +0000 2023

The Dutch government today is trusted by its citizens. This is something increasingly rare worldwide. Despite that, we still need to defend ourselves against possible future tyranny in which governments, corporations, and other entities convert human beings into data.

Mon Mar 27 17:32:59 +0000 2023

We must begin by looking at the past, when identity was weaponized and 6 million and more died as a result. But we also need to operationalize that learning by transforming it from a reflection into a vision for the present and the future. A #foremembrance.

Mon Mar 27 17:35:21 +0000 2023

The Dutch Holocaust statistics reveal the dangers of centralized identity systems. 75% of Dutch Jews fell victim to the Holocaust compared to 23% in France. This tragedy was in part due to the misuse of identity data collected by the Dutch and used by the Nazis.

Mon Mar 27 18:00:02 +0000 2023

We must defend ourselves against possible future tyranny and entities that convert human beings into data. The ability to collect and analyze big data brings potential harm. Our best defense is to maintain sovereignty over our own identity so that we can control our own data.

Mon Mar 27 18:06:01 +0000 2023

As nationalism, tribalism, and xenophobia rise worldwide, we must learn to be heroes and resist a world in which our sovereignty over our identity is threatened (e.g. #Turkey #Hungary #Ukraine #Taiwan). Trust-minimized identity solutions are crucial for protecting human rights.

Mon Mar 27 18:06:01 +0000 2023

Let us honor the 80th anniversary of the bombing of the Dutch Civil Archives by committing to a future where identity is protected, and human rights are preserved. We must learn from the past to build a better, safer world for all. #foremembrance #anniversary

Mon Mar 27 18:06:02 +0000 2023

Here is more today on that 80th anniversary of the bombing of the Dutch Civil Archives, in particular about Lau Mazirel, a lost hero who fought for privacy in the 30s. From @nrc (and translated to English using Google):

Mon Mar 27 18:32:33 +0000 2023

RT @ChristopherA: Here is more today on that 80th anniversary of the bombing of the Dutch Civil Archives, in particular about Lau Mazirel,…

Mon Mar 27 18:32:45 +0000 2023

BTW, I’m currently working on a book about the intersection of identity and digital privacy, drawing lessons from this history. But I am challenged with some of the research, in particular in France (Carmille) & Belgium (Came). If you have interest in helping research, DM me.

Mon Mar 27 19:09:12 +0000 2023

An example of the use of misinformation: “This stuff should not be allowed to happen—that some dictator or his consultants decide for their own reasons to target citizens of a democracy and ruin their lives, without any kind of process whatsoever.”

Mon Mar 27 19:54:04 +0000 2023

@esthergaarlandt are you the author of ?

Mon Mar 27 20:36:18 +0000 2023

Replying to @ValleyAtRisk and @WebDevLaw

I’ve been trying to find original sources for Carmille’s ethical hacking, and am not finding what some people claim. Have you found any? Do you know French? I don’t, which is part of my challenge.

Mon Mar 27 21:28:32 +0000 2023

RT @shaunbconway: With our recent @ixoworld chain upgrade we DID it!

Mon Mar 27 23:35:09 +0000 2023