Today, at 4pm PST. Today’s topics: community review of dCBOR libraries, and requirements for crypto-requests to sign more that PSBTs, such as legacy Bitcoin messages, multisig coordination/FROST, sign-in with Bitcoin. https://twitter.com/ChristopherA/status/1630745808764284928
RT @FOUNDATIONdvcs: We at Foundation are grateful for the work on interoperable standards by @BlockchainComns, as it helps us (and others!)…
@Ledger Are you supporting our Animated QRs for PSBTs or using URs for NFC in your new wallet? Who is the technical contact person now for wallet interoperability standards? https://twitter.com/ChristopherA/status/1630960995505164288
Replying to @jamie_donald
Sorry, just saw that, best place is either in discussion at https://github.com/BlockchainCommons/Gordian/discussions or as an issue in the source repo: https://github.com/BlockchainCommons/GordianSeedTool-iOS/issues We are planning a major rev in Q2.
The drawbacks of cryptographic agility include high implementation and support costs, bad interactions, and downgrade attacks. Each new cryptographic option explodes the cost of implementation, the attack surface, and ultimately the chance of some sort of problem. [3/11]
Many people still believe that cryptographic agility is still the preferred way to design software, and that it is the best solution for possible futures when an algorithm needs to be deprecated, such as when quantum computing arrives. But instead, it causes more problems! [2/11]
My latest Musings of a Trust Architect post talks about the problems of cryptographic agility. In the 90’s it was a solution for when weak algorithms like RC4 & MD5 caused vulnerabilities. But the legacy of this approach causes problems today! 🧵 [1/11] https://www.blockchaincommons.com/musings/musings-agility/
Modern protocols like TLS 1.3 have demonstrated how limiting cryptographic options leads to greater security, as they have given room for more thorough testing and review rather than patching over old problems. [7/11]
Alternatives to crypto agility include limited cipher suites, specific methods for use in different ecosystems, and clean and well-separated layers. These allow for thorough testing & code review and reduce the risk of security vulnerabilities arising from interactions. [6/11]
In addition, cryptographic agility has often resulted in downgrade attacks. Hackers can force systems to use older cryptography, something we saw happen with the TLS Poodle attack. [5/11] https://www.cisa.gov/news-events/alerts/2014/10/17/ssl-30-protocol-vulnerability-and-poodle-attack
If you have 5 different options, there might be as many as 125 different variants that need to be reviewed. With seven up to 5040! It is an n-factorial problem! You need to know how each work together, and that’s impossible! [4/11]
The current practice of offering high numbers of crypto-agile options actually decreases our security in the name of improving it. My article talks about this all more. I’d love to hear your thoughts! [10/11] https://www.blockchaincommons.com/musings/musings-agility/
I believe that as new projects and standardization efforts emerge, we need to ensure that they’re dealing with their cryptographic choices in a secure, forward-looking way. Limiting options can allow us to thoughtfully offer alternatives to full-on cryptographic agility. [9/11]
Other approaches, such an “opinionated” crypto suite such as Wireguard offers, or restricting use to a single suite but having a 2nd one prepared and set aside for the future, can also be improvements over legacy cryptographic agility. [8/11]
This is an example of the kind of design problems we strive to resolve at Blockchain Commons, as we work to create self-sovereign, interoperable infrastructures. If this is important to you, support us as Patrons. [11/11] https://github.com/sponsors/BlockchainCommons
If you like my past game design and collaborative pattern efforts, I’ve got a new collaborative #TTRPG storytelling game based on them on its way via Kickstarter. Sign up for the pre-launch announcement! https://twitter.com/DyversHands/status/1635877909926924289
Replying to @csuwildcat, @DarioUTXO, @Ledger, @Trezor and @paullinator
I am skeptical too. This is a typical Linux Foundation “let’s get money to have others do all the work, which only big companies can afford, so we’ll actually focus on them”
Replying to @csuwildcat, @DarioUTXO, @Ledger, @Trezor and @paullinator
As someone who actually is getting wallet interoperability actually happening, their approach is too HyperLedger for me.
Replying to @csuwildcat, @DarioUTXO, @Ledger, @Trezor and @paullinator
See this wallet interop list for PSBT for QRs we led (and dedicated architecture & developers too) at https://github.com/BlockchainCommons/Gordian-Developer-Community#urs
Replying to @csuwildcat, @DarioUTXO, @Ledger, @Trezor and @paullinator
All funded by members through github.
Replying to @BitcoinErrorLog, @DarioUTXO, @csuwildcat, @Ledger, @Trezor, @paullinator and @bitkitwallet
You should get involved with the Gordian Developer Community. https://github.com/BlockchainCommons/Gordian-Developer-Community
Replying to @BitcoinErrorLog, @DarioUTXO, @csuwildcat, @Ledger, @Trezor, @paullinator and @bitkitwallet
It all on the Gordian Developer Community page. https://github.com/BlockchainCommons/Gordian-Developer-Community
Replying to @BitcoinErrorLog, @DarioUTXO, @csuwildcat, @Ledger, @Trezor, @paullinator and @bitkitwallet
Next regular meeting is April 5th. Sign up for announcements to mailing list, or watch discussions it GitHub repo, or join signal group.
Replying to @BitcoinErrorLog, @DarioUTXO, @csuwildcat, @Ledger, @Trezor, @paullinator and @bitkitwallet
We also periodically have special meetings, like last month’s meeting on airgapped signing of messages, for instance Sign-in With Bitcoin. Some of the more recent meetings are archived at https://github.com/BlockchainCommons/Gordian-Developer-Community (older ones are in progress).
Replying to @Truthcoin, @fiatjaf and @csuwildcat
Details on our proposal, called Collaborative Seed Recovery, with multiple wallet companies involved: https://github.com/BlockchainCommons/Gordian/blob/master/CSR/README.md
Replying to @Truthcoin, @fiatjaf and @csuwildcat
See also videos past meetings on this topic (reverse order): https://youtube.com/playlist?list=PLCkrqxOY1Fbp-P1Yv-7gmu75i2QS2Z6vk
Replying to @OR13b, @Truthcoin, @fiatjaf and @csuwildcat
Our CSR project doesn’t use mnemonics, but can import them. Problem is today the seed is not enough, for instance with newer bitcoin you also need descriptors. With Lightning channels. With Musig2 or Frost, channels to your quorum parters. Private https://github.com/BlockchainCommons/Gordian/blob/master/CSR/README.md…
Replying to @windley, @adam3us, @fiatjaf, @Truthcoin and @csuwildcat
We are working on rotatable keys for Bitcoin. The very first DID method, did:btcr offered this functionality. Unfortunately it only worked with legacy Bitcoin transactions but there is a 2.0 in the works. Other DID methods could use similar techniques.
Replying to @WolfMcNally
My CompuServe address was 72135,250. Those first 5 digits were a status symbol, as I recall, it meant I had some administrative privileges. Oldest ref I’ve found is “MS Basic Capture Bootstrap Terminal” that I wrote in ‘84 so you could download real app: https://archive.org/stream/mac_The_Complete_Macintosh_Sourcebook_1985/The_Complete_Macintosh_Sourcebook_1985_djvu.txt
Victory! @GovernorGordon of #Wyoming recently signed into law two crucial digital-asset laws: one on private-key protection and another on digital-asset registration. @BlockchainComns played a key role in advocating for these new laws. 🧵… [1/11]. https://www.blockchaincommons.com/news/PrivateKeyWRDABills/
I presented the idea of WRDAs to Wyoming in 2022 because digital assets needed legal codification and judicial clarity. [4/11] https://wyoleg.gov/InterimCommittee/2022/S19-2022061408-03WyomingWRDASlides.pdf
This new Wyoming law HB86 grants strong protections to private keys, letting courts know their inappropriate usage isn’t OK! [3/11] https://wyoleg.gov/Legislation/2023/HB0086
I’ve been fighting for special protection of private keys since 2018. The biggest problem? Courts were granting them in discovery for informational reasons, putting digital assets and digital identity at risk. [2/11] https://bitcoinmagazine.com/legal/saving-bitcoin-private-keys-from-courts
Mark your calendars: the private-key protection act goes into effect on July 1st, the digital-asset registration act on December 1st. [8/11]
Registering a digital asset in Wyoming also gives you access to their new Chancery Courts, offering resolution of commercial, business and trust cases, and now judicial clarity on digital assets, available on a more swift schedule than other courts. [7/11] https://www.wyomingnews.com/wyomingbusinessreport/industry_news/economy_and_labor/state-chancery-court-marks-one-year-of-handling-business-law/article_4d70ca70-7a48-11ed-9742-2feece272735.html
However, this was only available for Wyoming residents and corporations. In this year’s SF76, the “Wyoming Digital Asset Registration Act”, gives non-residents, who can prove “control” of their digital assets, access to this judicial clarity! [6/11] https://wyoleg.gov/Legislation/2023/SF0076
You want to “perfect” a digital asset so that you can use it as collateral? An prior amendment to Wyoming’s digital assets laws in 2021-HB43 in §34‑29‑103 defines “perfection of a security interest in digital securities may be achieved by control”. [5/11] https://wyoleg.gov/Legislation/2021/HB0043
Support @BlockchainComns to ensure that this critical advocacy work can continue! [11/11] https://github.com/sponsors/BlockchainCommons
Our respect & appreciation goes out to the legislators in #Wyoming who are shaping the future of digital assets, in particular co-chair @Rothfuss and the rest of the Select Committee members. They are creating a model for the rest of the world! [10/11] https://www.wyoleg.gov/Committees/2022/S19
Successes like this are why Blockchain Commons has advocated to various governments for over five years: we believe that it’s crucial to create a new foundation for identity and property in the digital world that protects the rights of individuals. [9/11] https://advocacy.blockchaincommons.com/testimony/
Replying to @kanzure and @BlockchainComns
Specific to registration, you either have to register them yourself, risking anonymity, or use an agent to do so under your principal authority with duty of fiduciary responsibility to your digital identity (possible under the new digital identity law): https://www.blockchaincommons.com/articles/Principal-Authority/
Replying to @kanzure and @BlockchainComns
I am hoping to work with the #Wyoming Select Committee on draft legislation to further strengthen that opportunity. Some other protections are currently only for Wyoming “persons”, which is both residents and corporations. So you can use a Wyoming LLC for that.
Replying to @kanzure and @BlockchainComns
In particular, the private key legislation only protects you from Wyoming courts. If you have a Wyoming LLC with assets, you may be able argue that any case against you needs to be held under its laws and its courts. Harder for an individual (unless you are a Wyoming resident).
Replying to @kanzure and @BlockchainComns
I’m hoping that we can spread these concepts into more states, under federal law, as well as some international jurisdictions, so we can protect more people. Know legislators interested? And of course, more sustained funding of @BlockchainComns will help us do that.
RT @kanzure: @ChristopherA @BlockchainComns Could you spell out the benefits or why everyone should be rushing to do this? It sounds like a…
RT @ChristopherA: @kanzure @BlockchainComns Specific to registration, you either have to register them yourself, risking anonymity, or use…
RT @Tyler_Lindholm: Two big wins in Wyoming that have a huge impact 💪
Many of you know that I also design collaborative games. I am getting ready to launch next Friday a new card-based storytelling system called Tableau. Sign up now on Kickstarter for the pre-launch! https://www.kickstarter.com/projects/christophera/tableau-twilight-road-and-gate-watch-playsets-quickstarter https://twitter.com/DyversHands/status/1639428340624031744
Today is the 80th anniversary of the bombing of the Dutch Civil Archives. We need to learn lessons from the past — J.L. Lentz’s mission in the 1930s “To Record Is To Serve”, and goals for a “Paper Man” are far too parallel today for my comfort. #Foremembrance https://twitter.com/ChristopherA/status/1243434431903219712
I have a #foremembrance video from a few years ago that describes how efficient collection of Dutch data for good purposes during the Depression was used by Nazi’s in WWII to kill the largest percentage of Jews of any nation. https://www.youtube.com/watch?v=isanNSDoSnE
A missing part of my story about the tragedy caused by centralized data in the Netherlands, are the efforts of René Carmille to deny similar efforts by the Nazis in France. https://twitter.com/WebDevLaw/status/957256426392494080
The Dutch governments today a trusted by its citizens. That this is something increasingly rare worldwide. Despite that, we still need to defend ourselves against possible future tyranny in which governments, corporations, and other entities convert human beings into data.
We must begin by looking at the past, when identity was weaponized and 6 million and more died as a result. But we also need to operationalize that learning by transforming it from a reflection into a vision for the present and the future. A #foremembrance.
The Dutch Holocaust statistics reveal the dangers of centralized identity systems. 75% of Dutch Jews fell victim to the Holocaust compared to 23% in France. This tragedy was in part due to the misuse of identity data collected by the Dutch and used by the Nazis.
We must defend ourselves against possible future tyranny and entities that convert human beings into data. The ability to collect and analyze big data brings potential harm. Our best defense is to maintain sovereignty over our own identity so that we can control our own data.
As nationalism, tribalism, and xenophobia rise worldwide, we must learn to be heroes and resist a world in which our sovereignty over our identity is threatened (e.g. #Turkey #Hungary #Ukraine #Taiwan) Trust-minimized identity solutions are crucial for protecting human rights.
Let us honor the 80th anniversary of the bombing of the Dutch Civil Archives by committing to a future where identity is protected, and human rights are preserved. We must learn from the past to build a better, safer world for all. #foremembrance #anniversary
Here is more today on that 80th anniversary of the bombing of the Dutch Civil Archives, in particular about Lau Mazirel, a lost hero who fought for privacy in the 30s. From @nrc (and translated to English using Google): https://www-nrc-nl.translate.goog/nieuws/2023/03/26/lau-mazirel-bleef-altijd-strijden-voor-privacy-en-tegen-dataregistratie-a4160510?_x_tr_sl=nl&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
RT @ChristopherA: Here is more today on that 80th anniversary of the bombing of the Dutch Civil Archives, in particular about Lau Mazirel,…
BTW, I’m currently working on a book about the intersection of identity and digital privacy, drawing lessons from this history. But I am challenged with some of the research, in particular in France (Carmille) & Belgium (Came). If you have interest in helping research, DM me.
An example of the use of misinformation: “This stuff should not be allowed to happen—that some dictator or his consultants decide for their own reasons to target citizens of a democracy and ruin their lives, without any kind of process whatsoever.” https://apple.news/Ae1PNgKweTpGzjL40zPGMlQ
@esthergaarlandt are you the author of https://www-nrc-nl.translate.goog/nieuws/2023/03/26/lau-mazirel-bleef-altijd-strijden-voor-privacy-en-tegen-dataregistratie-a4160510?_x_tr_sl=nl&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp ?
Replying to @ValleyAtRisk and @WebDevLaw
I’ve been trying to find original sources for Carmille’s ethical hacking, and am not finding what some people claim. Have you found any? Do you know French, I don’t, which is part of my challenge.
RT @shaunbconway: With our recent @ixoworld chain upgrade we DID it!