Check the Multi-sig !!!!!!

Just wanted to point out that amongst all the chaos we need to learn from mistakes made in the past.

HNSA did not have transparent multisig and from what I can tell TR doesn't either.

From what I understand you need to put in the Redeem code into coin.in and make sure it matches your public key and the vendors, as well as the market.(2of3)

Without manually verifying the vendor's multisig key by asking them via message aren't we just trusting that the website wont substitute both signatures for their own? Unless I am missing something ?

Thanks


Comments


[2 Points] ice_cream4breakfast:

Yes, the vendor should post a pgp signed message with their multi sig public key, the buyer should send their multi sig public key with their address, once the market creates the transaction, thr vendor needs to verify the transaction.


[1 Points] Sourcery_Market:

You hit the nail on the head with this. I wrote about this when we first launched I think and also have a follow up on how to avoid getting scammed with Multisig.

https://www.reddit.com/r/SourceryMarket/comments/6u7b4i/how_to_not_get_ripped_off_in_a_multisig/

You are correct. The one "sticking" point is how to establish control over the BTC addresses used in a transaction. We launched with this solution: The vendor batch signs addresses uses his vendor PGP key. When you enter into a contract with a vendor on Sourcery, you are presented with the needed elements: Redeem script, the three addresses involved, plus an currently optional PGP signed message of the BTC address from the vendor to prove he has control over that address. We call it "Batch Signing Addresses". Essentially, the vendor takes the addresses in the Electrum wallet and PGP signs with their key. The buyer should then PGP verify this when they are presented with the multisig address. We are working on another solution to this problem as well. But this is a sticking point and right now this is how we mitigate it. Unfortunately when we launched, hardly anyone understood the significance of the signed address. We have a few vendors who have done this. But many have not. We want to educate our userbase and eventually make this a requirement. Also, buyer's will need to do this side as well so a vendor can do the verification as well. That way, as long as you trust the vendor's PGP key, you can verify that the address used in the transaction actually belongs and is controlled by the vendor.


[0 Points] C_Lana_Zepamo:

I honestly don't understand MS so well. I only use GCMC right now, and they have a pretty transparent system I think. But what you are saying makes sense to me.