Major Announcement: Bitcoin Association to Become Decentralized

[BruceFenton]

The Bitcoin Association industry group focused on Bitcoin and related technologies will move to a decentralized model with open and transparent voting system.

http://bitcoinassociation.org/about-us/bitcoin-association-to-become-decentralized/

Please read and provide your thoughts.

Thank you

[franky1]

The Bitcoin Association industry group focused on Bitcoin and related technologies will move to a decentralized model with open and transparent voting system.

http://bitcoinassociation.org/about-us/bitcoin-association-to-become-decentralized/

Please read and provide your thoughts.

Thank you

imagine the registration process as only requiring a username and email address.

the registration script on the server uses a brain wallet code to make a random privkey+public keypair.

it then only saves the username email and PUBLIC key to the registration database. and emails the private key to the user.

(hope your following so far)

now when a user logs in, he types in his email. and private key does not go into any database. a script simply validates the public key saved, to then grant entry.

now inside the system admin cannot see private keys (because they are not saved) making the system safer from hacking making admin unable to say that the website hacked and passwords were compromised. as there are no passwords saved.

i know that website should already be only saving encrypted passwords. but we know that many dont. and i find it a better use of private/public keys to not even need to save a password encrypted or cleartext

[BruceFenton]

Thank you

[birr]

Franky,
Your idea for a scheme where the server

emails the private key to the user

might not be the best way.
The security community has well established techniques for password verification which do not require sending passwords, keys or such things through channels which may not be secure.  A password can be hashed on the client side (concatenated with salt sent from the server), and never leave the browser.
Check out
http://en.m.wikipedia.org/wiki/Cryptographic_hash_function
Go to the Applications section and the paragraph on "password verification"

[BruceFenton]

We can also separate the tokens and the site -- hopefully it will be fairly easy for people to vote though

[franky1]

Franky,
Your idea for a scheme where the server

emails the private key to the user

might not be the best way.
The security community has well established techniques for password verification which do not require sending passwords, keys or such things through channels which may not be secure.  A password can be hashed on the client side (concatenated with salt sent from the server), and never leave the browser.
Check out
http://en.m.wikipedia.org/wiki/Cryptographic_hash_function
Go to the Applications section and the paragraph on "password verification"

+1
there we go. taking my 30 second brainfart of an idea, and improving on it.

so instead of the server forming and emailing the priv/public key. the client side page makes a random privkey/public key. asks the user to save the privkey. and then only sends username email and public key to the server.

the reason i suggested prikey/public key of an alt is because the next stage would be that because the privkey never touches the server. then its safe for the system to give users x amount coins each, to their public address of this registration altcoin. and people can use those coins to vote. by sending 1 coin to the candidates address of whatever topic is being voted for

[BruceFenton]

Do you have any ideas on issuance?

Some options:

One human, one token
Weighting for activity, tenure, meansuremenrs of activity in the organization, votes by members, donations

We want a system which is fair, open and clear --- but also which is simple but also not easy to game and not something which becomes unfair over time.