Invitation to comment

[christoph2806]

This is an empty pull request to collect all your ideas & proposals. Please simply add comments below!

[hughkarp]

@kpii asked me for some comments.
I don't have anything of note to add on the technical specifications and security aspects of hardware etc, more in terms of what is being insured.
In general I think it is very hard, perhaps impossible, to provide insurance for private key loss. No matter what multi-sig set ups you have, if the parties collude they can send funds to a friendly address (or even just claim they can't access the keys anymore) and then claim there was a breach. It is very hard to disprove this with any certainty, so therefore you probably have to exclude it from coverage.
If you agree with the above, then insurance is limited to coverage against any bugs in either the multi-sig contract (like the Parity issues) or in the hardware wallets. The primary issue here from an insurance perspective is diversification, if there is an issue it is likely to be in all devices or all multi-sig contracts. This is very hard to manage as insurance relies on pooling of events that are independent (or close to it).
I may well have misunderstood something in the technical specs though. if so please enlighten me!

[christoph2806]

Hugh, of course you can't insure loss of a single key. The idea is that the loss of a single key won't damage the funds. So if one key is lost, we just redeploy the wallet with new keys, move funds with the remaining keys and then we reach the safe state again. So as long as the customer reports loss of a single key and follows the procedure to regain safe state, insurance protection will be intact. Best, Christoph

…

-- etherisc GmbH Zeller Weg 35a DE-82057 Icking Phone +49 160 9083 3392 Mail christoph@etherisc.com Web etherisc.com

On 8 February 2018 at 17:34, Hugh Karp ***@***.***> wrote: @kpii <https://github.com/kpii> asked me for some comments. I don't have anything of note to add on the technical specifications and security aspects of hardware etc, more in terms of what is being insured. In general I think it is very hard, perhaps impossible, to provide insurance for private key loss. No matter what multi-sig set ups you have, if the parties collude they can send funds to a friendly address (or even just claim they can't access the keys anymore) and then claim there was a breach. It is very hard to disprove this with any certainty, so therefore you probably have to exclude it from coverage. If you agree with the above, then insurance is limited to coverage against any bugs in either the multi-sig contract (like the Parity issues) or in the hardware wallets. The primary issue here from an insurance perspective is diversification, if there is an issue it is likely to be in all devices or all multi-sig contracts. This is very hard to manage as insurance relies on pooling of events that are independent (or close to it). I may well have misunderstood something in the technical specs though. if so please enlighten me! — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAaTp_1PawSapeBnEriP3kVFEaBmabcNks5tSyH_gaJpZM4Q5_gJ> .