Good things to practice when using Multisig

Never store bitcoin in addresses who's public keys are used for Multisig address generation on markets.
The reason for this is, if a market allows you to give them the private key to that wallet to sign with your key, the markets keys, and broadcast for you. You have to trust that the market isnt storing private keys, either maliciously or accidently. Thus compromising the bitcoin address and any coin that ever sits in it. Not to mention any party involved in the transaction can monitor that address and follow coin and trace coin by using the public key.


Cycle public keys from time to time.
incase a market or sites like coinb.in are maliciously storing private keys. No one but you remains in control of your transactions and addresses.


Keep Redeem Scripts in a safe place
the beauty of 2of3 multisig markets is vendor and buyer can complete transaction together without needing the market up and running 24/7
both parties should keep a copy of the redeem script so the party recieving the funds from the multsig address can create a transaction to a desired wallet, sign it, pass it to the other to sign and broadcast. Wouldn't trust the other person to put in the address, you want your money to go into, in the transaction for you right?


Always verify Multisig addresses with the Redeem Script BEFORE placing coins into it.
This is to prevent sending coin to an address 1 person has complete control over. Coinb.in will tell you what public keys were used and what the multisig address generated from them is. For extra security ask the vendor to validate his public key. easiest way is to message vendor and ask "Is one of your Public keys in your pool XXXXXXX?"


Comments


[2 Points] The_fire_bird:

if a market allows you to give them the private key to that wallet

"allows"? I'd never give a market my private key! If they tried to enforce it I'd find a new market pronto.


[1 Points] None:

If possible, as long as you know how to keep one piece of data safe it's not a horrible idea to use a master public key as opposed to a standard address public key if supported in a market.


[1 Points] returnoftentacle:

  1. No site or other person should ever have any chance to get ur signing privkey. Run coinbin offline. Dont use multisigs where markets tell u to give them ur privkey. Giving privkey to any site defeats the whole point of multisig. But agree that ur signing wallet shouldnt be used to send / receive btc. Strictly dedicate it for signing.
  2. I dont see much value in cycling ur pubkey too much. My opinion is that people should have one pgp pubkey and one multisig signing pubkey published in their profiles. This goes towards helping validate using the redeemscript without constant messaging requesting vendors pubkey. Pgp sign ur pubkey and put in ur profile. Cycle every year or so like ur pgp encryption pubkey. Why cycle more often? 3 and 4. Yes keep redeemscripts and yes you need to know the non-market party pubkey. This goes to my above point that having one pubkey per user in their profile makes workflow so much easier to validate.

And one more thing: 5. Establish offline contact method for non timelocked tx to be finallzed. Email address works. So profile should have pgp encryption pubkey, multisig sign wallet pubkey (signed with pgp key) and off-market finalization contact info such as email addy (or have proper email addy in ur pgp key email field)