This reddit thread discusses a user who lost some coins and is trying to prove that he owns that address.
There was a question in how he signed, and what he signed in the message fields, since it's easy to become an imposter the way he did it.
Question
What should (and should not) be written in the message field to prove ownership of a particular address?
Examples might include: - Date - Nonce? - ID such as Username, email address, full name, pgp public key, etc. - To
The problem stated here is that the message signed was only four uppercase letters: "DJFC." Apparently this is the person's Reddit username, but it's also a very tiny amount of data which can often be problematic. Mathematically speaking, the more entropy in your signed message the greater confidence it inspires. Simply signing your username is also not typically enough to reasonably prove that the poster and the signer are the same person.
I would personally take a hint from the sorts of cryptographic handshakes that automated systems use. Typically these involve a server-side nonce and a client-side nonce. Each of you should choose a large chunk of random data from a good entropy source (random.org, etc), publish those nonces publicly and then sign a message which includes both nonces as well as your intended message.
Having another entity provide a nonce for you to sign is known as a "challenge" and ensures the validity of the signature by providing a large amount of input entropy that the signer can have no prior knowledge of. Including your own nonce and publishing it publicly alongside the signed message proves that the person signing the message also controls the posting account. For example:
The challenge:
twentyseventy: DJFC, please sign the following nonce in addition to a nonce of your choosing:
ff 44 45 1a 5d 78 3a 19 a8 45 cf 83 05 cf 86 a1
64 1b 1e cf 8e ad 69 3a f2 5f 6e 12 12 2e af 76
The response:
TheDJFC: I have chosen the following nonce:
96 c4 41 1a 5e 27 22 0c 64 15 6d 3e 02 ea bd e4
99 dc 47 82 ba 30 2c db 49 e2 7a bb 87 c4 5f 32
---- BEGIN SIGNED TEXT ----
ff 44 45 1a 5d 78 3a 19 a8 45 cf 83 05 cf 86 a1
64 1b 1e cf 8e ad 69 3a f2 5f 6e 12 12 2e af 76
96 c4 41 1a 5e 27 22 0c 64 15 6d 3e 02 ea bd e4
99 dc 47 82 ba 30 2c db 49 e2 7a bb 87 c4 5f 32
---- END SIGNED TEXT ----
<insert signature here>
If security is less paramount, one could perhaps forego the complexities of a nonce-based system and simply sign a much more detailed message. For example, instead of:
Message: DJFC
One could sign a message like:
Message: 2014-06-02 11:43AM PST. I, TheDJFC, in response to a request to be found at the
specified URL, sign this message as proof of ownership of the specified Bitcoin address.
Address: 1P6iT6SJe4fZkKdzZBvMGoNj4KLnpSgNSp
URL: http://www.reddit.com/r/Bitcoin/comments/273vi2/if_you_just_received_800_bitcoin_out_of_the_blue/chx4wjc
Why all this drama? Well, I can think of a half-dozen ways off the top of my head to trick someone else into signing an arbitrary message with their Bitcoin address. Without the context of a Reddit user named "TheDJFC" that four letter "DJFC" string just looks like random letters, easily confusable with a nonce. It's also worth noting that the message was only signed with one of the input addresses, while the transaction in question references multiple addresses. In such cases, signatures from all addresses used would be preferable, especially where such large amounts of money are involved.
In this particular instance, I think you could say:
2014-06-02 20:08 UTC I am Reddit user TheDJFC, who posted http://www.reddit.com/r/Bitcoin/comments/273vi2/if_you_just_received_800_bitcoin_out_of_the_blue/ and am requesting a refund to 1P6iT6SJe4fZkKdzZBvMGoNj4KLnpSgNSp of my 800 BTC that I accidentally sent to an unknown party with transaction 4c1c085b39a64bcbdc8e651d5ffc3cddbb212d43c455c14d652c4600aa751fd6
And sign it with all 5 input addresses (signing it with 1 of them only really tells me that the sender of 200 of those BTC signed it, not the owner of all 800.00197476). And if I wish to challenge him with a nonce by saying, "I have the 800 BTC, send me the same message but include nonce 18291312", then he should be able to sign (again with all 5 input addresses)
2014-06-02 20:08 UTC I am Reddit user TheDJFC, who posted http://www.reddit.com/r/Bitcoin/comments/273vi2/if_you_just_received_800_bitcoin_out_of_the_blue/ and am requesting a refund to 1P6iT6SJe4fZkKdzZBvMGoNj4KLnpSgNSp of my 800 BTC that I accidentally sent to an unknown party with transaction 4c1c085b39a64bcbdc8e651d5ffc3cddbb212d43c455c14d652c4600aa751fd6 nonce 18291312
In other scenarios, including other things you mention (date, email address, full name, PGP public key) would be a good idea. E.g. if someone wanted to send an email to me, I might sign a message saying
2014-06-02 20:08 UTC My PGP public key fingerprint is a1b2c3a1b2c3a1b2c3a1b2c3 and my email address is [email protected]
The above examples don't really need a date, IMO: the Reddit thread has its own date (and really, I don't care whether he signed this message 5 minutes after or 2 minutes ago), and the PGP fingerprint refers to a dated public key (which can be expired if need be, I think). But, it never hurts, and it might help clarify and solidify things.
What's the point?
Here are some ways I could twist a simple signature like his (just "DJFC" from one of the addresses) to my benefit:
