[maaku]

> You cannot automate a cold-wallet scheme.

Yes, you can. You can have the hot wallet only deal with multi-signature outputs, and have these approved by separately locked down servers running behind TOR, for example, using out-of-band mechanisms for approving transactions.

[dragontamer]

>You can have the hot wallet only deal with multi-signature outputs

Then you don't have a cold-wallet scheme. You have a hot wallet scheme.

[TylerE]

You can do anything if you allow massive handwaving. ("out-of-band mechanisms for approving transactions")

[maaku]

Do I have to spell it out? The machine could be under physical control of its operators, with rate limiting restrictions lifted only by manual intervention via a GUI interface, making the low bandwidth TOR connection the only link to the outside world (and a simple one at that). Or the the verification and signing steps done via TPM so as to prevent key theft. There are other possibilities too.

This isn't handwavery. It's basic security engineering.

[TylerE]

Yes, but the whole debate was how to it automatically. Once you have someone physically intervening, your solution fails to meet the problem criteria.

[maaku]

Having people involved to resolve edge cases and possible fraud/theft is kinda the point...