Message-ID: <55AB8785.4080201@electrum.org>
Date: Sun, 19 Jul 2015 13:18:29 +0200
From: Thomas Voegtlin <thomasv@electrum.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
CC: bitcoin-dev@lists.linuxfoundation.org
References: <CA+w+GKQbOMz5nb_SnLB6Xb0FYzNZ_rEj5nbNjm2jY0+L8JJGAA@mail.gmail.com>	<55A4AF62.4090607@electrum.org>
	<CA+w+GKRCPEUezaTb46pzuDNxKNgi_KdTW2dOn9hsHwgD159czw@mail.gmail.com>
In-Reply-To: <CA+w+GKRCPEUezaTb46pzuDNxKNgi_KdTW2dOn9hsHwgD159czw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [bitcoin-dev] Proposal: extend bip70 with OpenAlias
Precedence: list

Hi Mike,

The reason why I would like to extend BIP70 is because it is currently
not being used in transactions between end-users. BIP70 works very well
in B2C situations, where users buy products from a website. However,
end-users still share Bitcoin addresses.

Before BIP70 was written, I had proposed "Signed URIs", where the
signature is a public proof that a payee requested a payment. This is
one of the main benefits of BIP70, and I still want to bring it to
user-to-user transactions.

I believe one of the main barriers to BIP70 adoption is that bitcoin:
URIs have been extended in a way that requires the request to be hosted
on a webserver. You may complain about the lack of store-and-forward
network, despite the apparent simplicity of creating one such network.
However, that does not mean we should absolutely do things that way and
wait until such a network exists.

Bitcoin addresses do not require a webserver. If we want to build
something that competes with that, we should have at least that level of
convenience.

EC signatures are short, and they can be shared by copy-paste, or added
to a bitcoin: URI. This is a features of my "Signed URIs" proposal, that
was lost in BIP70. Indeed, signed URIs were self-contained. A serialized
payment request can also be made very short, if it is signed by a EC
key, and if it does not include the chain of certificates. Such a
"lightweight request" can be base58-encoded, and easily shared by
copy-paste, or passed in a bitcoin: URI.

Size is another reason why I proposed to use DNSSEC in BIP70 (the first
reason is that the subdomain is signed by the domain, not by an external
CA). Indeed, DNSSEC provides a canonical way to download the chain of
signatures needed to verify a record. Thus, the chain of signatures does
not need to be included in the payment request; it can be downloaded and
archived by the verifier.

Now, I understand that SSL vertificates have distinct advantages over
DNSSEC; for example, CA-signed SSL certificates have a legal value,
which is important for dispute resolution.

Would it be possible to create the same kind of "lightweight payment
requests" using SSL certificates? Probably, if the final signing key is
a EC key, and if the payment request does not include the whole chain of
certificates. (However, that would require an additional infrastructure
to publish the chain of certificates, and I do not think that x509
certification path are unique, which makes things more complicated, but
not impossible).

Sorry if I did not answer point-by-point to your post. I felt that I
failed to explain one of the reasons why I want to use DNSSEC in the
validation of payment requests.

Thomas


Le 14/07/2015 13:45, Mike Hearn a =C3=A9crit :
> Hi Thomas,
>=20
> Re: NetKi, I think any proposal in this space has to be an open standar=
d,
> almost by the definition of what it is. At any rate, it may be worth
> talking to them. They have signed up to implement their system at least=
.
>=20
> I did understand that your proposal does not rely on email - for instan=
ce a
> web forum could issue username@reddit.com type aliases, even if those a=
re
> not also email accounts. I am just continuing the comparison against em=
ail
> address certs.
>=20
> It's also the case that a domain can use the DKIM setup without actuall=
y
> offering email accounts. They can just have a web form or API that trig=
gers
> sending of the signed email (or simply, providing the signed headers
> themselves). Thus the same system can be used transparently by both ema=
il
> providers and other sites that don't give their users email addresses, =
but
> would still like to use the same system.
>=20
> Hardly anyone uses email certificates today, so I don't think it would
>> affect a lot of users.
>=20
>=20
> No, but obviously we'd like to change that! The holdup is not the
> certificate side of things, really, but rather the lack of a
> store-and-forward network for signed payment requests. I keep asking
> someone to build one but I fear the problem is almost too simple ......
> everyone who looks at this decides to solve 12 other problems
> simultaneously, it gets complicated, then they never launch :(
>=20
> Once there's a simple and robust way to get PaymentRequest's from one e=
nd
> user to another, even when that first user is offline, then getting an
> email cert issued is no big deal.
>=20
> That does not look so... not until (1) BIP70 wallets integrate with
>> https://crt.sh, (2) you convince that service to index email certs (3)
>> you convince all CAs to report all email certs they issue to crt.sh.
>>
>=20
> Any solution that separates identity providers from certificate issuers
> would have these requirements, though. And as many identity providers t=
oday
> do not wish to become CAs too, it seems fundamental.
>=20
> I don't think it's such a problem, mind you. The crt.sh website is actu=
ally
> a frontend to the CT protocol, which is a somewhat blockchain like audi=
t
> log that's eventually intended to contain all issued certificates. Righ=
t
> now, of course, they focus on SSL certs because those are the most comm=
on
> and important. If other kinds of certs became more widely used, support=
 in
> the infrastructure would follow.
>=20
>=20
>=20
> Don't get me wrong - I would like to see a way for a domain to delegate
> BIP70 signing power to a third party. For instance, this would mean pay=
ment
> processors like BitPay could sign on the behalf of the merchant, and th=
e
> merchant identity would then show up in wallets. The "chain a cert off =
a
> domain cert" trick would be a good way to do that, though rather than
> hacking the X.509 stack to validate invalid stuff, at this point it may=
 as
> well be a custom (better) cert format. There's little reason to use X.5=
09
> beyond backwards compatibility.
>=20
> But the most popular identity providers today either don't care about
> Bitcoin at all, or worse, are developing competitors to it. So for real
> adoption to occur, we must have solutions that do not require identity
> provider cooperation. I realise this is a business reason rather than a
> technical reason, but it's a very strong one - so bootstrapping off
> existing infrastructure with a split CA/ID provider design still makes =
much
> more sense to me.
>=20