Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1RaQlQ-0008W7-W2 for bitcoin-development@lists.sourceforge.net; Tue, 13 Dec 2011 11:43:16 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com designates 74.125.82.53 as permitted sender) client-ip=74.125.82.53; envelope-from=decker.christian@gmail.com; helo=mail-ww0-f53.google.com; Received: from mail-ww0-f53.google.com ([74.125.82.53]) by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-MD5:128) (Exim 4.76) id 1RaQlM-0007V9-OT for bitcoin-development@lists.sourceforge.net; Tue, 13 Dec 2011 11:43:16 +0000 Received: by wgbds1 with SMTP id ds1so12536269wgb.10 for ; Tue, 13 Dec 2011 03:43:06 -0800 (PST) Received: by 10.216.49.1 with SMTP id w1mr72322web.29.1323776586555; Tue, 13 Dec 2011 03:43:06 -0800 (PST) MIME-Version: 1.0 Received: by 10.227.152.10 with HTTP; Tue, 13 Dec 2011 03:42:17 -0800 (PST) In-Reply-To: References: <1323731781.42953.YahooMailClassic@web120920.mail.ne1.yahoo.com> <201112121841.39864.luke@dashjr.org> <1323736946.58149.YahooMailNeo@web121001.mail.ne1.yahoo.com> From: Christian Decker Date: Tue, 13 Dec 2011 12:42:17 +0100 Message-ID: To: Mike Hearn Content-Type: multipart/alternative; boundary=001485f27b943422b804b3f7c18a X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (decker.christian[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1RaQlM-0007V9-OT Cc: "bitcoin-development@lists.sourceforge.net" Subject: Re: [Bitcoin-development] Fwd: [BIP 15] Aliases X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Dec 2011 11:43:17 -0000 --001485f27b943422b804b3f7c18a Content-Type: text/plain; charset=ISO-8859-1 I think the scope of this BIP is not so well defined right now. We need a way for merchants to translate a human readable, and more importantly human-writeable, address into a bitcoin address. I agree with Mike that a fixed address is not the way to go, because addresses should be used once for a single transaction to be able to track payments. While firstbits sounds attractive at first, I think we can all agree that it just isn't feasible and would not allow per-transaction addresses. DNS sounds interesting for fixed addresses, but caching and propagation make it difficult to use for per-transaction addresses that are to be generated ad-hoc. HTTP(S) is the best option I think, merchants are probably using HTTP anyway for their shops. So something like http://merchant.com/btc/transaction/1234 sounds reasonable. But I think it should not be over-engineered, it should be a simple HTTP(S) request to a merchant specified URL that returns an ASCII document containing either a bitcoin: URI or simply the bitcoin address or even a 301 redirect. It's no use to start defining URL schemes, it should be left to the merchants to define how to structure them. This would allow a merchant to decide if he prefers per-transaction addresses, per-user transactions, fixed addresses or any combination. Regards, cdecker On Tue, Dec 13, 2011 at 11:55 AM, Mike Hearn wrote: > I was in brmlab and wanted to pay 1 BTC for a Club Mate. They had on the >> wall a picture of their QR code and a bitcoin address. I don't own a mobile >> phone so the QR code is >> useless. > > > Fixed addresses like that are a temporary thing during Bitcoins maturation > period. They lead to merchants exposing data they probably don't realize > they're exposing, like their income, which is basically unacceptable for > any payment system. > > There's no point trying to optimize a case where: > > 1) You are in the minority (no phone?) > 2) The "perfect experience" leaks private data in such a way that would be > deemed a gross security breach by any serious payment processor. > > OK, some thoughts on the general proposal, from the POV of what it'd take > for a large deployment, like for every Gmail or every Facebook user. In > terms of ease of implementation it is ordered HTTPS/HTTP then DNS trailing > by a large margin. Big sites, even small sites, typically have high-speed > load balancing and demuxing already implemented for HTTP[S] and it's > usually easy to add new endpoints. The same is *not* true of DNS, and > whilst coding up a custom DNS server is possible it's definitely a worse > fit. > > FirstBits seems out of the question for the same privacy reasons as given > above. No banking system worth its salt would let everyone look up other > peoples income. > > The simplest approach would be to request a full public key with an HTTPS > request like > > foo@domain -> > https://domain/_bitcoin/getnewkey?user=foo&label=Payment%20from%20Bob > > If you then want to turn the resulting public key into an address before > creating a transaction you can obviously do that. > > BTW the BIP is pretty hard to read. Your spec for the HTTPS proposal is a > big pile of source code. I think it's the same as above, but it's hard to > tell without more effort. > > > ------------------------------------------------------------------------------ > Systems Optimization Self Assessment > Improve efficiency and utilization of IT resources. Drive out cost and > improve service delivery. Take 5 minutes to use this Systems Optimization > Self Assessment. http://www.accelacomm.com/jaw/sdnl/114/51450054/ > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > > --001485f27b943422b804b3f7c18a Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable I think the scope of this BIP is not so well defined right now. We need a w= ay for merchants to translate a human readable, and more importantly human-= writeable, address into a bitcoin address. I agree with Mike that a fixed a= ddress is not the way to go, because addresses should be used once for a si= ngle transaction to be able to track payments.

While firstbits sounds attractive at first, I think we can all agree th= at it just isn't feasible and would not allow per-transaction addresses= . DNS sounds interesting for fixed addresses, but caching and propagation m= ake it difficult to use for per-transaction addresses that are to be genera= ted ad-hoc.

HTTP(S) is the best option I think, merchants are probably using HTTP a= nyway for their shops. So something like http://merchant.com/btc/transaction/1234 sounds reas= onable. But I think it should not be over-engineered, it should be a simple= HTTP(S) request to a merchant specified URL that returns an ASCII document= containing either a bitcoin: URI or simply the bitcoin address or even a 3= 01 redirect. It's no use to start defining URL schemes, it should be le= ft to the merchants to define how to structure them.

This would allow a merchant to decide if he prefers per-transaction add= resses, per-user transactions, fixed addresses or any combination.

R= egards,
cdecker


On Tue, Dec 13, 20= 11 at 11:55 AM, Mike Hearn <mike@plan99.net> wrote:
I was in brmlab and wanted to pay 1 BTC for a Club Mate. They had on the wa= ll a picture of their QR code and a bitcoin address. I don't own a mobi= le phone so the QR code is
useless.

Fixed addresses like that ar= e a temporary thing during Bitcoins maturation period. They lead to merchan= ts exposing data they probably don't realize they're exposing, like= their income, which is basically unacceptable for any payment system.

There's no point trying to optimize a case where:

1) You are in the minority (no phone?)
2)= The "perfect experience" leaks private data in such a way that w= ould be deemed a gross security breach by any serious payment processor.

OK, some thoughts on the general proposal, from the POV= of what it'd take for a large deployment, like for every Gmail or ever= y Facebook user. In terms of ease of implementation it is ordered HTTPS/HTT= P then DNS trailing by a large margin. Big sites, even small sites, typical= ly have high-speed load balancing and demuxing already implemented for HTTP= [S] and it's usually easy to add new endpoints. The same is not = true of DNS, and whilst coding up a custom DNS server is possible it's = definitely a worse fit.

FirstBits seems out of the question for the same privac= y reasons as given above. No banking system worth its salt would let everyo= ne look up other peoples income.

The simplest appr= oach would be to request a full public key with an HTTPS request like


If you then want to turn the resulting public key into an address befo= re creating a transaction you can obviously do that.

BTW the BIP is pretty hard to read. Your spec for the HTTPS proposal is = a big pile of source code. I think it's the same as above, but it's= hard to tell without more effort.

-----------------------------------------------------------------------= -------
Systems Optimization Self Assessment
Improve efficiency and utilization of IT resources. Drive out cost and
improve service delivery. Take 5 minutes to use this Systems Optimization Self Assessment. http://www.accelacomm.com/jaw/sdnl/114/51450054/_______________________________________________
Bitcoin-development mailing list
Bitcoin-develo= pment@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment


--001485f27b943422b804b3f7c18a--