Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from <gronager@ceptacle.com>) id 1TdKRx-0006pP-UU for bitcoin-development@lists.sourceforge.net; Tue, 27 Nov 2012 12:39:42 +0000 X-ACL-Warn: Received: from 2508ds5-oebr.1.fullrate.dk ([90.184.5.129] helo=mail.ceptacle.com) by sog-mx-3.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1TdKRu-0000Oq-3R for bitcoin-development@lists.sourceforge.net; Tue, 27 Nov 2012 12:39:41 +0000 Received: from localhost (localhost [127.0.0.1]) by mail.ceptacle.com (Postfix) with ESMTP id 189CE26C6288 for <bitcoin-development@lists.sourceforge.net>; Tue, 27 Nov 2012 13:39:32 +0100 (CET) X-Virus-Scanned: amavisd-new at ceptacle.com Received: from mail.ceptacle.com ([127.0.0.1]) by localhost (server.ceptacle.private [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fQ95CKIef2w3 for <bitcoin-development@lists.sourceforge.net>; Tue, 27 Nov 2012 13:39:31 +0100 (CET) Received: from [109.105.106.200] (unknown [109.105.106.200]) by mail.ceptacle.com (Postfix) with ESMTPSA id DB47A26C627B for <bitcoin-development@lists.sourceforge.net>; Tue, 27 Nov 2012 13:39:31 +0100 (CET) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\)) From: Michael Gronager <gronager@ceptacle.com> In-Reply-To: <CANEZrP03kSG5BYMykkW+UJiy65qPOBC7RuvKg85eLEmE3tnukQ@mail.gmail.com> Date: Tue, 27 Nov 2012 13:39:30 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <98E8A2D6-56D1-4E28-BB63-71E13382B5B8@ceptacle.com> References: <CABsx9T0PsGLEAWRCjEDDFWQrb+DnJWQZ7mFLaZewAEX6vD1eHw@mail.gmail.com> <CACwuEiP7CGeZZGW=mXwrFAAqbbwbrPXTPb8vOEDuO9_96hqBGg@mail.gmail.com> <CAAS2fgSY8hHiCJYEDv=y48hYRJJtB-R5EBX8JLz6NivBm+Z9PQ@mail.gmail.com> <CACwuEiMjf8WYOpfmzHUHMa-sy2VsJHaUNj1cj722Y=P_sosbvw@mail.gmail.com> <CAJ1JLtuJ8HQri7++2bodc2ACRrE7Y48oy0HkPR8d400MooHaqA@mail.gmail.com> <CACwuEiMgcv09U2P9dD58x-oMXMSg==fPYo0yRLsqzyuax96Eqw@mail.gmail.com> <CAJ1JLttTPi9XNwCGyvbvx8TXqbLyk0KxFRHxv_8UB+tEQrKvvA@mail.gmail.com> <CACwuEiNZobcpR4g=1AH=JReZFzHmH=6exNGTaPBBjm+q5eR9vg@mail.gmail.com> <895A1D97-68B4-4A2F-B4A1-34814B9BA8AC@ceptacle.com> <CANEZrP1u0-JNf1nd4NsZhrqC=M0Yx3J6cTYA=bzKm8CTucd85w@mail.gmail.com> <626D0E73-1111-4380-AABE-6C8C65F2FFCC@ceptacle.com> <CANEZrP03kSG5BYMykkW+UJiy65qPOBC7RuvKg85eLEmE3tnukQ@mail.gmail.com> To: Bitcoin Dev <bitcoin-development@lists.sourceforge.net> X-Mailer: Apple Mail (2.1499) X-Spam-Score: 0.0 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. X-Headers-End: 1TdKRu-0000Oq-3R Subject: Re: [Bitcoin-development] Payment Protocol Proposal: Invoices/Payments/Receipts X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: <bitcoin-development.lists.sourceforge.net> List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, <mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe> List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development> List-Post: <mailto:bitcoin-development@lists.sourceforge.net> List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help> List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, <mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe> X-List-Received-Date: Tue, 27 Nov 2012 12:39:42 -0000 > No, the point of using X509 certs is to get a verified identity (a > domain name) on the receipt, this is needed for multi-factor > authentication. You can't do that without some kind of third party > asserting to an identity. Agree that you need a third party to verify identity. But the = verification policy of sites is the job for a payment provider not a = payment technology. So if you would like verification of the site you = could just sign the memo using standard S/MIME - why mix it with the = payment protocol? Further, it is controversial use of the host key to use it for digital = signing of documents, and not even within the policy of a host = certificate as far as I recall. The problem you are trying to tackle is that we don't have an ID = solution on the internet today for this purpose. Certificates for = signing messages are distributed freely and insecurely only based on = temporarily having an email from within an organization, and the host = certificates are meant for SSL handshakes. Funnily, any CA can issue = digital certificates for email signing for any domain, even though they = don't own them, and without notifying the owner. DANE actually solves = this, but until then using the host certificates is unintended use, it = is cryptographically a nice solution, but legally and standard-wise a = hack. /M=