From: Eric Larchevêque <elarch@gmail.com>
Date: Fri, 4 Apr 2014 17:09:08 +0200
To: slush <slush@centrum.cz>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Draft BIP for seamless website
authentication using Bitcoin address
On Fri, Apr 4, 2014 at 4:56 PM, slush <slush@centrum.cz> wrote:
> I'm cracking my head for many months with the idea of using TREZOR for web
> auth purposes. Unfortunately I'm far from any usable solution yet.
>
> My main comments to your BIP: Don't use bitcoin addresses directly and
> don't encourage services to use this "login" for financial purposes. Mike
> is right, mixing authentication and financial services is wrong. Use some
> function to generate other private/public key from bitcoin's seed/private
> key to not leak bitcoin-related data to website.
>
>
I'm probably very naive, but the fact that the authentication key is your
Bitcoin address was for me a great feature :)
What are the risks associated with identifying yourself with a Bitcoin address you
plan to use on the website for transactions?
I mean, what is the difference between doing that, and identifying with a login/pass
and adding your Bitcoin address in a settings field? (knowing you could
always find a mechanism to transfer the account to another Bitcoin address
if needed)
Eric