1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
|
Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192]
helo=mx.sourceforge.net)
by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <kgreenek@gmail.com>) id 1WJqkA-0006GU-Bk
for bitcoin-development@lists.sourceforge.net;
Sat, 01 Mar 2014 20:42:46 +0000
Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.160.176 as permitted sender)
client-ip=209.85.160.176; envelope-from=kgreenek@gmail.com;
helo=mail-yk0-f176.google.com;
Received: from mail-yk0-f176.google.com ([209.85.160.176])
by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1WJqk8-0005rT-NA
for bitcoin-development@lists.sourceforge.net;
Sat, 01 Mar 2014 20:42:46 +0000
Received: by mail-yk0-f176.google.com with SMTP id 19so6179375ykq.7
for <bitcoin-development@lists.sourceforge.net>;
Sat, 01 Mar 2014 12:42:39 -0800 (PST)
X-Received: by 10.236.129.36 with SMTP id g24mr66185yhi.103.1393706559151;
Sat, 01 Mar 2014 12:42:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.170.99.66 with HTTP; Sat, 1 Mar 2014 12:42:18 -0800 (PST)
In-Reply-To: <1393704464.6290.118.camel@mimiz>
References: <CANEZrP1eABw_x8o-Z9ac23e-dVvUWfZJ-hKfAak=-NicPhUv9g@mail.gmail.com>
<1393704464.6290.118.camel@mimiz>
From: Kevin Greene <kgreenek@gmail.com>
Date: Sat, 1 Mar 2014 12:42:18 -0800
Message-ID: <CAEY8wq4KbfGteRf=UEwpxF7npa0=A3OReTdECxZE_02-8hjpAQ@mail.gmail.com>
To: Dev Random <c1.devrandom@niftybox.net>
Content-Type: multipart/alternative; boundary=20cf300e576161246704f3919843
X-Spam-Score: -0.6 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(kgreenek[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
1.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1WJqk8-0005rT-NA
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] BIP70 extension to allow for identity
delegation
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sat, 01 Mar 2014 20:42:46 -0000
--20cf300e576161246704f3919843
Content-Type: text/plain; charset=ISO-8859-1
Another example use-case to back up devrandom's point is using a twitter
handle as the "merchant name". In that example, a 3rd party service hosts
and signs the PaymentRequest, but when someone opens that PaymentRequest in
their wallet, they should know that they are paying the specified twitter
user.
On Sat, Mar 1, 2014 at 12:07 PM, Dev Random <c1.devrandom@niftybox.net>wrote:
> This looks like a good solution of the delegation use case for
> medium/large businesses.
>
> I'm wondering about the small business case. A small business or an
> individual might not have the technical expertise to perform the
> delegation signature. Normally the X509 keys are squirreled away on the
> merchant's web server and are not accessible through ordinary means.
> And actually, the merchant might not even have a standalone web
> presence.
>
> Do you think it makes sense to have another scheme where a merchant can
> be name spaced under the payment processor? This would require just one
> additional field - the merchant identifier. In effect, the PP would
> certify that "PP / merchant-id" generated this invoice directly on the
> PP system.
>
> On Fri, 2014-02-28 at 12:46 +0100, Mike Hearn wrote:
> > Now we're starting to see the first companies deploy BIP70, we're
> > encountering a need for identity delegation. This need was long
> > foreseen by the way: it's not in BIP70 because, well, we had to draw
> > the line for v1 somewhere, and this is an issue that mostly affects
> > payment processors. But I figured I'd start a thread anyway because
> > people keep asking me about it :)
> >
> >
> > Objective
> >
> >
> > Identity delegation means that a payment request can be signed by
> > someone who is not holding the certified private key. The most obvious
> > use case for this is payment processors like BitPay and Coinbase who
> > currently have to sign payment requests as themselves. Other use cases
> > might involve untrusted sales agents who want to be able to accept
> > payment as their employer, but cannot be trusted with a long-term
> > valuable secret, e.g. because they take their phone into areas with
> > high crime rates.
> >
> >
> > The lack of this is ok for v1 but not great, because:
> >
> >
> > 1) It requires the name of the *actual* recipient to be put in the
> > memo field, otherwise you don't have the nice receipt-like properties.
> > The memo field is just plain text though, it doesn't have any
> > exploitable structure.
> >
> >
> > 2) It gives a confusing UI, the user thinks they're paying e.g.
> > Overstock but their wallet UI tells them they're paying Coinbase
> >
> >
> > 3) Whilst these payment processors currently verify merchants so the
> > security risk is low, in future a lighter-weight model or competing
> > sites that allow open signups would give a weak security situation: a
> > hacker who compromised your computer could sign up for some popular
> > payment processor under a false identity (or no identity), and wait
> > until you use your hacked computer to make a payment to someone else
> > using the same payment processor. They could then do an identity swap
> > of the real payment request for one of their own, and your Trezor
> > would still look the same. Avoiding this is a major motivation for the
> > entire system!
> >
> >
> > Also it just looks more professional if the name you see in the wallet
> > UI is correct.
> >
> >
> > Proposed implementation
> >
> >
> > We can fix this with a simple extension:
> >
> >
> > enum KeyType {
> > SECP256K1 = 1
> > }
> >
> >
> > message ExtensionCert {
> > required bytes signature = 1;
> > required bytes public_key = 2;
> > required KeyType key_type = 3;
> > required uint32 expiry_time = 4;
> > optional string memo = 5;
> > }
> >
> >
> > // modification
> > message X509Certificates {
> > repeated bytes certificate = 1;
> > repeated ExtensionCert extended_certs = 2;
> > }
> >
> >
> > message PaymentRequest {
> > // new field
> > optional bytes extended_signature = 6;
> > }
> >
> >
> > This allow us to define a so-called extended certificate, which is
> > conceptually the same as an X.509 certificate except simpler and
> > Bitcoin specific. To create one, you just format a ExtensionCert
> > message with an ECDSA public key from the payment processor (PP), set
> > signature to an empty array and then sign it using your SSL private
> > key. Obviously the resulting (most likely RSA) signature then goes
> > into the signature field of the ExtensionCert. The memo field could
> > optionally indicate the purpose of this cert, like "Delegation to
> > BitPay" but I don't think it'd ever appear in the UI, rather, it
> > should be there for debugging purposes.
> >
> >
> > The new ExtensionCert can then be provided back to the PP who adds it
> > to the X509Certificates message. In the PaymentRequest, there are now
> > two signature fields (this is for backwards compatibility). Because of
> > how the mechanism is designed they should not interfere with each
> > other - old implementations that don't understand the new
> > extended_signature field will drop it during reserialization to set
> > signature to the empty array, and thus signature should not cover that
> > field. On the other hand, extended_signature would cover signature.
> > Thus, for full backwards compatibility, you would:
> >
> >
> > 1) Sign the payment request using the PP's SSL cert, i.e. sign as
> > coinbase.com
> >
> >
> > 2) Then sign again using the PP's delegated ECDSA key, i.e. sign as
> > the merchant
> >
> >
> > The finished protobuf would show up in old clients as signed by
> > coinbase.com and by new clients as signed by overstock.com even though
> > Overstock did not provide their SSL key to coinbase.
> >
> >
> > If you have only an ExtensionCert and not any X.509 cert of your own,
> > then you cannot of course make backwards compatible signatures in this
> > way, and in that case you would miss out the signature field and set
> > the pki_type to a new value: "x509+sha256+excert". Old wallets would
> > see that they don't understand this pki_type and treat the request as
> > unverified.
> >
> >
> > For maximum security the merchant may choose to set very short expiry
> > times (like, a day) and then have a cron job that uploads a new
> > ExtensionCert at the end of each expiry period. This means in the case
> > of PP compromise, the system reseals very fast.
> >
> >
> > Alternatives considered
> >
> >
> > We could always use a new pki_type and not bother with the two
> > signature fields. However, this means old wallets will show payment
> > requests as untrusted during the transition period. Some signing is
> > still better than none, security-wise.
> >
> >
> > We could attempt to fix the above by introducing a use of User-Agent
> > field to the case where a payment request is fetched via HTTP, so the
> > server can customise the PaymentRequest according to the capabilities
> > of the client. However, sometimes payment requests are not fetched via
> > HTTP, for example, they may be attached to an email, sent via an IM
> > network or sent over a Bluetooth socket. Nonetheless this may be a
> > useful thing to consider for future cases where the protocol may not
> > be extended in a backwards compatible manner.
> >
> >
> > We could create the extension cert as an X.509 cert, rather than a
> > custom type. However most CA's set path length constraints on their
> > intermediate certs that forbid this kind of extension (I forgot why,
> > possibly some kind of anti-DoS mitigation). Also re-using X.509 for
> > the extension cert would open up the risk of it being accepted by a
> > bogus SSL stack that didn't check the key usage constraints extension,
> > and that would allow for SSL delegation as well. It seems safer to
> > just use a different format that definitely won't be accepted.
> >
> >
> >
> >
> >
> >
> > Feedback welcome.
> >
> ------------------------------------------------------------------------------
> > Flow-based real-time traffic analytics software. Cisco certified tool.
> > Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
> > Customize your own dashboards, set traffic alerts and generate reports.
> > Network behavioral analysis & security monitoring. All-in-one tool.
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Bitcoin-development mailing list
> > Bitcoin-development@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
> --
> Miron
>
>
>
>
--20cf300e576161246704f3919843
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"color:rgb(51,102,102=
)">Another example use-case to back up devrandom's point is using a twi=
tter handle as the "merchant name". In that example, a 3rd party =
service hosts and signs the=A0PaymentRequest, but=A0when someone opens that=
PaymentRequest in their wallet, they should know that they are paying the =
specified twitter user.</div>
</div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Sat,=
Mar 1, 2014 at 12:07 PM, Dev Random <span dir=3D"ltr"><<a href=3D"mailt=
o:c1.devrandom@niftybox.net" target=3D"_blank">c1.devrandom@niftybox.net</a=
>></span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">This looks like a good solution of the deleg=
ation use case for<br>
medium/large businesses.<br>
<br>
I'm wondering about the small business case. =A0A small business or an<=
br>
individual might not have the technical expertise to perform the<br>
delegation signature. =A0Normally the X509 keys are squirreled away on the<=
br>
merchant's web server and are not accessible through ordinary means.<br=
>
And actually, the merchant might not even have a standalone web<br>
presence.<br>
<br>
Do you think it makes sense to have another scheme where a merchant can<br>
be name spaced under the payment processor? =A0This would require just one<=
br>
additional field - the merchant identifier. =A0In effect, the PP would<br>
certify that "PP / merchant-id" generated this invoice directly o=
n the<br>
PP system.<br>
<div><div class=3D"h5"><br>
On Fri, 2014-02-28 at 12:46 +0100, Mike Hearn wrote:<br>
> Now we're starting to see the first companies deploy BIP70, we'=
;re<br>
> encountering a need for identity delegation. This need was long<br>
> foreseen by the way: it's not in BIP70 because, well, we had to dr=
aw<br>
> the line for v1 somewhere, and this is an issue that mostly affects<br=
>
> payment processors. But I figured I'd start a thread anyway becaus=
e<br>
> people keep asking me about it :)<br>
><br>
><br>
> Objective<br>
><br>
><br>
> Identity delegation means that a payment request can be signed by<br>
> someone who is not holding the certified private key. The most obvious=
<br>
> use case for this is payment processors like BitPay and Coinbase who<b=
r>
> currently have to sign payment requests as themselves. Other use cases=
<br>
> might involve untrusted sales agents who want to be able to accept<br>
> payment as their employer, but cannot be trusted with a long-term<br>
> valuable secret, e.g. because they take their phone into areas with<br=
>
> high crime rates.<br>
><br>
><br>
> The lack of this is ok for v1 but not great, because:<br>
><br>
><br>
> 1) It requires the name of the *actual* recipient to be put in the<br>
> memo field, otherwise you don't have the nice receipt-like propert=
ies.<br>
> The memo field is just plain text though, it doesn't have any<br>
> exploitable structure.<br>
><br>
><br>
> 2) It gives a confusing UI, the user thinks they're paying e.g.<br=
>
> Overstock but their wallet UI tells them they're paying Coinbase<b=
r>
><br>
><br>
> 3) Whilst these payment processors currently verify merchants so the<b=
r>
> security risk is low, in future a lighter-weight model or competing<br=
>
> sites that allow open signups would give a weak security situation: =
=A0a<br>
> hacker who compromised your computer could sign up for some popular<br=
>
> payment processor under a false identity (or no identity), and wait<br=
>
> until you use your hacked computer to make a payment to someone else<b=
r>
> using the same payment processor. They could then do an identity swap<=
br>
> of the real payment request for one of their own, and your Trezor<br>
> would still look the same. Avoiding this is a major motivation for the=
<br>
> entire system!<br>
><br>
><br>
> Also it just looks more professional if the name you see in the wallet=
<br>
> UI is correct.<br>
><br>
><br>
> Proposed implementation<br>
><br>
><br>
> We can fix this with a simple extension:<br>
><br>
><br>
> enum KeyType {<br>
> =A0 SECP256K1 =3D 1<br>
> }<br>
><br>
><br>
> message ExtensionCert {<br>
> =A0 required bytes signature =3D 1;<br>
> =A0 required bytes public_key =3D 2;<br>
> =A0 required KeyType key_type =3D 3;<br>
> =A0 required uint32 expiry_time =3D 4;<br>
> =A0 optional string memo =3D 5;<br>
> }<br>
><br>
><br>
> // modification<br>
> message X509Certificates {<br>
> =A0 repeated bytes certificate =3D 1;<br>
> =A0 repeated ExtensionCert extended_certs =3D 2;<br>
> }<br>
><br>
><br>
> message PaymentRequest {<br>
> =A0 // new field<br>
> =A0 optional bytes extended_signature =3D 6;<br>
> }<br>
><br>
><br>
> This allow us to define a so-called extended certificate, which is<br>
> conceptually the same as an X.509 certificate except simpler and<br>
> Bitcoin specific. To create one, you just format a ExtensionCert<br>
> message with an ECDSA public key from the payment processor (PP), set<=
br>
> signature to an empty array and then sign it using your SSL private<br=
>
> key. Obviously the resulting (most likely RSA) signature then goes<br>
> into the signature field of the ExtensionCert. The memo field could<br=
>
> optionally indicate the purpose of this cert, like "Delegation to=
<br>
> BitPay" but I don't think it'd ever appear in the UI, rat=
her, it<br>
> should be there for debugging purposes.<br>
><br>
><br>
> The new ExtensionCert can then be provided back to the PP who adds it<=
br>
> to the X509Certificates message. In the PaymentRequest, there are now<=
br>
> two signature fields (this is for backwards compatibility). Because of=
<br>
> how the mechanism is designed they should not interfere with each<br>
> other - old implementations that don't understand the new<br>
> extended_signature field will drop it during reserialization to set<br=
>
> signature to the empty array, and thus signature should not cover that=
<br>
> field. On the other hand, extended_signature would cover signature.<br=
>
> Thus, for full backwards compatibility, you would:<br>
><br>
><br>
> 1) Sign the payment request using the PP's SSL cert, i.e. sign as<=
br>
> <a href=3D"http://coinbase.com" target=3D"_blank">coinbase.com</a><br>
><br>
><br>
> 2) Then sign again using the PP's delegated ECDSA key, i.e. sign a=
s<br>
> the merchant<br>
><br>
><br>
> The finished protobuf would show up in old clients as signed by<br>
> <a href=3D"http://coinbase.com" target=3D"_blank">coinbase.com</a> and=
by new clients as signed by <a href=3D"http://overstock.com" target=3D"_bl=
ank">overstock.com</a> even though<br>
> Overstock did not provide their SSL key to coinbase.<br>
><br>
><br>
> If you have only an ExtensionCert and not any X.509 cert of your own,<=
br>
> then you cannot of course make backwards compatible signatures in this=
<br>
> way, and in that case you would miss out the signature field and set<b=
r>
> the pki_type to a new value: =A0"x509+sha256+excert". Old wa=
llets would<br>
> see that they don't understand this pki_type and treat the request=
as<br>
> unverified.<br>
><br>
><br>
> For maximum security the merchant may choose to set very short expiry<=
br>
> times (like, a day) and then have a cron job that uploads a new<br>
> ExtensionCert at the end of each expiry period. This means in the case=
<br>
> of PP compromise, the system reseals very fast.<br>
><br>
><br>
> Alternatives considered<br>
><br>
><br>
> We could always use a new pki_type and not bother with the two<br>
> signature fields. However, this means old wallets will show payment<br=
>
> requests as untrusted during the transition period. Some signing is<br=
>
> still better than none, security-wise.<br>
><br>
><br>
> We could attempt to fix the above by introducing a use of User-Agent<b=
r>
> field to the case where a payment request is fetched via HTTP, so the<=
br>
> server can customise the PaymentRequest according to the capabilities<=
br>
> of the client. However, sometimes payment requests are not fetched via=
<br>
> HTTP, for example, they may be attached to an email, sent via an IM<br=
>
> network or sent over a Bluetooth socket. Nonetheless this may be a<br>
> useful thing to consider for future cases where the protocol may not<b=
r>
> be extended in a backwards compatible manner.<br>
><br>
><br>
> We could create the extension cert as an X.509 cert, rather than a<br>
> custom type. However most CA's set path length constraints on thei=
r<br>
> intermediate certs that forbid this kind of extension (I forgot why,<b=
r>
> possibly some kind of anti-DoS mitigation). Also re-using X.509 for<br=
>
> the extension cert would open up the risk of it being accepted by a<br=
>
> bogus SSL stack that didn't check the key usage constraints extens=
ion,<br>
> and that would allow for SSL delegation as well. It seems safer to<br>
> just use a different format that definitely won't be accepted.<br>
><br>
><br>
><br>
><br>
><br>
><br>
> Feedback welcome.<br>
</div></div>> ----------------------------------------------------------=
--------------------<br>
> Flow-based real-time traffic analytics software. Cisco certified tool.=
<br>
> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer<=
br>
> Customize your own dashboards, set traffic alerts and generate reports=
.<br>
> Network behavioral analysis & security monitoring. All-in-one tool=
.<br>
> <a href=3D"http://pubads.g.doubleclick.net/gampad/clk?id=3D126839071&a=
mp;iu=3D/4140/ostg.clktrk" target=3D"_blank">http://pubads.g.doubleclick.ne=
t/gampad/clk?id=3D126839071&iu=3D/4140/ostg.clktrk</a><br>
> _______________________________________________<br>
> Bitcoin-development mailing list<br>
> <a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-d=
evelopment@lists.sourceforge.net</a><br>
> <a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-develo=
pment" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitco=
in-development</a><br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
--<br>
Miron<br>
<br>
<br>
<br>
</font></span></blockquote></div><br></div>
--20cf300e576161246704f3919843--
|
