Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VP5S2-0001tA-D3 for bitcoin-development@lists.sourceforge.net; Thu, 26 Sep 2013 06:53:26 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of petertodd.org designates 62.13.148.93 as permitted sender) client-ip=62.13.148.93; envelope-from=pete@petertodd.org; helo=outmail148093.authsmtp.net; Received: from outmail148093.authsmtp.net ([62.13.148.93]) by sog-mx-4.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1VP5Rz-0008VM-B9 for bitcoin-development@lists.sourceforge.net; Thu, 26 Sep 2013 06:53:26 +0000 Received: from mail-c235.authsmtp.com (mail-c235.authsmtp.com [62.13.128.235]) by punt14.authsmtp.com (8.14.2/8.14.2) with ESMTP id r8Q6bWOJ071346; Thu, 26 Sep 2013 07:37:32 +0100 (BST) Received: from savin (76-10-178-109.dsl.teksavvy.com [76.10.178.109]) (authenticated bits=128) by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id r8Q6bKHb027635 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 26 Sep 2013 07:37:23 +0100 (BST) Date: Thu, 26 Sep 2013 02:37:19 -0400 From: Peter Todd To: Melvin Carvalho Message-ID: <20130926063719.GA13640@savin> References: <521298F0.20108@petersson.at> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="RnlQjJ0d97Da+TV1" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Server-Quench: 1a44548d-2676-11e3-b802-002590a15da7 X-AuthReport-Spam: If SPAM / abuse - report it at: http://www.authsmtp.com/abuse X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR bgdMdAQUC1AEAgsB AmUbW1NeU1p7W2A7 bAxPbAVDY01GQQRq WVdMSlVNFUsqCX0H VGVmABlwcANFfTBx Y09rXj5aDUB+cEJ1 FlNWE2oAeGZhPWMC AkhYdR5UcAFPdx8U a1UrBXRDAzANdhES HhM4ODE3eDlSNilR RRkIIFQOdA4zFy85 ShYeVQ01GlECTCI3 fVQMC2ZUQx5Vehpr dRN+AzoA X-Authentic-SMTP: 61633532353630.1023:706 X-AuthFastPath: 0 (Was 255) X-AuthSMTP-Origin: 76.10.178.109/587 X-AuthVirus-Status: No virus detected - but ensure you scan with your own anti-virus system. X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1VP5Rz-0008VM-B9 Cc: Bitcoin Dev , Andreas Schildbach Subject: Re: [Bitcoin-development] Payment Protocol: BIP 70, 71, 72 X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Sep 2013 06:53:26 -0000 --RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Sep 25, 2013 at 01:35:48PM +0200, Melvin Carvalho wrote: > On 25 September 2013 13:15, Mike Hearn wrote: >=20 > > It won't fit. But I don't see the logic. A URI contains instructions for > > making a payment. If that instruction is "pay to this address" or "down= load > > this file and do what you find there", it's no different unless there's > > potential for a MITM attack. If the request URL is HTTPS or a secured > > Bluetooth connection then there's no such possibility. > > >=20 > It depends on the attacker. I think a large entity such as a govt or big > to medium size corporation *may* be able to MITM https, of course the > incentive to do so is probably not there ... =2E..until the Bitcoin payment protocol showed up and let anyone with the ability to MITM https turn that ability into untraceable cash. I won't be at all surprised if one of the most valuable things to come out of the payment protocol using the SSL PKI infrastructure is to give us a good understanding of exactly how it's broken, and to give everyone involved good reasons to fix it. Even if the flaws of SSL PKI were exploited as a way to harm bitcoin by governments and other large players - and SSL PKI remained unfixed - I'd much rather have that solid evidence that it was broken than not. --=20 'peter'[:-1]@petertodd.org --RnlQjJ0d97Da+TV1 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJSQ9YfAAoJECSBQD2l8JH7VPsH/0eZf2UuCEPfwkFaLUGyIMba YHLfr/ToXHv2y1Q9BpXIPuKWWzmj9CpwB5gI1hpp5vOoRBjPggV07eHqe9w5d1Ut O7GOLxMP430LNYd57FlaOE1jaTs+dA/S3Wh6zv7+nq+4yZFQNagQE1Z+L+1UTMtc 0B3S90ueqn22K59QyYpTwzrMGHBibojVt87lWgYTrfJS3qU6d7s/cORM0yTnszdc EefL4xjvmqY+RziMCL0Ve0eL1qTwnpjoLf8iZWNjM8AFgWqtwt20/m+ghQSo4Myz OpiFmbaKFEqwWYnpR5G2hgQzIAdBGx4HL/2rYl4Wo9KuWJdtn8gh5OZl3QdbiiM= =2nYF -----END PGP SIGNATURE----- --RnlQjJ0d97Da+TV1--