To: bitcoin-development@lists.sourceforge.net
From: Andreas Schildbach
Date: Wed, 25 Sep 2013 13:33:09 +0200
References: <521298F0.20108@petersson.at>
Subject: Re: [Bitcoin-development] Payment Protocol: BIP 70, 71, 72

On 09/25/2013 01:15 PM, Mike Hearn wrote:

> It won't fit.

Why do you think that? Of course, I would skip the certificate, as it's
unnecessary if you see your partner in person.

> But I don't see the logic. A URI contains instructions for
> making a payment. If that instruction is "pay to this address" or
> "download this file and do what you find there", it's no different
> unless there's potential for a MITM attack. If the request URL is HTTPS
> or a secured Bluetooth connection then there's no such possibility.

HTTPS trust is utterly broken unless you fix it by adding the
certificate or a fingerprint to the QR code. Bluetooth is not present in
every case, e.g. QR codes scanned from the web. (Also, we currently
don't have a concept of allowing both. The receiver forces you to either
use BT or HTTP.)

So yes, MITM is what I'm worrying about. When I'm scanning a QR code
from a phone, you don't have that problem (unless sophisticated optical
attacks emerge).

Also, the HTTP request can fail and/or be slow, making the whole payment
process more difficult than necessary.

> On Wed, Sep 25, 2013 at 12:28 PM, Andreas Schildbach wrote:
>
> > While it's good to save space, I'm at the moment not convinced that
> > taking a de-route via a URL is a good idea to begin with.
> >
> > The main problem is trust. If you scan a QR code from a foreign phone,
> > you trust that that phone is owned by the one you want to send money to.
> > By adding the HTTP request that trust is voided.
> >
> > As soon as there is a BIP70 implementation, I will begin playing with
> > putting the payment request directly into the QR code.
> >
> > On 09/25/2013 11:27 AM, Mike Hearn wrote:
> > > We could also say that if protocol part (https://) is missing, it's
> > > implied automatically. So just:
> > >
> > > bitcoin:1abc........?r=bob.com/r/aZgR
> > >
> > > I think that's about as small as possible without re-using the
> > > pubkey as a token in the url.
> > >
> > > On Wed, Sep 25, 2013 at 1:35 AM, Gavin Andresen wrote:
> > >
> > > > On Tue, Sep 24, 2013 at 11:52 PM, Mike Hearn wrote:
> > > >
> > > > > BTW, on the "make qrcodes more scannable" front -- is it too
> > > > > late to change BIP 72 so the new param is just "r" instead of
> > > > > "request"? Every byte helps when it comes to qrcodes ...
> > > >
> > > > Not too late, assuming there are no objections. Smaller QR codes is
> > > > a very good reason to change it.
> > > >
> > > > --
> > > > Gavin Andresen
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
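
Added example (not part of the thread and not any wallet's code): one way to apply the fix Andreas describes, carrying a certificate fingerprint in the QR code and checking the server's certificate against it, combined with the implied-https rule Mike proposes. The `fp` parameter name and the sample certificate bytes are assumptions made for this sketch; the thread itself only discusses the `r` parameter.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed stand-ins for DER certificates (not real certificates).
SAMPLE_CERT = b"constructed DER bytes for the merchant certificate"
OTHER_CERT = b"constructed DER bytes for a certificate presented by a MITM"

def parse_payment_uri(uri):
    """Split a bitcoin: URI into (address, request URL, pinned digest)."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() != "bitcoin":
        raise ValueError("not a bitcoin: URI")
    address, _, query = rest.partition("?")
    params = parse_qs(query, strict_parsing=bool(query))
    for key, values in params.items():
        if len(values) != 1:            # two r= values could confuse parsers
            raise ValueError("duplicate parameter: " + key)
    url = params.get("r", [None])[0]
    if url is not None:
        if "://" not in url:
            url = "https://" + url      # scheme omitted: https is implied
        if not url.lower().startswith("https://"):
            raise ValueError("request URL must use https")
    pin = params.get("fp", [None])[0]   # hypothetical parameter name
    if pin is not None:
        pin = bytes.fromhex(pin)
        if len(pin) != 32:
            raise ValueError("pin must be a SHA-256 digest")
    return address, url, pin

def cert_matches_pin(cert_der, pin):
    """Constant-time comparison of SHA-256(cert) with the pin from the QR code.

    In a real client cert_der would come from the TLS session, e.g.
    ssl.SSLSocket.getpeercert(binary_form=True), before any request is sent.
    """
    return hmac.compare_digest(hashlib.sha256(cert_der).digest(), pin)

def demo():
    # Address and request path are the placeholders used in the thread.
    uri = ("bitcoin:1abc........?r=bob.com/r/aZgR&fp="
           + hashlib.sha256(SAMPLE_CERT).hexdigest())
    address, url, pin = parse_payment_uri(uri)
    return url, cert_matches_pin(SAMPLE_CERT, pin), cert_matches_pin(OTHER_CERT, pin)

if __name__ == "__main__":
    print(demo())
```

The 64 hex characters of the pin add to the QR payload, which is the size cost the thread is weighing against the MITM risk.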