Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com
	designates 209.85.214.54 as permitted sender)
	client-ip=209.85.214.54; envelope-from=mh.in.england@gmail.com;
	helo=mail-bk0-f54.google.com; 
MIME-Version: 1.0
Sender: mh.in.england@gmail.com
In-Reply-To: <CAJHLa0NbEjnQ2V8HPjVfC_mZ33ojMBMQP2i90KvmEsZik7h3kA@mail.gmail.com>
References: <CABsx9T0Ly67ZNJhoRQk0L9Q0-ucq3e=24b5Tg6GRKspRKKtP-g@mail.gmail.com>
	<521298F0.20108@petersson.at>
	<CABsx9T3b--tfUmaxJxsXyM2f3Cw4M1oX1nX8o9WkW_haBmLctA@mail.gmail.com>
	<CANEZrP2BOWk4FOUx4eVHvXmdSgx3zo_o18J8YBi2Uc_WkBAXKA@mail.gmail.com>
	<CANEZrP0H9TVfQ3AGv6aBmS1DUa6MTWhSFAN1Jo4eimBEBQhPZw@mail.gmail.com>
	<CABsx9T0TQ6Gg=muNP-rCZxan8_nAqeJt6ErYVOfnLJKrsLs81w@mail.gmail.com>
	<CANEZrP2V72+-m-FOCsW3C2GBO7+=-0casKadeHncmNTYjyqJRA@mail.gmail.com>
	<l1udst$uos$1@ger.gmane.org>
	<CANEZrP03KsGHvGqcNT1Qs6qkJ4i050CPjwvGqTRRhbdkgMf_dA@mail.gmail.com>
	<l1uhld$d68$1@ger.gmane.org>
	<CANEZrP2ZbSUvNk+0bHCWw40r00D8ja-crrZPjvN0mgG+NaD52w@mail.gmail.com>
	<l1uj7g$vds$1@ger.gmane.org>
	<CAJHLa0NbEjnQ2V8HPjVfC_mZ33ojMBMQP2i90KvmEsZik7h3kA@mail.gmail.com>
Date: Wed, 25 Sep 2013 16:38:58 +0200
Message-ID: <CANEZrP3KJL1+4ks7VNMDSzNtWGP-5B7fJemD3m-TPQVBAwc_jw@mail.gmail.com>
From: Mike Hearn <mike@plan99.net>
To: Jeff Garzik <jgarzik@bitpay.com>
Content-Type: multipart/alternative; boundary=bcaec52c5efbaa41bf04e7363680
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>,
	Andreas Schildbach <andreas@schildbach.de>
Subject: Re: [Bitcoin-development] Payment Protocol: BIP 70, 71, 72
Precedence: list

--bcaec52c5efbaa41bf04e7363680
Content-Type: text/plain; charset=UTF-8

Low light shouldn't be an issue for QRcodes generated by phones. They have
backlit screens that should always be bright enough. I can see how it might
be an issue for printed codes.

If your phone has no Bitcoin app installed then being redirected to an
invoice page is pretty useless, you still won't be able to pay the bill no
matter what (where do you get the money from?). If they are just raw HTTP
URLs then it means the effect of scanning a QRcode with a standalone
scanner app is different to scanning it inside the wallet, which is unlike
all other uses of QRcodes I know of. So I'm not really convinced by that UX
yet. Perhaps we can thrash it out in Amsterdam. Right now I'm thinking
QRcodes should always contain bitcoin URIs.


On Wed, Sep 25, 2013 at 4:31 PM, Jeff Garzik <jgarzik@bitpay.com> wrote:

> BitPay experimented with QR codes in low light, restaurant and other
> conditions.  QR codes become difficult to use even at 100 chars.
>
> On the merchant side, we prefer a short URL that speaks payment
> protocol if visited via bitcoin client, but will gracefully work if
> scanned by a phone with zero bitcoin support -- you will simply be
> redirected to a BitPay invoice page for a normal browser.
>
>
>
> On Wed, Sep 25, 2013 at 7:59 AM, Andreas Schildbach
> <andreas@schildbach.de> wrote:
> > On 09/25/2013 01:45 PM, Mike Hearn wrote:
> >
> >> OK, it might fit if you don't use any of the features the protocol
> >> provides :)
> >
> > Now you're dver-dramaticing (-:
> >
> > I'm just skipping one feature which I think is useless for QR codes
> > scanned in person.
> >
> >> You can try it here:
> >
> > Thanks. A typical request would be around 60 bytes, which should produce
> > an URL with around 100 chars. That should be fine for scanning, but I
> > will experiment.
> >
> >> If you're thinking about governments and so on subverting CA's, then
> >> there is a plan for handling that (outside the Bitcoin world) called
> >> certificate transparency which is being implemented now.
> >
> > Good to hear. Let's see if it gets momentum.
> >
> >> Now when you are getting a QR code from the web, it's already being
> >> served over HTTPS. So if you're up against an attacker who can break a
> >> CA in order to steal your money, then you already lose, the QRcode
> >> itself as MITMd.
> >
> > Sure. I was talking about QR codes scanned in person.
> >
> >> In the Bluetooth case we might have to keep the address around and use
> >> it to do ECDHE or something like that.
> >
> > Yeah, will look at that as soon as we're implementing the payment
> > protocol fully.
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > October Webinars: Code for Performance
> > Free Intel webinars can help you accelerate application performance.
> > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> > the latest Intel processors and coprocessors. See abstracts and register
> >
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Bitcoin-development mailing list
> > Bitcoin-development@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>
>
> --
> Jeff Garzik
> Senior Software Engineer and open source evangelist
> BitPay, Inc.      https://bitpay.com/
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>

--bcaec52c5efbaa41bf04e7363680
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Low light shouldn&#39;t be an issue for QRcodes generated =
by phones. They have backlit screens that should always be bright enough. I=
 can see how it might be an issue for printed codes.<div><br></div><div>If =
your phone has no Bitcoin app installed then being redirected to an invoice=
 page is pretty useless, you still won&#39;t be able to pay the bill no mat=
ter what (where do you get the money from?). If they are just raw HTTP URLs=
 then it means the effect of scanning a QRcode with a standalone scanner ap=
p is different to scanning it inside the wallet, which is unlike all other =
uses of QRcodes I know of. So I&#39;m not really convinced by that UX yet. =
Perhaps we can thrash it out in Amsterdam. Right now I&#39;m thinking QRcod=
es should always contain bitcoin URIs.</div>
</div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Wed,=
 Sep 25, 2013 at 4:31 PM, Jeff Garzik <span dir=3D"ltr">&lt;<a href=3D"mail=
to:jgarzik@bitpay.com" target=3D"_blank">jgarzik@bitpay.com</a>&gt;</span> =
wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">BitPay experimented with QR codes in low lig=
ht, restaurant and other<br>
conditions. =C2=A0QR codes become difficult to use even at 100 chars.<br>
<br>
On the merchant side, we prefer a short URL that speaks payment<br>
protocol if visited via bitcoin client, but will gracefully work if<br>
scanned by a phone with zero bitcoin support -- you will simply be<br>
redirected to a BitPay invoice page for a normal browser.<br>
<div class=3D"HOEnZb"><div class=3D"h5"><br>
<br>
<br>
On Wed, Sep 25, 2013 at 7:59 AM, Andreas Schildbach<br>
&lt;<a href=3D"mailto:andreas@schildbach.de">andreas@schildbach.de</a>&gt; =
wrote:<br>
&gt; On 09/25/2013 01:45 PM, Mike Hearn wrote:<br>
&gt;<br>
&gt;&gt; OK, it might fit if you don&#39;t use any of the features the prot=
ocol<br>
&gt;&gt; provides :)<br>
&gt;<br>
&gt; Now you&#39;re dver-dramaticing (-:<br>
&gt;<br>
&gt; I&#39;m just skipping one feature which I think is useless for QR code=
s<br>
&gt; scanned in person.<br>
&gt;<br>
&gt;&gt; You can try it here:<br>
&gt;<br>
&gt; Thanks. A typical request would be around 60 bytes, which should produ=
ce<br>
&gt; an URL with around 100 chars. That should be fine for scanning, but I<=
br>
&gt; will experiment.<br>
&gt;<br>
&gt;&gt; If you&#39;re thinking about governments and so on subverting CA&#=
39;s, then<br>
&gt;&gt; there is a plan for handling that (outside the Bitcoin world) call=
ed<br>
&gt;&gt; certificate transparency which is being implemented now.<br>
&gt;<br>
&gt; Good to hear. Let&#39;s see if it gets momentum.<br>
&gt;<br>
&gt;&gt; Now when you are getting a QR code from the web, it&#39;s already =
being<br>
&gt;&gt; served over HTTPS. So if you&#39;re up against an attacker who can=
 break a<br>
&gt;&gt; CA in order to steal your money, then you already lose, the QRcode=
<br>
&gt;&gt; itself as MITMd.<br>
&gt;<br>
&gt; Sure. I was talking about QR codes scanned in person.<br>
&gt;<br>
&gt;&gt; In the Bluetooth case we might have to keep the address around and=
 use<br>
&gt;&gt; it to do ECDHE or something like that.<br>
&gt;<br>
&gt; Yeah, will look at that as soon as we&#39;re implementing the payment<=
br>
&gt; protocol fully.<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; ----------------------------------------------------------------------=
--------<br>
&gt; October Webinars: Code for Performance<br>
&gt; Free Intel webinars can help you accelerate application performance.<b=
r>
&gt; Explore tips for MPI, OpenMP, advanced profiling, and more. Get the mo=
st from<br>
&gt; the latest Intel processors and coprocessors. See abstracts and regist=
er &gt;<br>
&gt; <a href=3D"http://pubads.g.doubleclick.net/gampad/clk?id=3D60133471&am=
p;iu=3D/4140/ostg.clktrk" target=3D"_blank">http://pubads.g.doubleclick.net=
/gampad/clk?id=3D60133471&amp;iu=3D/4140/ostg.clktrk</a><br>
&gt; _______________________________________________<br>
&gt; Bitcoin-development mailing list<br>
&gt; <a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-d=
evelopment@lists.sourceforge.net</a><br>
&gt; <a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-develo=
pment" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitco=
in-development</a><br>
<br>
<br>
<br>
</div></div><div class=3D"im HOEnZb">--<br>
Jeff Garzik<br>
Senior Software Engineer and open source evangelist<br>
BitPay, Inc. =C2=A0 =C2=A0 =C2=A0<a href=3D"https://bitpay.com/" target=3D"=
_blank">https://bitpay.com/</a><br>
<br>
</div><div class=3D"HOEnZb"><div class=3D"h5">-----------------------------=
-------------------------------------------------<br>
October Webinars: Code for Performance<br>
Free Intel webinars can help you accelerate application performance.<br>
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most fr=
om<br>
the latest Intel processors and coprocessors. See abstracts and register &g=
t;<br>
<a href=3D"http://pubads.g.doubleclick.net/gampad/clk?id=3D60133471&amp;iu=
=3D/4140/ostg.clktrk" target=3D"_blank">http://pubads.g.doubleclick.net/gam=
pad/clk?id=3D60133471&amp;iu=3D/4140/ostg.clktrk</a><br>
_______________________________________________<br>
Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
</div></div></blockquote></div><br></div>

--bcaec52c5efbaa41bf04e7363680--