Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1YGW0V-0003A1-Tb for bitcoin-development@lists.sourceforge.net; Wed, 28 Jan 2015 17:02:23 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com designates 74.125.82.179 as permitted sender) client-ip=74.125.82.179; envelope-from=mh.in.england@gmail.com; helo=mail-we0-f179.google.com; Received: from mail-we0-f179.google.com ([74.125.82.179]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1YGW0T-0001RW-Di for bitcoin-development@lists.sourceforge.net; Wed, 28 Jan 2015 17:02:23 +0000 Received: by mail-we0-f179.google.com with SMTP id q59so22025566wes.10 for ; Wed, 28 Jan 2015 09:02:16 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.180.207.10 with SMTP id ls10mr9076018wic.7.1422464535340; Wed, 28 Jan 2015 09:02:15 -0800 (PST) Sender: mh.in.england@gmail.com Received: by 10.194.188.9 with HTTP; Wed, 28 Jan 2015 09:02:15 -0800 (PST) In-Reply-To: <2225268.rOb4P6uJX2@crushinator> References: <54C90C2B.3090708@bitonic.nl> <2225268.rOb4P6uJX2@crushinator> Date: Wed, 28 Jan 2015 18:02:15 +0100 X-Google-Sender-Auth: lUYirAznDtBClyAGyDPii_3L93Q Message-ID: From: Mike Hearn To: Matt Whitlock Content-Type: multipart/alternative; boundary=001a11c3f51a55ad44050db9554f X-Spam-Score: -0.5 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (mh.in.england[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1YGW0T-0001RW-Di Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] BIP70: why Google Protocol Buffers for encoding? X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Jan 2015 17:02:24 -0000 --001a11c3f51a55ad44050db9554f Content-Type: text/plain; charset=UTF-8 > > I'm frankly _horrified_ to learn that BitcoinJ ships its own root CA > certificates bundle. This means that, if a root CA gets breached and a > certificate gets revoked, all BitcoinJ-using software will be vulnerable > until BitcoinJ ships an update *and* the software in question pulls in the > new BitcoinJ update and releases its own update. That might never happen. If your wallet is unmaintained, you have other problems beyond (extremely rare) root CA revocations. As far as I know the only time a CA in wide usage has been revoked entirely is DigiNotar. One advantage of doing it this way is if, for example, a widely used piece of community infrastructure (e.g. bitcointalk, reddit, whatever) decides to become a CA, the Bitcoin community can decide to have different inclusion rules vs the OS/browser root CA programs. For example we'd probably relax the constraint to use an HSM and just ensure that the rendering of the asserted identity isn't confusible with other kinds of more strongly protected identities. For example no forum usernames like "foo.com" but rendering it in the UI as "Reddit forum user foo.com" would be OK. Also you don't get problems due to old operating systems not including new certs. Finally, Linux doesn't have any kind of standardised cert/keystore API. There are a few places where popular distros put certs but AFAIK they aren't standardised and there's no standard code to load them. So that's another reason why there's a built in store. But yes, this is a debatable topic on which reasonable people can disagree. The API makes it easy to use the platform OS store for wallet devs that want to do that, and I think using the platform store on Android is the default. It's only on the desktop where we fall back to a different store. --001a11c3f51a55ad44050db9554f Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
I'm frankly _horrified_ to learn that Bitcoi= nJ ships its own root CA certificates bundle. This means that, if a root CA= gets breached and a certificate gets revoked, all BitcoinJ-using software = will be vulnerable until BitcoinJ ships an update *and* the software in que= stion pulls in the new BitcoinJ update and releases its own update. That mi= ght never happen.

If your wallet is unmaint= ained, you have other problems beyond (extremely rare) root CA revocations.=

As far as I know the only time a CA in wide usage= has been revoked entirely is DigiNotar.

One advan= tage of doing it this way is if, for example, a widely used piece of commun= ity infrastructure (e.g. bitcointalk, reddit, whatever) decides to become a= CA, the Bitcoin community can decide to have different inclusion rules vs = the OS/browser root CA programs. For example we'd probably relax the co= nstraint to use an HSM and just ensure that the rendering of the asserted i= dentity isn't confusible with other kinds of more strongly protected id= entities. For example no forum usernames like "foo.com" but rendering it in the UI as "Reddit forum user= foo.com" would be OK.

Also you don't get problems due to old operating systems not i= ncluding new certs.

Finally, Linux doesn't hav= e any kind of standardised cert/keystore API. There are a few places where = popular distros put certs but AFAIK they aren't standardised and there&= #39;s no standard code to load them. So that's another reason why there= 's a built in store.

But yes, this is a debata= ble topic on which reasonable people can disagree. The API makes it easy to= use the platform OS store for wallet devs that want to do that, and I thin= k using the platform store on Android is the default. It's only on the = desktop where we fall back to a different store.
--001a11c3f51a55ad44050db9554f--