From: Michael Gronager <gronager@ceptacle.com>
Date: Tue, 27 Nov 2012 13:39:30 +0100
To: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Payment Protocol Proposal:
	Invoices/Payments/Receipts

> No, the point of using X509 certs is to get a verified identity (a
> domain name) on the receipt, this is needed for multi-factor
> authentication. You can't do that without some kind of third party
> asserting to an identity.


Agree that you need a third party to verify identity. But the
verification policy of sites is the job for a payment provider not a
payment technology. So if you would like verification of the site you
could just sign the memo using standard S/MIME - why mix it with the
payment protocol?

Further, it is a controversial use of the host key to use it for digital
signing of documents, and not even within the policy of a host
certificate as far as I recall.

The problem you are trying to tackle is that we don't have an ID
solution on the internet today for this purpose. Certificates for
signing messages are distributed freely and insecurely only based on
temporarily having an email from within an organization, and the host
certificates are meant for SSL handshakes. Funnily, any CA can issue
digital certificates for email signing for any domain, even though they
don't own them, and without notifying the owner. DANE actually solves
this, but until then using the host certificates is unintended use, it
is cryptographically a nice solution, but legally and standard-wise a
hack.

/M
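
Added example, not part of the original message: the "policy of a host certificate" discussed above is expressed in X.509 through the extendedKeyUsage (EKU) extension, and a verifier can test it before accepting a signature. The sketch assumes the Python `cryptography` package and builds two constructed, self-signed sample certificates (`shop.example` names are made up); the assumption that the host certificate carries only `serverAuth` is the example's, not a statement about any particular CA.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID


def make_cert(common_name, ekus):
    """Constructed sample: throwaway self-signed certificate with the given EKUs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
        .sign(key, hashes.SHA256())
    )


def permits(cert, purpose):
    """True if the certificate's EKU extension allows `purpose`.

    RFC 5280: when EKU is present the certificate must only be used for the
    listed purposes (or anyExtendedKeyUsage); when absent, EKU imposes no limit.
    """
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True
    return purpose in eku or EKU.ANY_EXTENDED_KEY_USAGE in eku


def usage_report():
    """Check a host-style and an S/MIME-style sample cert against both purposes."""
    host = make_cert("shop.example", [EKU.SERVER_AUTH])
    mail = make_cert("billing@shop.example", [EKU.EMAIL_PROTECTION])
    purposes = {"serverAuth": EKU.SERVER_AUTH, "emailProtection": EKU.EMAIL_PROTECTION}
    certs = {"host": host, "smime": mail}
    return {(c, p): permits(cert, oid)
            for c, cert in certs.items() for p, oid in purposes.items()}


if __name__ == "__main__":
    for (cert_name, purpose), ok in usage_report().items():
        print(f"{cert_name:5s} {purpose:16s} {'allowed' if ok else 'outside EKU'}")
```

The signature math works with either key; the EKU check is what separates a certificate issued for TLS handshakes from one issued for message signing.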