path: root/bc/043ff2a978009e0a87de0ce10fe2b6fcb6f362

Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
	helo=mx.sourceforge.net)
	by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <melvincarvalho@gmail.com>) id 1V7lKP-0007jT-AG
	for bitcoin-development@lists.sourceforge.net;
	Fri, 09 Aug 2013 11:57:57 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com
	designates 209.85.219.44 as permitted sender)
	client-ip=209.85.219.44; envelope-from=melvincarvalho@gmail.com;
	helo=mail-oa0-f44.google.com; 
Received: from mail-oa0-f44.google.com ([209.85.219.44])
	by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1V7lKN-0000JJ-AR
	for bitcoin-development@lists.sourceforge.net;
	Fri, 09 Aug 2013 11:57:57 +0000
Received: by mail-oa0-f44.google.com with SMTP id l20so6779884oag.31
	for <bitcoin-development@lists.sourceforge.net>;
	Fri, 09 Aug 2013 04:57:50 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.182.66.115 with SMTP id e19mr25430obt.96.1376049469880; Fri,
	09 Aug 2013 04:57:49 -0700 (PDT)
Received: by 10.76.23.9 with HTTP; Fri, 9 Aug 2013 04:57:49 -0700 (PDT)
In-Reply-To: <CANEZrP3w+pGVJijxLr1N6wQiqg4U=RUP3Mrph2=fwF+Ga_U9sQ@mail.gmail.com>
References: <CANEZrP3w+pGVJijxLr1N6wQiqg4U=RUP3Mrph2=fwF+Ga_U9sQ@mail.gmail.com>
Date: Fri, 9 Aug 2013 13:57:49 +0200
Message-ID: <CAKaEYhLftC67Lrinc2yF0coqhJi_DpM4XvoXfBwJBGv=hFi3yQ@mail.gmail.com>
From: Melvin Carvalho <melvincarvalho@gmail.com>
To: Mike Hearn <mike@plan99.net>
Content-Type: multipart/alternative; boundary=e89a8fb1fdeed87f4a04e3827b7b
X-Spam-Score: -0.6 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	(melvincarvalho[at]gmail.com)
	-0.0 SPF_PASS               SPF: sender matches SPF record
	1.0 HTML_MESSAGE           BODY: HTML included in message
	-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	author's domain
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1V7lKN-0000JJ-AR
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Idea for new payment protocol PKI
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Fri, 09 Aug 2013 11:57:57 -0000

--e89a8fb1fdeed87f4a04e3827b7b
Content-Type: text/plain; charset=ISO-8859-1

On 9 August 2013 13:43, Mike Hearn <mike@plan99.net> wrote:

> This is just me making notes for myself, I'm not seriously suggesting this
> be implemented any time soon.
>
> Mozilla Persona is an infrastructure for web based single sign on. It
> works by having email providers sign temporary certificates for their
> users, whose browsers then sign server-provided challenges to prove their
> email address.
>
> Because an SSO system is a classic chicken/egg setup, they run various
> fallback services that allow anyone with an email address to take part.
> They also integrate with the Google/Yahoo SSO systems as well. The
> intention being that they do this until Persona becomes big enough to
> matter, and then they can remove the centralised struts and the system
> becomes transparently decentralised.
>
> In other words, they seem to do a lot of things right.
>
> Of course you can already sign payments using an X.509 cert issued to an
> email address with v1 of the payment protocol, so technically no new PKI is
> needed. But the benefit of leveraging Persona would be convenience - you
> can get yourself a Persona cert and use it to sign in to websites with a
> single click, and the user experience is smart and professional. CAs in
> contrast are designed for web site admins really so the experience of
> getting a cert for an email address is rather variable and more heavyweight.
>
> Unfortunately Persona does not use X.509. It uses a custom thing based on
> JSON. However, under the hood it's just assertions signed by RSA keys, so
> an implementation is likely to be quite easy. From the users perspective,
> their wallet app would embed a browser and drive it as if it were signing
> into a website, but stop after the user is signed into Persona and a user
> cert has been provisioned. It can then sign payment requests automatically.
> For many users, it'd be just one click, which is pretty neat.
>

Persona, in it's current state, is the exact opposite of the principle
behind of bitcoin.

Bitcoin sought to reduce dependence on trusted third parties, where as,
persona is increasing the reach of trusted third parties.  The keys and
passwords are stored on mozilla's servers, sometimes on your email
providers.  Persona, is however, a progression and will hopefully improve
its security and decentralization as it goes along.

A (client or server side) X.509 cert can be issued to any address, be it
email, telephone, webpage, *or* to a bitcoin address, it allows any URI in
he subjectAlternativeName field.  This is much more of bitcoin like model
where the private key sits on your client and the public key is in
discoverable by the other end.

Most enterprises (including Mozilla) take the stance that key management on
the client is beyond the average user.  The notable exception is twitter
who are rolling out 2 factor auth based on PKI.

If you're interested in signing stuff with RSA (or other) keys, the web
payments and payswarm guys have done a ton of work on this, including
implementations, which you may be able to reuse ...


>
>
>
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>

--e89a8fb1fdeed87f4a04e3827b7b
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On 9 August 2013 13:43, Mike Hearn <span dir=3D"ltr">&lt;<a href=3D=
"mailto:mike@plan99.net" target=3D"_blank">mike@plan99.net</a>&gt;</span> w=
rote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div dir=3D"ltr">This is just me making note=
s for myself, I&#39;m not seriously suggesting this be implemented any time=
 soon.<div>
<br></div><div>Mozilla Persona is an infrastructure for web based single si=
gn on. It works by having email providers sign temporary certificates for t=
heir users, whose browsers then sign server-provided challenges to prove th=
eir email address.</div>

<div><br></div><div>Because an SSO system is a classic chicken/egg setup, t=
hey run various fallback services that allow anyone with an email address t=
o take part. They also integrate with the Google/Yahoo SSO systems as well.=
 The intention being that they do this until Persona becomes big enough to =
matter, and then they can remove the centralised struts and the system beco=
mes transparently decentralised.</div>

<div><br></div><div>In other words, they seem to do a lot of things right.<=
/div><div><br></div><div>Of course you can already sign payments using an X=
.509 cert issued to an email address with v1 of the payment protocol, so te=
chnically no new PKI is needed. But the benefit of leveraging Persona would=
 be convenience - you can get yourself a Persona cert and use it to sign in=
 to websites with a single click, and the user experience is smart and prof=
essional. CAs in contrast are designed for web site admins really so the ex=
perience of getting a cert for an email address is rather variable and more=
 heavyweight.</div>

<div><br></div><div>Unfortunately Persona does not use X.509. It uses a cus=
tom thing based on JSON. However, under the hood it&#39;s just assertions s=
igned by RSA keys, so an implementation is likely to be quite easy. From th=
e users perspective, their wallet app would embed a browser and drive it as=
 if it were signing into a website, but stop after the user is signed into =
Persona and a user cert has been provisioned. It can then sign payment requ=
ests automatically. For many users, it&#39;d be just one click, which is pr=
etty neat.</div>
</div></blockquote><div><br></div><div>Persona, in it&#39;s current state, =
is the exact opposite of the principle behind of bitcoin.=A0 <br><br>Bitcoi=
n sought to reduce dependence on trusted third parties, where as, persona i=
s increasing the reach of trusted third parties.=A0 The keys and passwords =
are stored on mozilla&#39;s servers, sometimes on your email providers.=A0 =
Persona, is however, a progression and will hopefully improve its security =
and decentralization as it goes along.<br>
<br></div><div>A (client or server side) X.509 cert can be issued to any ad=
dress, be it email, telephone, webpage, *or* to a bitcoin address, it allow=
s any URI in he subjectAlternativeName field.=A0 This is much more of bitco=
in like model where the private key sits on your client and the public key =
is in discoverable by the other end.<br>
<br></div><div>Most enterprises (including Mozilla) take the stance that ke=
y management on the client is beyond the average user.=A0 The notable excep=
tion is twitter who are rolling out 2 factor auth based on PKI.<br><br></di=
v>
<div>If you&#39;re interested in signing stuff with RSA (or other) keys, th=
e web payments and payswarm guys have done a ton of work on this, including=
 implementations, which you may be able to reuse ...<br></div><div>=A0</div=
>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div dir=3D"ltr">
<div><br></div><div><br></div></div>
<br>-----------------------------------------------------------------------=
-------<br>
Get 100% visibility into Java/.NET code with AppDynamics Lite!<br>
It&#39;s a free troubleshooting tool designed for production.<br>
Get down to code-level detail for bottlenecks, with &lt;2% overhead.<br>
Download for free and get started troubleshooting in minutes.<br>
<a href=3D"http://pubads.g.doubleclick.net/gampad/clk?id=3D48897031&amp;iu=
=3D/4140/ostg.clktrk" target=3D"_blank">http://pubads.g.doubleclick.net/gam=
pad/clk?id=3D48897031&amp;iu=3D/4140/ostg.clktrk</a><br>___________________=
____________________________<br>

Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
<br></blockquote></div><br></div></div>

--e89a8fb1fdeed87f4a04e3827b7b--