1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192]
helo=mx.sourceforge.net)
by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <mh.in.england@gmail.com>) id 1W8qH5-0001zb-Tj
for bitcoin-development@lists.sourceforge.net;
Thu, 30 Jan 2014 11:59:15 +0000
Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.219.47 as permitted sender)
client-ip=209.85.219.47; envelope-from=mh.in.england@gmail.com;
helo=mail-oa0-f47.google.com;
Received: from mail-oa0-f47.google.com ([209.85.219.47])
by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1W8qH2-0000Jp-Us
for bitcoin-development@lists.sourceforge.net;
Thu, 30 Jan 2014 11:59:15 +0000
Received: by mail-oa0-f47.google.com with SMTP id m1so3497888oag.34
for <bitcoin-development@lists.sourceforge.net>;
Thu, 30 Jan 2014 03:59:05 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.182.157.114 with SMTP id wl18mr1062061obb.52.1391083145429;
Thu, 30 Jan 2014 03:59:05 -0800 (PST)
Sender: mh.in.england@gmail.com
Received: by 10.76.99.112 with HTTP; Thu, 30 Jan 2014 03:59:05 -0800 (PST)
In-Reply-To: <CAPg+sBg8AGrbny=2tXp3gsok4TX7XV5307Cx1+ArBwxM6xL4jQ@mail.gmail.com>
References: <52E9E787.8080304@borboggle.com>
<CANEZrP0soR0xRqW=vsKaL__HRuWstA5vW=6_JkGZm=8wkm8Q3g@mail.gmail.com>
<52EA343E.4010208@borboggle.com>
<CAPg+sBg8AGrbny=2tXp3gsok4TX7XV5307Cx1+ArBwxM6xL4jQ@mail.gmail.com>
Date: Thu, 30 Jan 2014 12:59:05 +0100
X-Google-Sender-Auth: pa1PdxAXcAfBaVrNO3GIJJBfRiQ
Message-ID: <CANEZrP2MHqw+c+AVSLzmc6A1xyMvVK=DfR_R-tH1ypGQLRqo_A@mail.gmail.com>
From: Mike Hearn <mike@plan99.net>
To: Pieter Wuille <pieter.wuille@gmail.com>
Content-Type: multipart/alternative; boundary=f46d04182830bc89c604f12ec806
X-Spam-Score: -0.5 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(mh.in.england[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
1.0 HTML_MESSAGE BODY: HTML included in message
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1W8qH2-0000Jp-Us
Cc: Bitcoin-Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] BIP70 message delivery reliability
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Thu, 30 Jan 2014 11:59:16 -0000
--f46d04182830bc89c604f12ec806
Content-Type: text/plain; charset=UTF-8
With the way it works in bitcoinj, the tx is only committed to the wallet
if the server accepts the Payment message and ACKs it. So the tx would not
be retried if there's a failure submitting or some kind of internal server
error, and the UI would show that the payment failed. That seems
straightforward and how I'd expect things to work as a user.
On Thu, Jan 30, 2014 at 12:46 PM, Pieter Wuille <pieter.wuille@gmail.com>wrote:
> On Thu, Jan 30, 2014 at 12:15 PM, Chuck <chuck+bitcoindev@borboggle.com>
> wrote:
> > Hi Mike. Thanks for replying.
> >
> > On 1/30/2014 5:49 PM, Mike Hearn wrote:
> >> Both Bitcoin Core and bitcoinj are about to ship with the protocol
> >> as-is, so any changes from this point on have to be backwards
> compatible.
> > Then I think it's critically important to talk about failure situations
> > now, rather than trying to patch on solutions later; it's going to be
> > very hard to wedge/"hack" in fixes for potential problems when they
> > could be addressed now with minor changes.
> >> Let's get some practical experience with what we've got so far. We can
> >> evolve PaymentRequest/Payment/PaymentACK in the right direction with
> >> backwards compatible upgrades, I am hoping.
> > I think what I'm trying to discuss or find out here is whether the
> > current PP description is defunct or incomplete in some manner, thus
> > making any experience we gain from the current implementation moot.
> >
> > It seems the largest hole in the implementation is delivery of the
> > Payment message, but I'm happy to accept that maybe I'm just missing
> > something. A malicious merchant could claim he never received the
> > Payment message, or a faulty network connection could cause the message
> > to never be delivered. In arbitration the merchant could argue the
> > transactions seen on the network were insufficient.
>
> You don't even have to assume malicious intent. A payment message
> could just fail to arrive because the server is unreachable. As the
> specification currently doesn't even suggest retrying, there is no way
> the merchant can rely at all on the memo and refund address being
> delivered, which makes them in my opinion useless.
>
> Your proposal makes the whole protocol more atomic, which may be a
> step too far at this point (though I like the idea very much), but I
> really think the specification should do everything possible to
> prevent transactions confirming without the payment message ever being
> delivered (i.e., store them in the sender's client, retry when
> necessary, exponential backoff, ...).
>
> --
> Pieter
>
--f46d04182830bc89c604f12ec806
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">With the way it works in bitcoinj, the tx is only committe=
d to the wallet if the server accepts the Payment message and ACKs it. So t=
he tx would not be retried if there's a failure submitting or some kind=
of internal server error, and the UI would show that the payment failed. T=
hat seems straightforward and how I'd expect things to work as a user.<=
/div>
<div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Thu, Jan 3=
0, 2014 at 12:46 PM, Pieter Wuille <span dir=3D"ltr"><<a href=3D"mailto:=
pieter.wuille@gmail.com" target=3D"_blank">pieter.wuille@gmail.com</a>><=
/span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div class=3D"im">On Thu, Jan 30, 2014 at 12=
:15 PM, Chuck <<a href=3D"mailto:chuck%2Bbitcoindev@borboggle.com">chuck=
+bitcoindev@borboggle.com</a>> wrote:<br>
</div><div><div class=3D"h5">> Hi Mike. =C2=A0Thanks for replying.<br>
><br>
> On 1/30/2014 5:49 PM, Mike Hearn wrote:<br>
>> Both Bitcoin Core and bitcoinj are about to ship with the protocol=
<br>
>> as-is, so any changes from this point on have to be backwards comp=
atible.<br>
> Then I think it's critically important to talk about failure situa=
tions<br>
> now, rather than trying to patch on solutions later; it's going to=
be<br>
> very hard to wedge/"hack" in fixes for potential problems wh=
en they<br>
> could be addressed now with minor changes.<br>
>> Let's get some practical experience with what we've got so=
far. We can<br>
>> evolve PaymentRequest/Payment/PaymentACK in the right direction wi=
th<br>
>> backwards compatible upgrades, I am hoping.<br>
> I think what I'm trying to discuss or find out here is whether the=
<br>
> current PP description is defunct or incomplete in some manner, thus<b=
r>
> making any experience we gain from the current implementation moot.<br=
>
><br>
> It seems the largest hole in the implementation is delivery of the<br>
> Payment message, but I'm happy to accept that maybe I'm just m=
issing<br>
> something. =C2=A0A malicious merchant could claim he never received th=
e<br>
> Payment message, or a faulty network connection could cause the messag=
e<br>
> to never be delivered. In arbitration the merchant could argue the<br>
> transactions seen on the network were insufficient.<br>
<br>
</div></div>You don't even have to assume malicious intent. A payment m=
essage<br>
could just fail to arrive because the server is unreachable. As the<br>
specification currently doesn't even suggest retrying, there is no way<=
br>
the merchant can rely at all on the memo and refund address being<br>
delivered, which makes them in my opinion useless.<br>
<br>
Your proposal makes the whole protocol more atomic, which may be a<br>
step too far at this point (though I like the idea very much), but I<br>
really think the specification should do everything possible to<br>
prevent transactions confirming without the payment message ever being<br>
delivered (i.e., store them in the sender's client, retry when<br>
necessary, exponential backoff, ...).<br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
--<br>
Pieter<br>
</font></span></blockquote></div><br></div>
--f46d04182830bc89c604f12ec806--
|
