> No, the point of using X509 certs is to get a verified identity (a
> domain name) on the receipt, this is needed for multi-factor
> authentication. You can't do that without some kind of third party
> asserting to an identity.


Agree that you need a third party to verify identity. But the verification
policy of sites is the job for a payment provider, not a payment technology. So
if you would like verification of the site you could just sign the memo using
standard S/MIME - why mix it with the payment protocol?

Further, it is a controversial use of the host key to use it for digital signing
of documents, and not even within the policy of a host certificate as far as I
recall.

The problem you are trying to tackle is that we don't have an ID solution on
the internet today for this purpose. Certificates for signing messages are
distributed freely and insecurely, based only on temporarily having an email
from within an organization, and the host certificates are meant for SSL
handshakes. Funnily, any CA can issue digital certificates for email signing
for any domain, even though they don't own them, and without notifying the
owner. DANE actually solves this, but until then using the host certificates is
unintended use; it is cryptographically a nice solution, but legally and
standard-wise a hack.

/M
_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
