> I'm not a cryptography expert, but why not just wrap the bluetooth
> connection with SSL and not reimplement ECDH? Is this
hard to do with android/java?

Not at all, it should be very easy in Java because of how the SSL API is
designed. I'd worry more about non-Java platforms.

However, SSL is extremely large, old and complicated. We use it on the web
because of a mix of its feature set and legacy concerns. When discussing
encrypted connections in the past, there has been a desire to avoid SSL
because of these issues and do something much simpler and home grown. Of
course, part of the reason SSL is so convoluted is because cryptography
evolves over time, and thus it's not 100% clear to me that a simple
home-rolled crypto link would avoid falling into the same traps as SSL

But, at least for now, it's probably more secure and more robust to not use

> This sounds great, but I thought it is not desired to divulge a bitcoin
> public key until the time of signing a transaction. Isn't that the whole
> point of having a public key hash and never reusing addresses?

Eh, no. Satoshi originally introduced key hashing simply to make shorter
and easier to type destinations. Actually he envisioned most payments being
routed by IP address, where Bitcoin would just connect to the other node
and request a public key directly. There's no problem with the sender
knowing the public key of the address included in the URI.

> This could be resolved by the payee immediately sending the payment to
> another address after receiving it, but that is kind of a waste of a
> transaction. Also, I would love a less PKI dependent way to authenticate a
> transaction between the two parties, but I was trying to minimize the
> discussion of general payment protocol modifications in this announcement.

Alternative PKIs would be a topic for another thread, indeed. But I doubt
you will get anywhere. There are no usable alternatives to the SSL PKI. I
wrote an article on the topic here, you may find it useful:


It summarises why BIP70 uses the PKI.

> We can do something like this, I guess. The issue I mentioned about the
> message headers being inconsistent will have to be fixed though to to do
> this. However, is anyone even using the HTTP base failure signal (I don't
> even know what it is)?

It's "Respond with 500 Internal Server Error" pretty much.

Originally the idea of BIP70 was that clients would not broadcast
transactions. They would submit them to the merchant for broadcast. If the
merchant didn't like the payment for some reason (e.g. paying with a non
standard transaction or with lots of dust), they could just return an error.

Unfortunately Bitcoin Core does broadcast transactions simultaneously.
Additionally, whilst other wallets  did not, one major payment processor
had a very unreliable BIP70 payment_url endpoint for a while, whilst
broadcasting a tx via the p2p network was fully functioning. So to work
around bugs in this one payment processor some other wallets have started
broadcasting the payment tx simultaneously as well.

This means a receiver cannot meaningfully reject a payment. Some wallets
will send it anyway, via the p2p network.

> and a h= parameter, and Schildbach's wallet does accept the payment request

I suspect it won't work if you leave out the non-standard h= parameter.

WRT the merge avoidance - there's an article here on how it's meant to work:


It's totally OK for you to specify the amounts you want to avoid merges in
your own wallet. The sending wallet could (but none do today) then pay with
multiple transactions.

Your case is really weird because you aren't actually requesting a specific
amout of money. I recall that there's some reason for this, from your
video, but suddenly it escapes me. Because the user scans the payment
request before pumping?

> I don't trust HTTPS for a number of reasons.

I disagree with all your reasons (e.g. there is nothing wrong with
outsourcing payment processing and it doesn't have to imply the user sees
an incorrect name), and I believe you should trust the PKI a lot more than
you do. If you try and build a better replacement, I think you'll discover
it's a lot harder than you imagine.

Regardless, I am not against an *optional* tighter binding between URI and
payment request, mostly because it's useful for the cases where signing
with a cert isn't possible. But the simple/obvious "embed a hash of it in
the URI" is inefficient, not compatible with the current specs, can make QR
codes harder to scan, and forces you to format your payment request up
front rather than generating it on demand.

> The primary reason he does not have this in the master branch is because
> the payment protocol only supports signing of payment requests via PKI, and
> it is difficult for a user to install a PKI signed certificate on android,
> just for a single peer to peer use case.

Unsigned requests work OK for the phone to phone case, assuming you aren't
actually talking to an imposter.

> If you are to provide a full fledged wifi connection to the customer,
> there would then have to be a very sophisticated proxy server that can
> allow only access to bitcoin nodes, and how to do that would be difficult
> since every node doesn't know all of the nodes in the network.

You can just allow port 8333 and rewrite port 80, as most wifi hotspots do
today already.

But my point about this was that all smartphones get internet access from
time to time. In my own life, I've definitely been in cases where I wanted
to *pay* with bitcoins but didn't have good internet access at that exact
moment, e.g. back of a restaurant. I've also been in the situation more
rarely where I wanted to receive coins from someone in front of me, without
good internet access, but Bluetooth already addresses that.

I don't recall ever being in a situation where I had no internet access,
but somehow knew there was a payment waiting for me on the block chain, and
I needed it right now because it was necessary for me to receive that money
in order to pay a bill. That's what the dedicated blockchain radio would
provide, but it seems like a very rare use case.

> All this was already known but was not proposed because it does not allow
> you to use the h= parameter. What do you propose to do instead of the h=
> parameter, but still allow for a trust anchor with the payee still be
> maintained?

I think I said already, but maybe am not explaining well. You use the
address that's already in all backwards compatible URIs. The payment
details can be additionally signed with the key corresponding to that
address. Or, that key can be covered by the PKI signature if there is one.
But dual signing is always possible.
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
Bitcoin-development mailing list

Reply via email to