Re: [Bitcoin-development] Cold Signing Payment Requests

2013-04-25 Thread Mike Hearn
(for background: I did a lot of the design work with Gavin on the payment protocol and suggested/prototyped using x.509 in the way we do). So, I'm not a fan of weird hacks involving non-existent domain names. There's a clean way to implement this and we decided to punt on it for v1 in order to

Re: [Bitcoin-development] Cold Signing Payment Requests

2013-04-25 Thread Timo Hanke
So, I'm not a fan of weird hacks involving non-existent domain names. There's a clean way to implement this and we decided to punt on it for v1 in order to get something shippable, but if you're volunteering ... :) then indeed having a custom cert type that chains onto the end is the way to

Re: [Bitcoin-development] Cold Signing Payment Requests

2013-04-25 Thread Mike Hearn
Chaining a custom cert onto the end doesn't work, at least not if your end is the SSL cert. Chaining it to the SSL cert defeats the OP's intention of cold signing, as the SSL private key is usually kept online, therefore can't be used to sign a pubkey that is supposed to stay offline. What

Re: [Bitcoin-development] Cold Signing Payment Requests

2013-04-25 Thread Timo Hanke
On Thu, Apr 25, 2013 at 12:05:06PM +0200, Mike Hearn wrote: Chaining a custom cert onto the end doesn't work, at least not if your end is the SSL cert. Chaining it to the SSL cert defeats the OP's intention of cold signing, as the SSL private key is usually kept online,

Re: [Bitcoin-development] Cold Signing Payment Requests

2013-04-25 Thread Mike Hearn
That's a pointless goal to try and solve right now, because the SSL PKI cannot handle compromised web servers and so neither can we (with v1 of the payments spec). I don't think the OP intended to solve it right now, i.e. in v1. He differentiated between most trusted and less trusted

Re: [Bitcoin-development] [Bitcoin-test] Time for a 0.8.2 release

2013-04-25 Thread Arklan Uth Oslin
unfortunately my winter has proven a complicated series of significant life events - new work, etc - which sees me with little free time to help out. sorry. Arklan -- As long as there is light, the darkness holds no fear. And yet, even in the deepest black, there is life. - Arklan Uth

Re: [Bitcoin-development] Cold Signing Payment Requests

2013-04-25 Thread Mike Hearn
On Thu, Apr 25, 2013 at 4:13 PM, Mike Caldwell mcaldw...@swipeclock.comwrote: I am not sure if my replies hit the list. If not, can anyone who sees this help? In the past, I have pre signed (with PGP) large batches of Bitcoin addresses for distribution on my server. This way, even in the

Re: [Bitcoin-development] Cold Signing Payment Requests

2013-04-25 Thread Jeremy Spilman
There are definitely ways to keep the pay-to address secure even if the web server is compromised, just perhaps not perfectly clean standard X.509 ways under the current ecosystem which would be easier for everyone to agree on. - If a more trusted cert is an EV end cert, and a less trusted is a

Re: [Bitcoin-development] Cold Signing Payment Requests

2013-04-25 Thread Gavin Andresen
On Thu, Apr 25, 2013 at 3:12 PM, Jeremy Spilman jeremy.spil...@gmail.comwrote: Right now I'm leaning towards writing a prototype using a single cert with a fingerprint of PubKey in the Subject Alternate Name, and getting PubKey and InvoiceID in the Payment Request. Gavin, would the best way