public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Timo Hanke <timo.hanke@web.de>
To: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Cold Signing Payment Requests
Date: Thu, 25 Apr 2013 11:58:55 +0200	[thread overview]
Message-ID: <20130425095855.GA30535@crunch> (raw)
In-Reply-To: <mailman.38128.1366844895.4905.bitcoin-development@lists.sourceforge.net>

> So, I'm not a fan of weird hacks involving non-existent domain names.
> There's a clean way to implement this and we decided to punt on it for
> v1 in order to get something shippable, but if you're volunteering ...
> :) then indeed having a custom cert type that chains onto the end is
> the way to go.

Chaining a custom cert onto the end doesn't work, at least not if your
"end" is the SSL cert. Chaining it to the SSL cert defeats the OP's
intention of "cold signing", as the SSL private key is usually kept
online, therefore can't be used to sign a pubkey that is supposed to
stay offline. Hence the idea of the "hack", to get two independent
things signed by the CA in just one cert: 1) your SSL pubkey, 2) your
custom cert (by including its cryptograhic hash). This hack seems the
easiest possible solution.

It also seems the only solution if you want to stick with domain-names
as identifiers for the payment protocol (and I think you do). A cleaner
way would be to get a cert signed by your CA that contains an extended
"bitcoin" attribute in compliance with X.509, but this seems a little
far off.

So I am in favor of the "hack" (properly thought out where to place the
hash).

ps. In the long run I would of course like to see payee identities based
on alt-chains rather than domain-names plus CAs. But that's rather a
concern for v3 than v2. Of course, you can also chain custom certs to
non-SSL identities like PGP-keys. You probably don't want to do that,
but it would solve Melvin Carvalho's problem of sending to RSA keys
(assuming the RSA key holder previously published his custom cert with a
cert server). 

-- 
Timo Hanke
PGP AB967DA8, Key fingerprint = 1EFF 69BC 6FB7 8744 14DB  631D 1BB5 D6E3 AB96 7DA8



       reply	other threads:[~2013-04-25  9:59 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <mailman.38128.1366844895.4905.bitcoin-development@lists.sourceforge.net>
2013-04-25  9:58 ` Timo Hanke [this message]
2013-04-25 10:05   ` [Bitcoin-development] Cold Signing Payment Requests Mike Hearn
2013-04-25 10:28     ` Timo Hanke
2013-04-25 10:45       ` Mike Hearn
2013-04-25 10:52         ` Mike Hearn
2013-04-25 11:55         ` Timo Hanke
     [not found]         ` <FDF215AE-F9A4-4EE3-BDC9-0A4EF027423A@swipeclock.com>
2013-04-25 14:31           ` Mike Hearn
2013-04-25 19:12             ` Jeremy Spilman
2013-04-26  1:07               ` Gavin Andresen
2013-04-28 18:03                 ` Timo Hanke
2013-04-29 18:40                   ` Jeremy Spilman
2013-04-30  9:17                     ` Mike Hearn
2013-04-30 11:32                       ` Jouke Hofman
2013-04-30 13:14                         ` Gavin Andresen
2013-04-30 17:17                           ` Jeremy Spilman
2013-05-06 21:29                             ` Peter Todd
2013-04-24 23:01 Jeremy Spilman
2013-04-24 23:07 ` Alan Reiner
2013-04-25  9:08   ` Mike Hearn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130425095855.GA30535@crunch \
    --to=timo.hanke@web.de \
    --cc=bitcoin-development@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox