Re: [Bitcoin-development] Draft BIP for seamless website authentication using Bitcoin address

["Eric Larchevêque" <elarch@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 2973 bytes --]

>
> The goal of writing a BIP seems to be to get lots of different wallet
> authors to write lots of code for you - but I *am* a wallet author, and I
> don't think that's the right way to get traction with a new scheme.
>

I started without a BIP and the feedback I got is that I should to a BIP.
We cannot write all the code for all the wallets ; this is after all a
communauty project.
However we have and we will propose bounties for each wallet to support
natively the protocol.


> For instance the TREZOR guys would have to support your new protocol
> otherwise if I paid my hotel bill with my TREZOR I couldn't open the door
> when I got there! But they probably have better things to be doing right
> now.
>

Yes you are right. But if the concept of authenticating yourself gets
traction, they will probably do it.


> The key difference between just generating a client certificate and using
> a Bitcoin address is that the client certificate is something that is used
> *specifically* for identification. It leaves no trace in the block chain,
> so no weird privacy issues, it doesn't matter how you manage your wallet,
> and you don't have to persuade lots of people to support your idea because
> it was already done >10 years ago and basically every browser/web server
> supports it.
>

My view on this is mainly about the UX and the fact everyone in Bitcoinland
has a wallet.
It's a approach leveraging this fact, with the possibility to build
interesting apps combining address auth and the blockchain.

I understand the problems related to multisig, contracts etc,
There is no such thing as a from address in a transaction, however many
services still take first tx as the return address.
People will always find way of building and doing stuff (cf the message in
the blockchain debate).


> Some reasons client certs aren't more widely used boil down to:
>
>    1. People like passwords. In particular they like forgetting them and
>    then having friendly people assist them to get it back. Client certs can
>    support this use case, but only if apps are checking the identity in them
>    and not the key.
>    2. The UI for managing client certs in browsers is pretty horrible.
>    There's little incentive to improve it because of (1).
>    3. Cross-device sync doesn't work very well. Apple are starting to
>    tackle this with their iCloud Keychain Sync service but then of course,
>    Apple has all your keys and you may well just sign in to things with your
>    Apple account (if it were to be supported). Cross-device sync where the
>    server *doesn't* get your keys is supported by Chrome for passwords,
>    but not client certs, because (1)
>
> None of the above issues have any obvious fix lurking within Bitcoin.
>

There is also the benefit of revocation with certificate and central
authority.

But, again, you already have a wallet and a Bitcoin address.
So if you add a simple auth protocol, people will use it at no cost.

Eric

[-- Attachment #2: Type: text/html, Size: 4331 bytes --]