From: Eric Larchevêque <elarch@gmail.com>
Date: Fri, 4 Apr 2014 17:09:08 +0200
To: slush
Cc: Bitcoin Dev
Subject: Re: [Bitcoin-development] Draft BIP for seamless website authentication using Bitcoin address

On Fri, Apr 4, 2014 at 4:56 PM, slush wrote:

> I'm cracking my head for many months with the idea of using TREZOR for web
> auth purposes. Unfortunately I'm far from any usable solution yet.
>
> My main comments to your BIP: Don't use bitcoin addresses directly and
> don't encourage services to use this "login" for financial purposes. Mike
> is right, mixing authentication and financial services is wrong. Use some
> function to generate other private/public key from bitcoin's seed/private
> key to not leak bitcoin-related data to website.

I'm probably very naive, but the fact that the authentication key is your Bitcoin address was for me a great feature :)

What are the risks associated with identifying yourself with a bitcoin address you plan to use on the website for transactions?

I mean, what is the difference between doing that, and identifying with a login/pass and adding your bitcoin address in a settings field? (knowing you could always find a mechanism to transfer the account to another bitcoin address if needed)

Eric