Re: [Bitcoin-development] Draft BIP for seamless website authentication using Bitcoin address

[Gavin Andresen <gavinandresen@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 5188 bytes --]

Using a bitcoin address repeatedly is something we're trying to move away
from.

And using a bitcoin address as a persistent identity key feels like the
wrong direction to me.

Better to use something like client certificates, the FIDO alliance's
(new!) specs:
  http://fidoalliance.org/specifications/download

... or Steve Gibson's proposed SQRL system:
  https://www.grc.com/sqrl/sqrl.htm

If one of those systems gets critical mass and actually starts being
successful, then I think it would make sense to specify a standard way of
using a HD wallet's deterministic seed to derive a key used for the FIDO or
SQRL systems.




On Fri, Apr 4, 2014 at 9:22 AM, Eric Larchevêque <elarch@gmail.com> wrote:

> What I'm trying to achieve, is to have a very simple way of authenticating
> yourself with one Bitcoin address from your wallet.
> For most of the people using Bitcoin, their wallet is on their phone.
>
> The UX is clear and simple :
> 1. click on "connect with Bitcoin" (the audience is normal people)
> 2. flash the QRcode with your wallet (blockchain.info, mycelium, ...)
> 3. accept the authentication request (same style than OpenID or Facebook
> connect)
> 4. user is autologged and identified by the chosen Bitcoin public address
>
> It makes sense only if major wallets are supporting the protocol. If you
> need to install a plugin or download a third party software, no one will do
> it.
> I see only benefits for the entire ecosystem, and if I'm working on such a
> proposition it is because I really need this feature.
>
> Of course, it can be done without a BIP, I just need to convince wallet
> developpers one by one to implement the feature.
> But I thought it was much better to start the "official" way, so all
> wallet could easily find and implement the same authentication mechanism.
>
> >  Bitcoin and website authentication are unrelated problems
>
> I respectfully disagree. Many services require your Bitcoin address, and
> to do that they artificially request an email/password to store it.
> This is not about authentication as an identity (as "I'm Eric
> Larcheveque"), but as in "I'm proving to you that I control this address".
>
> Without such a standard protocol, you could never envision a pure Bitcoin
> physical locker rental, or booking an hotel room via Bitcoin and opening
> the door through the paying address.
>
> Eric
>
>
>
> On Fri, Apr 4, 2014 at 3:08 PM, Mike Hearn <mike@plan99.net> wrote:
>
>> This comes up every few months. I think the problem you are trying to
>> solve is already solved by SSL client certificates, and if you want to help
>> make them more widespread the programs you need to upgrade are web browsers
>> and not Bitcoin wallets. There are certainly bits of infrastructure you
>> could reuse here and there, like perhaps a TREZOR with a custom firmware
>> extension for really advanced/keen users, but overall Bitcoin and website
>> authentication are unrelated problems.
>>
>>
>> On Fri, Apr 4, 2014 at 2:15 PM, Eric Larchevêque <elarch@gmail.com>wrote:
>>
>>> Hello,
>>>
>>> I've written a draft BIP description of an authentication protocol based
>>> on Bitcoin public address.
>>>
>>> By authentication we mean to prove to a service/application that we
>>> control a specific Bitcoin address by signing a challenge, and that all
>>> related data and settings may securely be linked to our session.
>>>
>>> The aim is to greatly facilitate sign ups and logins to services and
>>> applications, improving the Bitcoin ecosystem as a whole.
>>>
>>> https://github.com/bitid/bitid/blob/master/BIP_draft.md
>>>
>>> Demo website :
>>> http://bitid-demo.herokuapp.com/
>>>
>>> Classical password authentication is an insecure process that could be
>>> solved with public key cryptography. The problem is that it theoretically
>>> offloads a lot of complexity and responsibility on the user. Managing
>>> private keys securely is complex. However this complexity is already being
>>> addressed in the Bitcoin ecosystem. So doing public key authentication is
>>> practically a free lunch to bitcoiners.
>>>
>>> I've formatted the protocol description as a BIP because this is the
>>> only way to have all major wallets implementing it, and because it
>>> completely fits in my opinion the BIP "process" category.
>>>
>>> Please read it and let me know your thoughts and comments so we can
>>> improve on this draft.
>>>
>>> Eric Larcheveque
>>> elarch@gmail.com
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Bitcoin-development mailing list
>>> Bitcoin-development@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>>
>>>
>>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>


-- 
--
Gavin Andresen

[-- Attachment #2: Type: text/html, Size: 7960 bytes --]