Chris, Thank you for taking the time to look at my proposal. 1) pay to addresses are not fixed - ie you can have a different address for > each transaction (which is why BIP70 is necessary to allow per transaction > addresses via https.) > This is certainly true for a "published" address; however a new address (and URL) can be generated for each one-off peer-to-peer transaction. However, I'd expect that most of the time this use case will be handed by BIP70. Still, this could allow someone to implement a authenticated, non-repudiable payment request without having to go through the hassle of a full BIP70 implementation. > 2) unless you are already aware of the public key of the signature, you > do not know if the signature is made by the person you think it is supposed > to be from. See recent concern over fake key for Gavin Andresen. Ie a > signature can always be verified with a valid public key, the question is > was it the real person's key. That is what WoT tried to resolve with > so-called "signing parties", nowadays keys posted to a public forum by a > known user, but it's not a standard and not ideal. > My proposal leverages the existing SSL key system (yes, PKI), so there is a reasonable expectation that if the signature verifies, it came from the party indicated on the cert. While SSL (and the PKI system underpinning it) have its faults, the example you highlighted was specifically a problem with WoT, not PKI. Can a compromised web server cause payments to be made to the wrong party? Of course-- but that's already true. And that's not something BIP70 solves (or attempts to solve) either. (To explain [better than I could] why I feel PKI is a pragmatic solution, I defer to Mike Hearn 's article: https://medium.com/bitcoin-security-functionality/b64cf5912aa7) --Daryl