On 2 November 2013 22:14, Johnathan Corgan <johnathan@corganlabs.com> wrote:

On 11/01/2013 10:01 PM, bitcoingrant@gmx.com wrote:

> Server provides a token for the client to sign.

Anyone else concerned about signing an arbitrary string? Could be a
hash of $EVIL_DOCUMENT, no? I'd want to XOR the string with my own
randomly generated nonce, sign that, then pass the nonce and the
signature back to the server for verification.

Good point.

There are actually times you may want to sign a transaction.

There's a little know HTTP code, 402, "Payment Required". We should really start using this at some point ...

http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

Reserved for future use.[2] The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, but that has not happened, and this code is not usually used. As an example of its use, however, Apple's defunct MobileMe service generated a 402 error if the MobileMe account was delinquent.[citation needed] In addition, YouTube uses this status if a particular IP address has made excessive requests, and requires the person to enter a CAPTCHA.

--
Johnathan Corgan, Corgan Labs
SDR Training and Development Services
http://corganlabs.com

------------------------------------------------------------------------------
Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development