On Mon, Jan 27, 2014 at 7:18 PM, Andreas Schildbach <andreas@schildbach.de> wrote:
I'm not saying I'm against signed payment requests, but unfortunately
they are just too big for QR-codes. Then again, QR-codes *can* take up
to 2 KB. How big would a very basic trust chain plus signature be?

As I said, the test requests generated by Gavin's generator end up being about 4kb.

Unfortunately most certs are using RSA keys which aren't very compact. You can get ECC certs, but for whatever reason, the test requests aren't using one.
 
I was under the impression that addresses will go away. Can you
elaborate on the mechanism?

There's still an address in the URI for backwards compatibility, right? In theory if everyone some day uses wallets that support BIP70 it'd be superfluous and could be removed, but whilst it's there, we could find alternative uses for it ...
 
Ok, that's good news (to me). However, you are going to manage trust
stores (adding and revoking) without TCP?

Trust store is just a local database. Why would it involve TCP?
 
Well I'm thinking the other way round. Use Bitcoin where its already
used today -- face to face.

Maybe in Berlin :-) Most of my transactions are sadly with online shops, still.
 
> you probably still would like a receipt if you buy
> something from a local market trader.

Yes, but where is the problem?

A receipt is a proof of purchase. If the payment request isn't signed then it proves nothing as you could have made it yourself. Of course paper receipts are forgeable too - we sort of pretend receipt fraud does not exist, but it does.

Nobody would ever be forced to sign to receive money, obviously, but it's better if people do as it leads to herd immunity. If people expect to see it then they will be suspicious if an attacker strips the signing data. If it's randomly hit/miss then the signing data can just be deleted by a MITM and you'd never think anything was amiss.

And again, how is he going to provide the payment request to the payer
without TCP?

Over Bluetooth, perhaps. That's what we're talking about, right?
 
Interesting, did not know about this BIP. However I don't understand the
usecase.

It was proposed by the BitPay guys. I think they feel that scanning a QR code should always make something intelligent happen, even if you don't (for instance) have a wallet app installed at all. Overloading the URL so it works for both web browsers and wallet apps is easy, so I can see why they suggested it. Doesn't seem like a big deal either way.