From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WK3np-0001i1-Eo for bitcoin-development@lists.sourceforge.net; Sun, 02 Mar 2014 10:39:25 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.219.43 as permitted sender) client-ip=209.85.219.43; envelope-from=mh.in.england@gmail.com; helo=mail-oa0-f43.google.com; Received: from mail-oa0-f43.google.com ([209.85.219.43]) by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1WK3no-0006RD-AT for bitcoin-development@lists.sourceforge.net; Sun, 02 Mar 2014 10:39:25 +0000 Received: by mail-oa0-f43.google.com with SMTP id g12so5913769oah.30 for ; Sun, 02 Mar 2014 02:39:19 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.182.2.42 with SMTP id 10mr354obr.73.1393756758948; Sun, 02 Mar 2014 02:39:18 -0800 (PST) Sender: mh.in.england@gmail.com Received: by 10.76.71.231 with HTTP; Sun, 2 Mar 2014 02:39:18 -0800 (PST) In-Reply-To: References: Date: Sun, 2 Mar 2014 11:39:18 +0100 X-Google-Sender-Auth: BNtuMjWgQbhmRs1fJK88spj5pTY Message-ID: From: Mike Hearn To: Drak Content-Type: multipart/alternative; boundary=001a1134ad0685423204f39d4816 X-Spam-Score: -0.5 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (mh.in.england[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1WK3no-0006RD-AT Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] Payment Protocol Hash Comments X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 02 Mar 2014 10:39:25 -0000 --001a1134ad0685423204f39d4816 Content-Type: text/plain; charset=UTF-8 I'm just repeating the rationale Gavin gave me for adding this to the spec last year when he was implementing it. Perhaps it only applied to some versions of PHP or something like that. Jeremy, good comments. A pull request to fix those would be good. One issue I seem looming on the horizon is that we'll need a version of the payment protocol document that's living. Trying to reverse engineer the current spec by manually reading all the BIPs and layering them in your head is a non starter. On Sun, Mar 2, 2014 at 9:52 AM, Drak wrote: > Not true, PHP does support sha2 > > http://php.net/manual/en/mhash.constants.php > > http://php.net/manual/en/function.hash-algos.php#refsect1-function.hash-algos-examples > On 2 Mar 2014 08:44, "Mike Hearn" wrote: > >> SHA-1 support is there for PHP developers. Apparently it can't do SHA-2. >> On 2 Mar 2014 08:53, "Jeremy Spilman" wrote: >> >>> From BIP70: >>> >>> If pki_type is "x509+sha256", then the Payment message is hashed using >>> the >>> SHA256 algorithm to produce the message digest that is signed. If >>> pki_type >>> is "x509+sha1", then the SHA1 algorithm is used. >>> >>> A couple minor comments; >>> >>> - I think it meant to say the field to be hashed is 'PaymentRequest' >>> not >>> 'Payment' message -- probably got renamed at some point and this is an >>> old >>> reference calling it by its original name. >>> >>> - Could be a bit more explicit about the hashing, e.g. 'copy the >>> PaymentRequest, set the signature field to the empty string, serialize to >>> a byte[] and hash. >>> >>> - SHA1 is retiring, any particular reason to even have it in there at >>> all? >>> >>> - Should there any way for the end-user to see details like the >>> pki_type >>> and the certificate chain, like browser do? >>> >>> >>> Thanks, >>> Jeremy >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> Flow-based real-time traffic analytics software. Cisco certified tool. >>> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer >>> Customize your own dashboards, set traffic alerts and generate reports. >>> Network behavioral analysis & security monitoring. All-in-one tool. >>> >>> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk >>> _______________________________________________ >>> Bitcoin-development mailing list >>> Bitcoin-development@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development >>> >> >> >> ------------------------------------------------------------------------------ >> Flow-based real-time traffic analytics software. Cisco certified tool. >> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer >> Customize your own dashboards, set traffic alerts and generate reports. >> Network behavioral analysis & security monitoring. All-in-one tool. >> >> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk >> _______________________________________________ >> Bitcoin-development mailing list >> Bitcoin-development@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/bitcoin-development >> >> --001a1134ad0685423204f39d4816 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
I'm just repeating the rationale Gavin gave me for add= ing this to the spec last year when he was implementing it. Perhaps it only= applied to some versions of PHP or something like that.

Jeremy, good comments. A pull request to fix those would be good.

One issue I seem looming on the horizon is that we'll n= eed a version of the payment protocol document that's living. Trying to= reverse engineer the current spec by manually reading all the BIPs and lay= ering them in your head is a non starter.




On Sun, Mar 2, 2014 at 9:52 AM, Drak <drak@zikula.org= > wrote:

Not true, PHP does support sh= a2

http://php.net/manual/en/mhash.constants.php
http://php.net/manual/en/function= .hash-algos.php#refsect1-function.hash-algos-examples

On 2 Mar 2014 08:44, "Mike Hearn" <= mike@plan99.net>= ; wrote:

SHA-1 support is there for PHP developers. Apparently it can= 't do SHA-2.

On 2 Mar 2014 08:53, "Jeremy Spilman" = <jeremy@taplink.c= o> wrote:
=C2=A0From BIP70:

=C2=A0 =C2=A0If pki_type is "x509+sha256", then the Payment messa= ge is hashed using
the
=C2=A0 =C2=A0SHA256 algorithm to produce the message digest that is signed.= If
pki_type
=C2=A0 =C2=A0is "x509+sha1", then the SHA1 algorithm is used.

A couple minor comments;

=C2=A0 - I think it meant to say the field to be hashed is 'PaymentRequ= est' not
'Payment' message -- probably got renamed at some point and this is= an old
reference calling it by its original name.

=C2=A0 - Could be a bit more explicit about the hashing, e.g. 'copy the=
PaymentRequest, set the signature field to the empty string, serialize to a byte[] and hash.

=C2=A0 - SHA1 is retiring, any particular reason to even have it in there a= t all?

=C2=A0 - Should there any way for the end-user to see details like the pki_= type
and the certificate chain, like browser do?


Thanks,
Jeremy


---------------------------------------------------------------------------= ---
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gam= pad/clk?id=3D126839071&iu=3D/4140/ostg.clktrk
_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment

-----------------------------------------------------------------------= -------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gam= pad/clk?id=3D126839071&iu=3D/4140/ostg.clktrk
__________________= _____________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment


--001a1134ad0685423204f39d4816--