From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1W8q4w-0005od-D4 for bitcoin-development@lists.sourceforge.net; Thu, 30 Jan 2014 11:46:42 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.223.174 as permitted sender) client-ip=209.85.223.174; envelope-from=pieter.wuille@gmail.com; helo=mail-ie0-f174.google.com; Received: from mail-ie0-f174.google.com ([209.85.223.174]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1W8q4u-0006rU-6h for bitcoin-development@lists.sourceforge.net; Thu, 30 Jan 2014 11:46:42 +0000 Received: by mail-ie0-f174.google.com with SMTP id tp5so3132205ieb.5 for ; Thu, 30 Jan 2014 03:46:30 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.50.176.165 with SMTP id cj5mr13434869igc.19.1391082390501; Thu, 30 Jan 2014 03:46:30 -0800 (PST) Received: by 10.50.100.10 with HTTP; Thu, 30 Jan 2014 03:46:30 -0800 (PST) In-Reply-To: <52EA343E.4010208@borboggle.com> References: <52E9E787.8080304@borboggle.com> <52EA343E.4010208@borboggle.com> Date: Thu, 30 Jan 2014 12:46:30 +0100 Message-ID: From: Pieter Wuille To: Chuck Content-Type: text/plain; charset=ISO-8859-1 X-Spam-Score: -1.6 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (pieter.wuille[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1W8q4u-0006rU-6h Cc: Bitcoin-Dev Subject: Re: [Bitcoin-development] BIP70 message delivery reliability X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jan 2014 11:46:42 -0000 On Thu, Jan 30, 2014 at 12:15 PM, Chuck wrote: > Hi Mike. Thanks for replying. > > On 1/30/2014 5:49 PM, Mike Hearn wrote: >> Both Bitcoin Core and bitcoinj are about to ship with the protocol >> as-is, so any changes from this point on have to be backwards compatible. > Then I think it's critically important to talk about failure situations > now, rather than trying to patch on solutions later; it's going to be > very hard to wedge/"hack" in fixes for potential problems when they > could be addressed now with minor changes. >> Let's get some practical experience with what we've got so far. We can >> evolve PaymentRequest/Payment/PaymentACK in the right direction with >> backwards compatible upgrades, I am hoping. > I think what I'm trying to discuss or find out here is whether the > current PP description is defunct or incomplete in some manner, thus > making any experience we gain from the current implementation moot. > > It seems the largest hole in the implementation is delivery of the > Payment message, but I'm happy to accept that maybe I'm just missing > something. A malicious merchant could claim he never received the > Payment message, or a faulty network connection could cause the message > to never be delivered. In arbitration the merchant could argue the > transactions seen on the network were insufficient. You don't even have to assume malicious intent. A payment message could just fail to arrive because the server is unreachable. As the specification currently doesn't even suggest retrying, there is no way the merchant can rely at all on the memo and refund address being delivered, which makes them in my opinion useless. Your proposal makes the whole protocol more atomic, which may be a step too far at this point (though I like the idea very much), but I really think the specification should do everything possible to prevent transactions confirming without the payment message ever being delivered (i.e., store them in the sender's client, retry when necessary, exponential backoff, ...). -- Pieter