Topic: [BIP][Draft] BitID - "Connect with Bitcoin" protocol - page 2. (Read 22743 times)

sr. member
Activity: 360
Merit: 250
CEO, Ledger
Specifically, in what standard format are the parameters passed? Using Json? Http headers? Encoded onto the Uri? What? A tangible example of the exact HTTP POST request sent from the client, byte by byte, would have been enormously helpful here. As is now, I'm blind on the server side - I don't know what data to expect and have to guess how the client sends its data?

If you go here :
http://bitid.bitcoin.blue/login
And click on "manual", you'll get a curl example showing exactly how to POST on the demo server implementation.
hero member
Activity: 707
Merit: 500
This makes the whole process more cumbersome plus forces me to have an offline phone just for signing in. People willing to take these hurdles could as well use a dedicated hardware device or some of the long available complicated options for secure authentication.
The beauty of bitid is that it requires only a mobile wallet and a very simple step. It's easy and you get it for free if you use a mobile wallet anyway.

You could of course proxy the callback with some software reading from a QR code on the phone. But, you know, complicated more secure systems which don't get used improve security less than systems which get used cause they are easy and still a hell lot better than this username plus password crap we have today.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I don't get it... How should my phone authenticate me to some server without contacting that server?

It's really quite simple - to "sign up" your phone creates a public key that it displays as a QR code and you use the camera on your PC to *scan it*. Then it sends back a public key (for your account) along with a one time message as a QR code that you then scan with your phone. Your phone then *signs a message* with its private key for the public key (and the one time message) and displays that as a QR code - you now again show your phone to the camera and you are done.

When signing in at a later stage you first enter your username - it will then display a QR code that is the public key and one time message. You scan this with your phone and then it creates a QR code of the *signed response* which lets you "log in".

So your phone never needs internet access to do this (just needs a camera and a display).

It is not that much more difficult than a traditional login (especially if you consider 2FA) and it is 100% secure (getting people used to this idea is going to be the hardest part).
hero member
Activity: 707
Merit: 500
I had also considered this exact idea (being a fan of QR codes) - IMO the main thing to really help this to happen would be the software to be available for smart phones and a smart phone that can be *permanently disconnected from all normal comms*.

I have read about (more or less) transparent Faraday cages so I am thinking that an inexpensive approach might be to use an old smartphone and such a Faraday cage to create an authenticator that never needs to be online.


I don't get it... How should my phone authenticate me to some server without contacting that server?
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I had also considered this exact idea (being a fan of QR codes) - IMO the main thing to really help this to happen would be the software to be available for smart phones and a smart phone that can be *permanently disconnected from all normal comms*.

I have read about (more or less) transparent Faraday cages so I am thinking that an inexpensive approach might be to use an old smartphone and such a Faraday cage to create an authenticator that never needs to be online.
newbie
Activity: 31
Merit: 0
Some feedback - this part was not clear to me:

Quote
POST the signature, the URI and the public key to the callback URL

Specifically, in what standard format are the parameters passed? Using Json? Http headers? Encoded onto the Uri? What? A tangible example of the exact HTTP POST request sent from the client, byte by byte, would have been enormously helpful here. As is now, I'm blind on the server side - I don't know what data to expect and have to guess how the client sends its data?
sr. member
Activity: 384
Merit: 258
I intend to implement this as a 2FA sign-on in Swarmops over the next two weeks. I've never seen _anything_ matching its ease of use.

Is there redistributable server-side code somewhere I can use as a template? My platform is ASP.Net and C#. I would rather not reimplement crypto code, but I am happy to change its syntax keywords from another implementation language.

Cheers,
Rick
(Swarmops: https://github.com/Swarmops/Swarmops)

Hi Falkvinge,

There's no server-side code written in C# yet but it would be really great if someone can achieve that.

WRT crypto code, there's a great bitcoin library written in C#: NBitcoin
I'm almost sure that you can get all the crypto code required by BitId (basically the verification of ECDSA signatures) from this library.
You may contact Nicolas Dorier (maintainer of NBitcoin) to check if you can reuse parts of his code and where to find the relevant code.

WRT BitId code, implementing server-side code is quite straightforward. There are several implementations in different languages:
- Ruby (original code)
- Python
- JS
- PHP

I hope it helps. Do not hesitate if you need more details about the protocol.


Thumbs up here too.
You're welcome
legendary
Activity: 1316
Merit: 1003
That's right, http://vps90685.ovh.net:8080/ is set up to reject all addresses which are not mainnet addresses.
Here is a new instance of the demo app for testnet addresses: http://vps90685.ovh.net:8084/
I just tried the TestNet version and I can confirm that it works like it should. Thanks for keeping those servers up and running.
Thumbs up here too.
newbie
Activity: 31
Merit: 0
I intend to implement this as a 2FA sign-on in Swarmops over the next two weeks. I've never seen _anything_ matching its ease of use.

Is there redistributable server-side code somewhere I can use as a template? My platform is ASP.Net and C#. I would rather not reimplement crypto code, but I am happy to change its syntax keywords from another implementation language.

Cheers,
Rick


(Swarmops: https://github.com/Swarmops/Swarmops)
copper member
Activity: 3948
Merit: 2201
Verified awesomeness ✔
That's right, http://vps90685.ovh.net:8080/ is set up to reject all addresses which are not mainnet addresses.
Here is a new instance of the demo app for testnet addresses: http://vps90685.ovh.net:8084/
I just tried the TestNet version and I can confirm that it works like it should. Thanks for keeping those servers up and running.
sr. member
Activity: 384
Merit: 258
I can confirm the demo on http://vps90685.ovh.net:8080/ works with mycelium wallet, too.

How did you do it? I am unable to get it to work with my mycelium wallet.
Is there a list of android apps which are supporting BitID?

BitId is currently only enabled in the testnet version of mycelium.
We are still discussing whether we want to derive the keys in the exact way we do now.
Note that the example listed above will reject testnet addresses as invalid; in order to test that one I enabled bitid for my prodnet version.
That's right, http://vps90685.ovh.net:8080/ is set up to reject all addresses which are not mainnet addresses.
Here is a new instance of the demo app for testnet addresses: http://vps90685.ovh.net:8084/
hero member
Activity: 707
Merit: 500
I can confirm the demo on http://vps90685.ovh.net:8080/ works with mycelium wallet, too.

How did you do it? I am unable to get it to work with my mycelium wallet.
Is there a list of android apps which are supporting BitID?

BitId is currently only enabled in the testnet version of mycelium.
We are still discussing whether we want to derive the keys in the exact way we do now.
Note that the example listed above will reject testnet addresses as invalid; in order to test that one I enabled bitid for my prodnet version.
hero member
Activity: 905
Merit: 1001
I can confirm the demo on http://vps90685.ovh.net:8080/ works with mycelium wallet, too.

How did you do it? I am unable to get it to work with my mycelium wallet.
Is there a list of android apps which are supporting BitID?
legendary
Activity: 1680
Merit: 1035
I can confirm the demo on http://vps90685.ovh.net:8080/ works with mycelium wallet, too.
Mycelium warns me about the callback using http instead of https, though

(Also, mycelium will not have bitid for prodnet right away. The prototype implementation is just available in the last regular testnet build, and for HD will be working again in the next alpha release on testnet, allowing you to have multiple bitid identities, one for each HD account (or single address account))

I was just about to post that too. Really cool!
sr. member
Activity: 384
Merit: 258
I can confirm the demo on http://vps90685.ovh.net:8080/ works with mycelium wallet, too.
Mycelium warns me about the callback using http instead of https, though
(Also, mycelium will not have bitid for prodnet right away. The prototype implementation is just available in the last regular testnet build, and for HD will be working again in the next alpha release on testnet, allowing you to have multiple bitid identities, one for each HD account (or single address account))
Thanks for the feedback and information!
The warning about http instead of https is a great idea. All websites should use https
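The checks a BitID callback endpoint can run before it verifies the signature, covering three points raised in this thread: which fields arrive in the POST, the plain-http callback warning, and rejecting addresses from the wrong network. This is an added example, not code from the thread or from the BitID project; the field names `uri`, `address` and `signature`, the `x` (nonce) and `u=1` (http callback) URI parameters, and all function names are assumptions, and ECDSA signature verification is left to a Bitcoin library.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MAINNET, TESTNET = 0x00, 0x6F          # P2PKH Base58Check version bytes

# Constructed sample POST: nonce and signature are placeholders; the address is
# the well-known genesis-block address, used only as a valid mainnet sample.
SAMPLE = {"uri": "bitid://example.com/callback?x=fe32e61882a71074",
          "address": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
          "signature": "<base64 signature placeholder>"}

def address_version(addr):
    """Return the version byte of a Base58Check address, or None if malformed."""
    if not addr or any(c not in B58 for c in addr):
        return None
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    zeros = len(addr) - len(addr.lstrip("1"))    # each leading '1' is a zero byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    check = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    if len(raw) != 25 or check != raw[-4:]:
        return None
    return raw[0]

def check_callback(post, callback, pending, allow_http=False, network=MAINNET):
    """Pre-signature checks; returns (ok, reason) and consumes the nonce on success."""
    # Field names are assumed, not taken from the thread.
    if not all(isinstance(post.get(k), str) for k in ("uri", "address", "signature")):
        return False, "missing field"
    u = urlsplit(post["uri"])
    q = parse_qs(u.query)
    if u.scheme != "bitid" or u.netloc + u.path != callback:
        return False, "wrong scheme or callback"
    if q.get("u") == ["1"] and not allow_http:
        return False, "plain-http callback refused"
    nonce = q.get("x", [""])[0]
    if nonce not in pending:
        return False, "unknown or reused nonce"
    if address_version(post["address"]) != network:
        return False, "address not on expected network"
    pending.discard(nonce)             # one-time: a replayed POST now fails
    return True, "ready for signature verification"
```

A real endpoint would consume the nonce only after the signature over `uri` has also verified against `address`.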
hero member
Activity: 707
Merit: 500
I can confirm the demo on http://vps90685.ovh.net:8080/ works with mycelium wallet, too.
Mycelium warns me about the callback using http instead of https, though

(Also, mycelium will not have bitid for prodnet right away. The prototype implementation is just available in the last regular testnet build, and for HD will be working again in the next alpha release on testnet, allowing you to have multiple bitid identities, one for each HD account (or single address account))
sr. member
Activity: 384
Merit: 258
Dark Wallet supports BitID? Do you have a link I can look at?
They do, since their last release (alpha 5)
newbie
Activity: 29
Merit: 0
I'll add it to my list of test platforms with Dark Wallet.

Dark Wallet supports BitID? Do you have a link I can look at?
sr. member
Activity: 384
Merit: 258
Not sure. It's working now, that's the main thing.
Sure. Anyway, it's really great that you've integrated Bitid in the wallet!
Unfortunately, I don't own an android smartphone, so I won't be able to check your android app against future versions of the library but if your web wallet manages bitid, I'll add it to my list of test platforms with Dark Wallet.
Keep up the good work!
Laurent
newbie
Activity: 29
Merit: 0
Not sure. It's working now, that's the main thing.