
Topic: [BTC-TC] Virtual Community Exchange [CLOSED] - page 100. (Read 316652 times)

legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
You could use btc-otc for people already active there, or just insist that all issuers be active there and use those keys. Either way you don't have to worry about creating and distributing the keys yourself.

As far as the compromised key issue, all I can think of is getting another server to sign a timestamp + btct.co data at the cost of another extra step. Depending on how the mail system is set up now (I'm assuming one for trading activity that tells a mail server to send things), and assuming rooting one wouldn't mean definitely or possibly owning both servers, you could have the trade machine sign transaction data and the mail server sign data+timestamp. Then as long as both servers aren't rooted you can't forge a timestamp that supersedes the correct data.

I'm thinking I'll create a key pair for all issuers when the security is created, then let them override it if they want.  That way the users with existing keys should be good to go.

The mail setup would have to be altered significantly to do the staged signing, but it's a great idea.  I'll have to think about it a bit.

Cheers.


legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
Burnside, did you change anything with the CSS just now? In IE I now get this:

http://imgur.com/kgQK8SS

Looks good in FF, though.

.b

What's wrong with that?  Looks great to me!   Grin

Problem seems to be that all of a sudden IE wants to render it in compatibility mode.  (compatible with what?  IE 3?)

I added some code in the header and it seems better now.

Code:

Cheers.
sr. member
Activity: 389
Merit: 250

No, the asset issuers get lists sent to them every 12 hours, so if you're in the list, you're good to go.  This does suck somewhat if you made a trade in the meantime so I have been exploring other options for users to be able to prove trades using the emails that get sent out.  Basically will require the site to gpg sign trade emails I suspect.

What I haven't figured out yet is how to give you a gpg signed copy of your trade that the issuer could use as a diff against their copy of the asset holders.  For them to be able to use it, the copy of your trade would need to have both your account and the other user's account in the trade data.  I can't really send out info about the other user, so that's kind of where I'm stuck right now.

Cheers.



Ah. Thanks for the clarification. What would be the problem with sending an updated list to an asset holder after every trade involving his or her asset?

That'd be a lot of emails.  Wink  Way too many on most assets.
Why not send the following data: (add or subtract to your liking)

GPG(Btct.co key)-Sign({trade:{time:, asset:, qty:<+-number traded based on buy/sell>, bal:}
,info:{GPG(issuers key)-encrypt({nonce:, user:, from:{0:{user:, qty:},{user:.., qty:..}} ) }

No new emails are required (but some extra processing and data per email, and extra work for issuers, but that's true in any system). This transmits (securely) everything the buyer needs to prove they have new shares (asset name, how many, how many they have now). The issuer (but not the buyer or seller) can decrypt the portion containing everything about what user(s) sold their shares and how many. Userids are linked to the email that's normally sent out. The nonce assures correct ordering of separate transactions (even if the timestamp is identical), and allows the issuer to know at least how many transactions are missing based on holes from the highest nonce (but not later transactions with higher nonces). The nonce should also be included in the emails so the issuer knows where the next one starts (generating the email should increment and get its own unique nonce to create a clear before and after, no >=/<= confusion). Additionally, if you wanted to, the encrypted portion could also contain data for n previous transactions (not including ones before the email if one was sent just before the emailed txn) to help fill in the pieces faster for issuers, but increasing overhead and complexity of server side code.

Only issue that's glaring at me is if the key is compromised then there's no way to verify anything, but that's a larger problem anyway.

That's a great idea, issuing a key per issuer.  No real flaws as far as I can tell.

I've thought about the compromised key issue a bit.  Things always get ugly if the box gets rooted.

Thank you for that!
You could use btc-otc for people already active there, or just insist that all issuers be active there and use those keys. Either way you don't have to worry about creating and distributing the keys yourself.

As far as the compromised key issue, all I can think of is getting another server to sign a timestamp + btct.co data at the cost of another extra step. Depending on how the mail system is set up now (I'm assuming one for trading activity that tells a mail server to send things), and assuming rooting one wouldn't mean definitely or possibly owning both servers, you could have the trade machine sign transaction data and the mail server sign data+timestamp. Then as long as both servers aren't rooted you can't forge a timestamp that supersedes the correct data.
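
An added example, not part of any post in this thread and not btct.co code: a Python sketch of the staged signing and the nonce ordering proposed above, showing that a record forged with only the trade server's key is rejected and that the issuer can list nonce holes. HMAC-SHA256 with constructed keys stands in for the GPG signatures, the issuer-encrypted portion is omitted, and all function and field names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC-SHA256 is a stdlib stand-in for the GPG
# signatures in the thread; a real deployment would use asymmetric keys so
# issuers verify with public keys only.
TRADE_KEY = b"constructed-trade-server-key"
MAIL_KEY = b"constructed-mail-server-key"


def canon(obj):
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def trade_server_sign(trade):
    """Stage 1: the trade machine signs the transaction data (nonce included)."""
    return {"trade": trade, "trade_sig": mac(TRADE_KEY, canon(trade))}


def mail_body(record):
    """Bytes covered by stage 2: data, stage-1 signature and timestamp."""
    return canon({k: record[k] for k in ("trade", "trade_sig", "ts")})


def mail_server_sign(record, timestamp):
    """Stage 2: the mail server adds a timestamp and signs data + timestamp."""
    stamped = {**record, "ts": timestamp}
    return {**stamped, "mail_sig": mac(MAIL_KEY, mail_body(stamped))}


def verify(record):
    """Accept only if both stages verify, so one stolen key is not enough."""
    try:
        ok_trade = hmac.compare_digest(
            record["trade_sig"], mac(TRADE_KEY, canon(record["trade"])))
        ok_mail = hmac.compare_digest(
            record["mail_sig"], mac(MAIL_KEY, mail_body(record)))
    except (KeyError, TypeError):
        return False  # missing or malformed field
    return ok_trade and ok_mail


def missing_nonces(records):
    """Holes below the highest verified nonce; unverified records are ignored."""
    seen = {r["trade"]["nonce"] for r in records if verify(r)}
    if not seen:
        return []
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)
```
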
sr. member
Activity: 294
Merit: 250
http://coin.furuknap.net/
Burnside, did you change anything with the CSS just now? In IE I now get this:

http://imgur.com/kgQK8SS

Looks good in FF, though.

.b
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer

No, the asset issuers get lists sent to them every 12 hours, so if you're in the list, you're good to go.  This does suck somewhat if you made a trade in the meantime so I have been exploring other options for users to be able to prove trades using the emails that get sent out.  Basically will require the site to gpg sign trade emails I suspect.

What I haven't figured out yet is how to give you a gpg signed copy of your trade that the issuer could use as a diff against their copy of the asset holders.  For them to be able to use it, the copy of your trade would need to have both your account and the other user's account in the trade data.  I can't really send out info about the other user, so that's kind of where I'm stuck right now.

Cheers.



Ah. Thanks for the clarification. What would be the problem with sending an updated list to an asset holder after every trade involving his or her asset?

That'd be a lot of emails.  Wink  Way too many on most assets.
Why not send the following data: (add or subtract to your liking)

GPG(Btct.co key)-Sign({trade:{time:, asset:, qty:<+-number traded based on buy/sell>, bal:}
,info:{GPG(issuers key)-encrypt({nonce:, user:, from:{0:{user:, qty:},{user:.., qty:..}} ) }

No new emails are required (but some extra processing and data per email, and extra work for issuers, but that's true in any system). This transmits (securely) everything the buyer needs to prove they have new shares (asset name, how many, how many they have now). The issuer (but not the buyer or seller) can decrypt the portion containing everything about what user(s) sold their shares and how many. Userids are linked to the email that's normally sent out. The nonce assures correct ordering of separate transactions (even if the timestamp is identical), and allows the issuer to know at least how many transactions are missing based on holes from the highest nonce (but not later transactions with higher nonces). The nonce should also be included in the emails so the issuer knows where the next one starts (generating the email should increment and get its own unique nonce to create a clear before and after, no >=/<= confusion). Additionally, if you wanted to, the encrypted portion could also contain data for n previous transactions (not including ones before the email if one was sent just before the emailed txn) to help fill in the pieces faster for issuers, but increasing overhead and complexity of server side code.

Only issue that's glaring at me is if the key is compromised then there's no way to verify anything, but that's a larger problem anyway.

That's a great idea, issuing a key per issuer.  No real flaws as far as I can tell.

I've thought about the compromised key issue a bit.  Things always get ugly if the box gets rooted.

Thank you for that!
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
There shouldn't be any problem security side (all modern browsers isolate iframed stuff on external domains), but I guess people don't like chat / trollboxes on stock exchanges Tongue

There's always #bitcoin-assets on Freenode.  Wink
sr. member
Activity: 349
Merit: 250
There shouldn't be any problem security side (all modern browsers isolate iframed stuff on external domains), but I guess people don't like chat / trollboxes on stock exchanges Tongue

Even if the iframed stuff is isolated, it is still embedded and the html/flash/java within the iframe is executed.

I just need to hack the chat provider and I can have any content displayed within the iframe. Great for malicious code/java/etc.

And everything of that is beyond the control of the owner/admin of btctc.

sr. member
Activity: 389
Merit: 250
There shouldn't be any problem security side (all modern browsers isolate iframed stuff on external domains), but I guess people don't like chat / trollboxes on stock exchanges Tongue
Between security concerns (founded in truth, founded in paranoia, or unfounded) and potential to be seen as a spambox I'm not sure everyone would enjoy it at all. It could be possible to make a browser plugin to add boxes to sites that could use this as an initial offering. Taking the far end of an opt-in system.
sr. member
Activity: 389
Merit: 250

No, the asset issuers get lists sent to them every 12 hours, so if you're in the list, you're good to go.  This does suck somewhat if you made a trade in the meantime so I have been exploring other options for users to be able to prove trades using the emails that get sent out.  Basically will require the site to gpg sign trade emails I suspect.

What I haven't figured out yet is how to give you a gpg signed copy of your trade that the issuer could use as a diff against their copy of the asset holders.  For them to be able to use it, the copy of your trade would need to have both your account and the other user's account in the trade data.  I can't really send out info about the other user, so that's kind of where I'm stuck right now.

Cheers.



Ah. Thanks for the clarification. What would be the problem with sending an updated list to an asset holder after every trade involving his or her asset?

That'd be a lot of emails.  Wink  Way too many on most assets.
Why not send the following data: (add or subtract to your liking)

GPG(Btct.co key)-Sign({trade:{time:, asset:, qty:<+-number traded based on buy/sell>, bal:}
,info:{GPG(issuers key)-encrypt({nonce:, user:, from:{0:{user:, qty:},{user:.., qty:..}} ) }

No new emails are required (but some extra processing and data per email, and extra work for issuers, but that's true in any system). This transmits (securely) everything the buyer needs to prove they have new shares (asset name, how many, how many they have now). The issuer (but not the buyer or seller) can decrypt the portion containing everything about what user(s) sold their shares and how many. Userids are linked to the email that's normally sent out. The nonce assures correct ordering of separate transactions (even if the timestamp is identical), and allows the issuer to know at least how many transactions are missing based on holes from the highest nonce (but not later transactions with higher nonces). The nonce should also be included in the emails so the issuer knows where the next one starts (generating the email should increment and get its own unique nonce to create a clear before and after, no >=/<= confusion). Additionally, if you wanted to, the encrypted portion could also contain data for n previous transactions (not including ones before the email if one was sent just before the emailed txn) to help fill in the pieces faster for issuers, but increasing overhead and complexity of server side code.

Only issue that's glaring at me is if the key is compromised then there's no way to verify anything, but that's a larger problem anyway.
vip
Activity: 1316
Merit: 1043
👻
There shouldn't be any problem security side (all modern browsers isolate iframed stuff on external domains), but I guess people don't like chat / trollboxes on stock exchanges Tongue
sr. member
Activity: 349
Merit: 250

+1

Especially not by embedding/iframing 3rd party sites you have no control of like proposed above.
legendary
Activity: 938
Merit: 1000
What's a GPU?
hero member
Activity: 518
Merit: 500
You should add a trollbox to your site! You can use CoinChat - simply iframe it with the "j:yourroom" part so they'll automatically be in your room. If you create it, you have full moderation powers like kicking people.

Some third party clients for coinchat:

http://chromaticcreative.net/bitcoin/moobot/flatapp.php#

http://whiskers75.github.io/whiskchat/index.html

They're all responsive and can fit into any size.

Please don't add chat.
vip
Activity: 1316
Merit: 1043
👻
You should add a trollbox to your site! You can use CoinChat - simply iframe it with the "j:yourroom" part so they'll automatically be in your room. If you create it, you have full moderation powers like kicking people.

Some third party clients for coinchat:

http://chromaticcreative.net/bitcoin/moobot/flatapp.php#

http://whiskers75.github.io/whiskchat/index.html

They're all responsive and can fit into any size.
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer

No, the asset issuers get lists sent to them every 12 hours, so if you're in the list, you're good to go.  This does suck somewhat if you made a trade in the meantime so I have been exploring other options for users to be able to prove trades using the emails that get sent out.  Basically will require the site to gpg sign trade emails I suspect.

What I haven't figured out yet is how to give you a gpg signed copy of your trade that the issuer could use as a diff against their copy of the asset holders.  For them to be able to use it, the copy of your trade would need to have both your account and the other user's account in the trade data.  I can't really send out info about the other user, so that's kind of where I'm stuck right now.

Cheers.



Ah. Thanks for the clarification. What would be the problem with sending an updated list to an asset holder after every trade involving his or her asset?

That'd be a lot of emails.  Wink  Way too many on most assets.
full member
Activity: 143
Merit: 100

No, the asset issuers get lists sent to them every 12 hours, so if you're in the list, you're good to go.  This does suck somewhat if you made a trade in the meantime so I have been exploring other options for users to be able to prove trades using the emails that get sent out.  Basically will require the site to gpg sign trade emails I suspect.

What I haven't figured out yet is how to give you a gpg signed copy of your trade that the issuer could use as a diff against their copy of the asset holders.  For them to be able to use it, the copy of your trade would need to have both your account and the other user's account in the trade data.  I can't really send out info about the other user, so that's kind of where I'm stuck right now.

Cheers.



Ah. Thanks for the clarification. What would be the problem with sending an updated list to an asset holder after every trade involving his or her asset?
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
what will happen in case of domain seizure? are you on multiple servers?

It's not a .com, so in theory the US shouldn't seize it.

The site's spread across multiple servers, but not multiple geographic locations.

The servers are backed up offsite frequently.  But honestly, if they're seized by the gov't wherever they're located, we have bigger problems than getting back online and at that point issuers are most likely going to need to use their regularly issued asset holder lists to transition to another site.

Let's hope it never comes to that, and we'll do everything we can to avoid it, but you never know.

Cheers.


How would I go about proving ownership of certain stocks if the site was taken down? Is there something in my account that I should be downloading on a regular basis?

No, the asset issuers get lists sent to them every 12 hours, so if you're in the list, you're good to go.  This does suck somewhat if you made a trade in the meantime so I have been exploring other options for users to be able to prove trades using the emails that get sent out.  Basically will require the site to gpg sign trade emails I suspect.

What I haven't figured out yet is how to give you a gpg signed copy of your trade that the issuer could use as a diff against their copy of the asset holders.  For them to be able to use it, the copy of your trade would need to have both your account and the other user's account in the trade data.  I can't really send out info about the other user, so that's kind of where I'm stuck right now.

Cheers.

full member
Activity: 143
Merit: 100
what will happen in case of domain seizure? are you on multiple servers?

It's not a .com, so in theory the US shouldn't seize it.

The site's spread across multiple servers, but not multiple geographic locations.

The servers are backed up offsite frequently.  But honestly, if they're seized by the gov't wherever they're located, we have bigger problems than getting back online and at that point issuers are most likely going to need to use their regularly issued asset holder lists to transition to another site.

Let's hope it never comes to that, and we'll do everything we can to avoid it, but you never know.

Cheers.


How would I go about proving ownership of certain stocks if the site was taken down? Is there something in my account that I should be downloading on a regular basis?
legendary
Activity: 1106
Merit: 1006
Lead Blockchain Developer
Hey man, one quick suggestion.  I know it isn't a priority at all, so when you get to it you get to it.

On Havelock they have it display the USD value of whatever BTC value you are looking at when you mouse over and hold it there for a second. 

While I do track everything in BTC, it eliminates one step when trying to determine the value relative to USD.

Thanks for everything on the exchange, I love it!

I've actually thought about doing that.

It'd be easy to make every BTC value display with a hover popup that'd show LTC and USD.  Unfortunately doing anything with USD would conflict with the "everything is virtual" verbiage everywhere.

Cheers.
member
Activity: 117
Merit: 10
Hey man, one quick suggestion.  I know it isn't a priority at all, so when you get to it you get to it.

On Havelock they have it display the USD value of whatever BTC value you are looking at when you mouse over and hold it there for a second. 

While I do track everything in BTC, it eliminates one step when trying to determine the value relative to USD.

Thanks for everything on the exchange, I love it!