Topic: FAQ on the payment protocol - page 2. (Read 47080 times)

I never cease to be amazed at how quickly and easily you insult anyone who you disagree with, Peter. It's a nasty habit that limits your effectiveness.

You understood my point perfectly well. You can become your own CA for much less than a few hundred dollars. Are you going to be handling millions of customers with that kind of investment? Duh, no. You can become a miner for a few hundred dollars. Are you going to be making as many blocks as ASICMiner? No.

Basically any activity that involves serious work turns into a market, and that market often ends up with big players. That does not make it less of a market.

If you think all the existing players in that market suck, go ahead and shake it up, just like StartSSL did.

As to revocation - we'd have to see what the browser makers do if/when a really large CA turns out to be routinely minting fake certs. So far if it's happening it has never been detected. Certs are a commodity, any CA can make one, so there's no particular reason to hold back. They can and have scheduled end dates for CA's to be revoked in the past, as they did with DigiNotar which was widely used in the Netherlands. It means people get a couple of months to buy a new cert from somewhere else, then browsers get updated and any site that fell behind sees errors. Painful for the people using the revoked CA but not infeasible.

But even if browser makers decided not to do that for some reason, wallet developers could certainly make different decisions. There's no requirement to use the same policies.

Lol.

I like how you're dumb enough to compare mining, a industry with barriers to entry of as little as a few hundred dollars, (including paid time) to a industry where to make any money at all you have to convince some large user-base to adopt your product. Mozilla has 57 trusted root CA's, and the majority of those are very niche ones from large corporations and government-sponsored CA's. As for the "free-market" ones, you've got Symantec with 42% market share, Comodo Group with 26%, and Go Daddy with 14%, and GlobalSign with 7.7% - the four largest companies in the industry have 90% of the market. Not exactly a sign of a competitive free-market at work.

The reality is if Symantec was told to create some fake certificates because the FBI needed to confiscate some Bitcoins they would do as they were told. More importantly doing that wouldn't get them blacklisted because of their 42% market share - no browser is going to break almost half of the sites their users need access to.


You know, you've really got a way of arguing that's remarkably good at undermining your own position. I kinda like the payment protocol, and I want to see it implemented in it's current form so we've got something to use while better solutions for the CA problem are developed; please go away and let more reasonable people talk about it and the nuances involved before you turn public opinion against it.

CA's verify DNS names and registrars are supposed to have policies in place to stop this kind of attack. But CA's are expected to also have some way to spot such attacks. For instance see here:

https://bugzilla.mozilla.org/show_bug.cgi?id=711366

Search for "homograph" and you can see how Atos plans to handle it. Their solution probably works, but it requires human intervention. This is the kind of reason there are fees attached to getting a cert - it represents actual work.


It should! Anyone can be a miner, in theory. In practice these days it requires some skill, time and capital investment, which is why it's done for profit.

Signing identities is the same. Anyone can do it. You can do it right now, just run a few openssl commands and you made yourself a root CA. But doing it well takes some effort, time and investment, which is why it's done for profit.

If you can't see the parallels, look closer.

Sure I will rely on some rumor about some Japanese company called MtCocks Co. Ltd [JP]...   

Given there are quite some voices of doubt in the community (see Hyena above) the question is does this have to go into the standard client right from the beginning?

Maybe this topic should be:
"VOTE on the payment protocol and the CA system to be included in standard client"

If you have DNSSEC you don't need the CA infrastructure for domain name validation. However DNSSEC does not remove CA's. It just merges them with DNS registrars instead. You can't pin certs to domains without that because otherwise, DNS itself can be MITM'd.

Rogue/forced CA's can be detected once cert transparency is online and rolled out. It will take a long time to upgrade everything, but when it's done certs can't be issued in secret anymore, which means bogus actions by a CA can be detected.

Anyway, as pointed out a million times already, the NSA are not going to forge payment requests from Amazon. This just isn't something they're going to care about. Lots of other types of criminals DO care about it, but the CA system is designed to handle those kinds of attackers, who are the ones we really care about. The NSA would be interested in snooping around, but payment requests don't give them any more info than they already have.

Well, direct them to this thread. It's titled "FAQ on the payment protocol" for a reason. And it goes in depth on why PGP doesn't work for this. I'd hope that this thread can put it to bed once and for all.


These points are sound. However, the second point leads to the question "why not do a decentralised method to start with?" to which the answer of course is complicated, but boils down to "the CA infrastructure is not actually centralised". So even though the payment protocol leaves choice of PKI open, I don't make the last point anymore because it just leads people round in circles.

Ultimately this stuff boils down to the same arguments that go around endlessly about Bitcoin scalability. If running a Bitcoin node is "hard" where "hard" is left vague and undefined, is Bitcoin now "centralised"? The language is too vague to achieve any reasonable debate. The fact is that literally anyone can run a CA, the very name "authority" is meaningless in that sense, but running one well is quite hard for fundamental reasons. That's why Verisign run a CA and you don't - because you would suck at it. If you stopped sucking at it, then you'd be doing it professionally, at which point you would probably need to charge fees and then people would decide you're an authoritarian Pillar of Centralisation. Back to square one.

The payment protocol is in some sense doomed to be like the question, "do ASICs make bitcoin centralised?". I still see that come up repeatedly. People who enjoy flaming forums will never be satisfied, everyone else will just get on with it.

I hate the CA system. As merchant I don't want to pay to some CAs just to have them confirm who I am. I use self signed certificates when necessary. Bitcoin ALREADY HAS message signing. USE THIS.
By just looking at BIP it disgusts me. I really hope you're not going to change the underlying bitcoin protocol to introduce your bip. Better start using namecoin, really!

Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System" Paragraph 2.

So could it be extensible to Namecoin stored self-signed certificate fingerprints?

Getting wedded to the broken CA system is a poor idea and your petulant non-rebuttals so far make me wonder if you already know you are on a hiding to nothing on this one.

What about certificate pinning to domains? MITMs with the co-operation of a rogue or forced CA will have very limited effectiveness.

I wrote a post on adding OpenPGP to the payment protocol the other day.

In all fairness, it has become a FAQ.  Given NSA/PRISM fun, it seems likely to remain so, no matter the hard evidence.  I got several variants of this question/complaint at the Atlanta crypto-currency conference, and reddit mirrored more of the same.

The core points I like to mention are

• There is a high likelihood that SSL & standard CAs are being used anyway.  It is probably a browser launching a payment from an https:// supplied page
• The payment protocol does not mandate SSL + standard CAs.  Other methods, including decentralized methods, are possible.

Perhaps it would be a good idea to specify a decentralized example.  PGP comes to mind, or a self-signed ECDSA scenario of bitcoin address or SIN.

Believe in whatever wild conspiracy theories you like. There's no way I can give a good rebuttal to things that aren't happening. The rationale for these changes has been laid out in detail. If you think you found a government-proof way to achieve the same goals without the CA infrastructure, please do go ahead and implement it.

Even with the cooperation of the core devs I don't see that being effectively enforced. How do you make all the Chinese, Russian, and European miners and nodes play ball?

But in the final analysis you are bolting on "just trust us we're the good guys" payment protocol onto a labelled "trust no-one currency system".

Sounds like a bait and switch. The CA system is prime for MITM because it introduces a third party into every secure connect negotiation, it is complex enough to seem like it must be secure if you don't dig down into it ... but it is broken as all fuck and that's why the NSA loves and pushes it endlessly, eh Mike?

I'm just counting the days until ALL bitcoin transactions are going to be required by legal or regulatory measures to be via the surveillance dragnet payment protocol ... it's pretty transparent where this is heading.

Edit: ""We have over 960 Ph.D.s, over 4,000 computer scientists, over a thousand mathematicians." -Gen. Keith "Starship" Alexander - NSA

If you go to mtgox.com then you see MtGox Co. Ltd [JP] in the browser address bar (on Chrome). So if someone told you about this Japanese company called Mt Gox then you know you're at the right place and the website was verified as being owned by a real company with that name.

For newish companies that were born on the net usually their domain name IS their identity, but there are lots and lots of organisations in the world that aren't like that.


With the CA system that's not "Bad luck" it's a failure that would get investigated, at least in theory.

With Namecoin, sure, it's just bad luck. You lose your money. That's kind of the outcome we DON'T want, right?


And back in reality the companies main domain is betterexchange.com and they may or may not use NameCoin, so you're back to square one - you don't know if you're talking to the real owner or not.


Yes, brilliant, they "solve" the problem by simply not supporting any alphabet other than the English alphabet. That's not a solution, that's a cop-out.


It's a free market for providers that are unified by common cryptographic protocols. Does that remind you of something? The market for mining blocks, perhaps?

Not namecoin alone.  Namecoin is just a storage method.

Wait a minute. How do people go to mtgox? They enter "mtgox.com" in their browser and trust their system to take them to the right place. From the little I know about the current CA system I guess the browser asks the CA server for a certificate fingerprint or something so I get a green lock icon or something if I am talking to a server with matching cert.

So in fact a little string is all that counts.

Probably most people even go there the first time by clicking some random link on the internets. If you fall for rntgox.com or some special character trick - bad luck. If the fake site is good and has a certificate for rntgox.com or even for "MtGox Corp. Lim. (cn)" - bad luck.

Again it's the little string that counts and the cert helps little.

If a company's main domain is betterexchange.bit with Namecoin TLS you can be more certain than with the current CA system that you are talking the server that you want to (assuming a strong implementation).

Not sure if this is being enforced currently in Namecoin but a string of simple characters is an ok solution imho.

The identity problem can be solved with Namecoin. Trust is the hard part but I'm sure it is possible and will come.

edit: I'm not saying the payment protocol should be implemented only with Namecoin domains/ids right now. But somehow I have a dislike against the current CA system, especially in combination with Bitcoin. It is just unbitcoinish.

Please do re-read the FAQ. It talks about how ways that problem is being tackled. Obviously SSL is important enough that people aren't going to just shrug and give up on it.

Also, the world would notice quickly if there were bulk MITM attacks happening. The leaked documents have mentioned MITM attacks, but they were also mentioned as being highly targeted and not a dragnet. If the NSA have managed to break SSL in bulk it's not due to the CA system but rather their rumoured 2010 cryptanalytic breakthrough.

To be honest I'm tired of this argument. If you've got something better, show us. So far 100% of the proposed alternatives have massive gaping holes in them, with no clear path to a fix.

So cosy right on up to the NSA's CA system and we'll all be just swell then?

http://security.stackexchange.com/questions/38199/can-a-nation-state-adversary-perform-a-mitm-attack-by-compelling-a-ca-to-issue-t

What's that saying about the "power of the illusion of security ..."?