Topic: Invoices/Payments/Receipts proposal discussion - page 10. (Read 24658 times)

Can somebody quote my questions, please ?

Gavin probably has me on his ignore list again. And i really want my questions answered.

@Gavin

I tried to be as constructive & reasonable as possible (and no shouting/emphasing/whatever).
I am getting any of my questions answered ?

Once again, the questions were:

Do you even have any idea what you're talking about here? What do you think the payment protocol does? Or, stated another way why the histrionics. If you don't like it, just don't use it. It doesn't do anything if you don't use it.

Yes please ignore me cause I was clearly the one being rude in this thread. The project leader couldn't defend his protocol, and was clearly being rude. Just cause I don't bow down to Gavin and his almighty coding power does make me rude. I don't get why me attacking some person being rude, is causing dev core members to not to reply in this sub-forum. I never really reply on this sub-forum so it is clearly not me. The funny part is people are emailing me cause I speak the truth and they don't want to be ignored out of this community so it really goes two ways. How am I treating people poorly when Gavin lost his cool under the defense of his protocol. Obviously that is the more important question, but spin that how you want.

Most of you are volunteers I know that, but you have to have some holdings in bitcoins, or do you not use bitcoin at all and just work on the software? So you are getting rich cause you want to advance bitcoin software.

Yes please ignore me everyone, that is how you get smart people to move on from this forum.

There should have been a poll or something about the payment protocol and other features to go into the satoshi client much earlier. Now it is too late and we will vote the hard way.

In my opinion the CA system is bad and there are many things more important than the payment system. On the other hand side this is a great opportunity for Bitcoin to diversify into several independent client versions.

Case in point.
Yes, as I said, this subforum is generally lower in nonsense than the rest of the forum.

Again, please feel free to state concerns, but if you regularly cannot manage to do so in a polite, adult manner I'm going to have to ask you to leave.

Back to the thread subject, the limitations of the CA infrastructure have been extensively discussed both in this very thread and in the older bitcoin-development thread. I agree that the CA infrastructure is lame, but the world doesn't really have any good PKIs.

Fortunately, the way the payment protocol is designed the CA infrastructure being potentially weak isn't all that critical, as payment messages can be sent directly between buyers and sellers over whatever secure channel they already have. An evil CA cannot do as ShadowOfHarbringer suggests, it cannot prevent people from transacting with each other even inside the payment protocol (of course, the option of just not using it would work too), nor can it produce completely undetectable forgeries, nor could it impersonate anyone _at all_ unless it could already impersonate your secure communications channel. As far as I know the x.509 support does in the payment protocol is create a non-reputable signature for invoices for messages which you would be sending over a secure channel anyways.

If a community of users (now or in the future) prefers to send their payment messages with external PGP signing— because they don't even trust the CA infrastructure for non-repudiation—, they can do that instead of or in addition to the x.509 key signing.

Perhaps something good come of this. It might be worth bringing somebody on via the Foundation to help demystify some of the protocol spec, and the new developments. Demystifying some of the core stuff will lead to better discussion, and perhaps avoid misconceptions like these.

Why should I be banned cause I posted my opinions and they aren't what you want to hear? The guy asked how this "payment protocol" is not going to be how current PKIs work which means their is a single point of failure or and easy privacy hole. He didn't ask for support, he asked a question to better this specific protocol. I personality think it was a good question. It is a shame Gavin has no answer and was really rude to him and this community. I put a lot of work into bitcoins, just cause I don't write the reference client does that mean my work is any less? I guess by that logic Mike Hearn hasn't done anything to help bitcoin as well. Why should I write an alternative protocol spec for a feature I think it is going to be a huge bug in the system. Hence why I don't update the reference client really anymore.

Ignore seems like a good idea.  . Ha ha. I wish the open-source life was rich and glamorous. This is pretty accurate:

Your incivility is going to scare off the actual technical people from responding on this forum. Already several of them don't, which I think is sad... relatively to the rest of the forum the technical sub-forum is mostly low rubbish.

Treating other people poorly has the effect of silencing their opinions here. It's possible to state just about any opinion without being excessively rude about it, but it seems is nearly impossible there to continue a conversation with some forum members while retaining a bit of human dignity.

Most of us are unpaid volunteers. Nothing I do with development makes me rich. This kind of ignorance just multiplies the offensiveness of your misplaced attacks.

FWIW, I didn't notice the attacks in this thread until someone reported-to-mod them because I had both Gweedo and ShadowOfHarbringer on ignore (though I've been considering removing the latter one lately). I strongly recommend everyone else use ignore aggressively, it can actually be pretty effective.  Even though I do ultimately end up clicking on much of what I've ignored, I find the extra clickthrough to be a good reminder that I've already written that poster's opinions off, and that I expect them to say some hurtful uninformed nonsense. It's less shocking when I find what I expect.

This guy needs to be banned from the forums. Agree with Gavin or not he deserves your respect for the work he has put into the Bitcoin source. If you don't agree then write an alternate protocol spec yourself.

Can you show me where in the Bitcoin TOS were it says that Gavin must provide support for you?

Gavin you ok?

I see. Well, the bricks and mortar businesses can at least prove that you're not subject to attacks that target key exchange as it happens (as in web transactions), but I guess we're trusting that said business hasn't had their wallet software compromised before the transaction is initiated.

It is only useful if you have separate channel to verify the PIN/SAS (similar to Bluetooth pairing), like in the restaurant where you can visually verify it.

Sounds like what I'd prefer.

Why not implement ZRTP as 2 party "trustless", then make a clear distinction between the two payment methods? I already trust Bitpay not to scam me, I have no problem with continuing to accept that risk at my end of the deal as a way to protect association of my public keys with my identity.

Wait so you agree Gavin should be rude to people that make him rich because they use bitcoins. Also since I working on startups and helping people get started in bitcoin I guess that isn't as good as people who write the reference client right? I work harder on bitcoin in a way to get more people involved instead of writing code, and just making myself rich. I am making the community richer.

For people seeking trustless key exchange algorithm: it has been already invented (i.e. you can avoid MITM attack without relying on PKI) - ZRTP could be easily adapted to bitcoin payments, changing SAS authentication string to PIN , for example, as it can be only 16 bit number. However, you would have to trust the merchant not to scam you. I don't see the problem with this in restaurant/bar scenario.

Gweedo, I think you're being rude.

Until you're willing to put up time and effort developing code, don't harsh on someone who does.

That said, I don't think Bitcoin needs SSL for any security purpose, and should not rely on it for any security purpose.  If we need it at all, it's for purposes of making it easy for websites to accept bitcoin payments using a system they already know how to use and already have set up.  But I don't see how we can do that unless the communications are otherwise unsecured (ie, insecure), so I don't really think it's a good idea.

Short answer; I don't think you'll be able to order things directly from Amazon.com using Bitcoin until this is done.  But if we have it at all, I don't think you'll be able to order things from Amazon.com with any security greater than it provides now.  And, in fact, even less, because if you use it with a bank, credit card, etc, you can always reverse bogus charges.  With Bitcoin that isn't, and won't, be possible.  

Because Bitcoin has a higher security requirement in the first case, due to its non-repudiability, I don't think that SSL is adequate to secure Bitcoin payments.  It's okay for payments you can challenge or reverse, but it's not okay for Bitcoin.  The right answer is that Amazon.com and company need to man up and accept some genuinely secure protocols to process payments.

Bear

Not necessarily a bad thing, it depends what the message is!

SatoshiDice is the classic example. They were using lots of single Satoshi transactions as a way of proving the validity of their bets. Blockchain space got gobbled, Bitcoin devs had to contemplate how to dissuade them from doing this. They weren't sending money for the purpose of someone else receiving that money, they were doing it as a way to send a message that had the effect of providing evidence of the trustworthiness of their betting system.  

Payments Protocol solves this problem, but also gives the person who draws up the payments request the option to have the message authenticated by a CA. This is where your own personal details might get associated with the public key you use to pay that person. In a webshop -> customer transaction, the webshop might include the product, and a confirmation of the Name & Address to deliver to. The information in the message is all under their control, and we now know this can be slurped by the CA, and in turn by our friends at the NSA.

There's no reason to assume the payment requester to disclose details that identify either you or your purchase items in the Payments Protocol message, this is not mandatory to the protocol (I hope!). Although, the merchant requesting payment should choose something useful to the user, and relevant to the transaction. Imagine buying from a webshop, confirming the order, being presented with a payment request message triggered in your Bitcoin client, and the message being completely or nearly blank! It would seem a little strange, you'd wonder if the Payment had been successfully attacked and you were sending your money to an attackers address (the attacker's method maybe didn't or couldn't copy the message into their spoof message).

And so there lies the rub, you can kind of assume that the more correct information about the transaction that the merchant includes, the more convinced the end user will be that they're accepting a request to pay from who it's supposed to be from. And hence the more information for the NSA to slurp.

Go back to the foundation forums where everyone pays to kiss your feet. It is sad you can't address concerns of user of the client, that make the price $171 which makes you rich. Greedy Dev core members that is all they are, they do nothing to advance bitcoin.