Topic: Invoices/Payments/Receipts proposal discussion - page 15. (Read 24728 times)

...and then people set up fake merchant identities and countless fake customer identities, and bump up their own trust ratings as high as they want before each scam.  The best way to prevent this from happening is to elect third parties that are trusted by lots of people, to check identities before letting them into the system... oh wait, I just described the CA system...

The CA system isn't perfect, but those who succeed in breaking it are usually high profile (like Mike Hearn was saying: state-sponsored, etc), and they're not going to waste their time stealing the $42 I paid BitBrew for some coffee.  But using self-signed certificates, anyone in the coffee shop with me can MitM me if they, perhaps, set up their system with the same SSID and I mistakenly connect through them when making my purchase.

Anything that is big enough to be worth stealing on a massive scale is usually done through direct merchant-customer interaction -- you don't usually buy a $17,000 car on the internet with your credit card... such large transactions usually use a second-level (or more-reliable) form of authentication beyond CAs.  For "regular"-sized purchases, it makes complete sense to piggyback off of a "complete" system that is already in place, for which everyone who's ever bought anything on the internet is already capable of using.

One good thing about Bitcoin is that there is not something like a credit card number to steal.  The worst someone can do is redirect a given transaction, but nothing like getting your CC number and draining your available credit, leaving you to spend hours on the phone with credit agencies trying to restore your "trust."  Therefore, a passive eavesdropper who is able to decrypt the payment stream cannot directly benefit like they would with credit card transactions:  with CC, they decrypt and steal databases of CC numbers and sell them on the black market (probably with BTC).  But getting a database of past transactions executed in this way (via BTC) does not offer the attacker anything.  

Doesn't namecoin solve this problem?

It's a problem easily solved: forget centralized certification and commoditize the actual trust itself. Like eBay feedback points. Every transaction completed to the satisfaction of both parties then credits each party with a new unit of "trust". You would make a public record of it, to establish a picture of how trust in major transaction hubs changes over time. At least then the relative trustworthyness of actors in the system is given an actual value, instead of the current situation of a qualitative notion of trust in the certificate authorities.

Edit: and yes, I know that doesn't help out with implementing an integrated signed Invoices and Receipts system. I'm saying it's a solution searching for a problem. I don't need to prove my receipt of purchase from a website using the Bitcoin client, the merchant website can record that in my account already. Ditto the invoices. Why does Bitcoin need to provide this when merchant websites can (and already successfully do)?

I think Receipt is only a "soft" receipt. It signifies only a receipt of valid payment message, not the funds. Hence evil customer may still try a double spend after getting the receipt. The "hard" receipt should be provided only after N confirmations. On the other hand, a real world merchant usually provides receipt when receiving banknotes that appear genuine, even if they may later turn out counterfeit. So maybe some reasonable trust level should be found. But now I prefer that N confirmations option.

Also I think the specification should cater for real world shops and QR and NFC communication. In particular I like idea of some offline spending wallets, communicating only with POS terminals, and getting power and updates (blockchain info, root certificates) from USB occasionally. So Invoice.receiptURI should cover also QR and NFC. Not sure if an offline device could still verify certificates, but if it has got root certificates and merchants provide the rest, then it seems possible.

Wouldn't the certificates, plus the invoice memo field (which could include long contract terms) be too large for a QR code?

Or a QR code that contains the file.

I mean it would be easy to just provide the 20 byte bitcoin address in the invoice rather than an entire script. P2SH addresses would allow for any script to be used, but only an address would be needed in the invoice.


That makes much more sense.

And one should think about how a merchant provides these invoices. It could be a downloadable file or it could be a QR code with a URL to download a file.

P2SH is itself a script so you can already do that.

A signed invoice and accepted transaction together are indeed proof of payment. The SignedReceipt message was deleted in a later version of the proposal.

I support this idea and I have thought about this myself previously. This will especially become handy with Extended Validation certificates as you can show proof of identity for a business.


Why not use a P2SH as the output, instead of the entire script? Makes it very simple.

And why not just accept an invoice as paid when the funds have been received? You can use a unique address for this. The proof of payment is then stored in the block-chain. That would be simple and I do not see the reason for complicating it with this Payment and Receipt message.

So you just pay to the address on the invoice. If the merchant says "We have not received the funds" you can give evidence that you sent the funds by showing the transaction in the block-chain which conforms to the amount requested and P2SH given in the Invoice.

I think it is great for the multi person wallet part. I don't get the use case of satoshdice though. What does it solve?

edit: I got convinced of the usefullness of this proposal by the post of Mike Hearn explaining that it may be used to let merchants broadcast the transaction as well.

I'm cool with that, especially if this part of the proposal is implemented as a sort of plugin, where in the future a more secure and decentralized system can also be used.

I think there are a few things that need to be cleared up here.

Firstly, self signed certificates. These can be more secure than the CA infrastructure if and only if you get the certificate out of band from the merchant in a trustworthy way - like by meeting them in person. Otherwise they are useless. If you don't understand why browsers now universally reject self-signed certs without any easy override, then you don't understand cryptography.

Consider the dispute case: you present a self-signed invoice and accepted Bitcoin transaction as proof you paid. Merchant says "I didn't sign that". It's your word vs his, there's no way to mediate the dispute. Now consider with a valid chain to a root CA. Merchant says "I didn't sign that", you say "somebody with a certificate issued under your identity did!" and now it's not just your word vs his, there's some evidence in your favor. No, it's not bulletproof. Maybe they got hacked, or their CA did. But, probably not - CA hacks are rare and seem to usually be linked some kind of government or corporate espionage.

Secondly, yes, X.509 cert chains are flawed in many ways. They're being used in this spec for one reason and one reason only - lots and lots and lots of people already have them, they're easy to get, and they assert to an identity (normally a domain name). Also, the code to do the signing and verification is simple (I sent Gavin an example) and can be implemented with OpenSSL in about a page of code. Implementations in other languages would probably also be easy.

So, we use X.509 here for practical reasons. It's a version 1, nothing more.

Where would we go from here? There are a few obvious improvements we could make in version 2. Protocol buffers are easily extendable so it's trivial to come up with protocol extensions later.

• We could introduce our own cert type that allows delegation for the purposes of signing Bitcoin invoices, but isn't accepted by normal SSL stacks. This solves the problem of "I have an SSL cert for foobar.net but I want BitPay to handle payments for me, and I don't want my payment processor to be able to MITM my secure connections". Another scenario - you have a bunch of salesmen or waiters wandering around your shops and you want them to be able to quickly issue invoices on behalf of the business, but you don't want to give them all your SSL keys. The way this would work is, we create a new ChainedPaymentCert protocol message that contains a signature calculated using the X.509 CA issued private key, and another public key, so it effectively chains onto the bottom of the X.509 chain (but it isn't an actual X.509 cert). Bitcoin clients would recognize and parse this new cert type and allow it to assert the authority of the domain name in the X.509 parent cert, but SSL stacks wouldn't.
• We could also use DNSSEC. This is a relatively new system so there's less shared experience around how to use it for something like Bitcoin invoices. But it's sort of similar to SSL, except instead of the CA heirarchy it uses the DNS heirarchy. It's attractive in that everyone should be getting DNSSEC keys for free, from what I understand (if you have a domain name). It seems like Chrome will happily accept self-signed SSL certs that have DNSSEC data embedded in them, probably, it's easiest for us to go with the flow and do the same.
• We could introduce another type of custom Bitcoin cert chain for other purposes, with roots that you might trust more. For instance, MtGox could be a root authority and issue certs derived from your government issued ID that is submitted as part of the "Know your customer" checks. A portable digital cert that you can use to sign things with could be very useful, and it'd mean you can sign invoices with a personal identity instead of a website/business identity.

Integrating a web of trust that doesn't have any roots at all isn't quite so easy. Unless you have access to the full trust graph, you can't build a chain between yourself and the counterparty to prove you own the identity/nym which you are asserting. So the question is how do you build a protocol that lets two parties who don't know each other find enough common connections and then how do you calculate the trustworthyness of those connections. When you have a short chain back to an organization that you axiomatically accept is competent and trustworthy it's easy (until your assumptions are violated, of course). If you don't have that, you need new protocols and bootstrapping mechanisms.

How will signed invoices work with offline wallets? I ask this in the context of dedicated hardware wallets, but this issue also applies to cold-storage wallets on computers intentionally disconnected from the Internet.

Theoretically, basic verification of a signature is feasible. As long as an offline device is seeded with a sufficient set of root certificates, it can verify a valid chain of certificates. However, there are problems with certificate revocation. Ideally, certificate verification should be accompanied by revocation checks. For an offline device, checks are very difficult.

I am aware that even with no revocation checking, the security of offline devices is significantly enhanced by signed invoices. But is it possible to do better than this?

Has anything fundamentally changed since February of this year?

http://www.schneier.com/blog/archives/2012/02/verisign_hacked.html

That's the theory, where's the proof?

How difficult is it really to get a fake certificate?

If every Tom, Dick and Harry can get one basically on demand, the illusion of protection extremely harmful.

The answer is:  it makes MitM attacks dramatically more difficult to execute by an arbitrary attacker.  Self-signed certificates are useless against MitM attacks.  I consider that a huge benefit for an irreversible payment system, even if it's not 100%.

That's a false dichotomy and dishonest.

The relevant question is how much value the CA system adds compared self-signed certificates, not compared to unencrypted traffic.

What percentage of attackers who want to perform a MITM attack are actually prevented from doing so by CAs?

Then, I guess we might as well start using http:// for credit cards transactions and email now.  Since there's no value added by the CA system...

If you are doing things that require ultimate security, at the risk of millions of dollars, I agree with you.  But for sending $23 over the internet to pay for your water bill, it does exactly what it is supposed to do.

Of course it does. If you can't rely on it you don't have security.

"This fire extinguisher doesn't always fail, it only has problems when I try to use it. It's fine most of the time."

Just because there have been security breaches, doesn't mean that the system is useless.  While the system could be improved, the alternatives are terrible.  If you don't use an established system, then you need to build up a whole new "web of trust", and users and merchants will be doing a lot of work, outside an established system, just to accommodate this use case (Bitcoin payments).

If what you suggest is true, then credit card payments on the internet are a joke, too.  Really, it's not quite black and white like that...