Topic: Secure Payment Address By Verisign and Armory (Read 881 times)

All sounds good, but I was thinking more: How does a prospective owner of a name register the name they chose with a nameserver? My imagination suggests it could be done the forms/fees/fleshbags way that, say, domain name registration happens typically today, but that it could also be made more efficient and/or carry more veracity if a bitcoin sidechain were used to store and transact the domain names. (I know, sidechains don't exist yet, blockstream controversy etc)

If at least both those were possible (and I reckon it may be cheaper at point of use if using a sidechain), that would be a serious coup for the whole range of hashchain technologies.

I haven't thought that one through for myself, to be honest. Alan might be able to answer. It is something that will need to be addressed. Just shooting off the cuff, I presume that every domain will have their own gatekeeper. So, somebody at Amazon would handle the main entry and would then dole out any necessary child keys (e.g., payments.amazon.com, [email protected], etc.). This shouldn't be too hard for a company. It'll probably be a bit more challenging for, say, somebody making the odd sale on eBay, though.

What's current thinking on how the email address owner and the owner of the address server will negotiate their relationship with one another?

More or less. Basically, starting at the DNS root, you have keys that can be used to sign keys for, say, the "com" zone. That key can then be used for the "bitcoinarmory.com" zone, etc. This tutorial is a bit rough but covers the rough basics. The idea is that if, say, the bitcoinarmory.com keys get compromised, that can't be done to compromise amazon.com, or whitehouse.gov, or whatever. It is, on one level, a way to minimize damage should something go wrong.


AFAIK, except for a short transition period when keys swap out, there should only be one key valid at a time. (Well, I guess you can have multiple valid keys all the time, but that seems pointless and dangerous.) What happens is you have a Key Signing Key (KSK), which is a master key of sorts. This is used to sign the Zone Signing Key (ZSK), which is weaker and is also what you actually want to use to sign DNSSEC records. (If you're signing "com" records, you need a smaller key in order to be able to efficiently sign all requests.) The ZSK swaps out more often than the KSK, which is more long-term. If the ZSK is compromised, you can quickly deploy a new key and limit the damage. If the KSK is compromised, it creates a larger attack vector, although it's still more limited than it would be if, say, an SSL CA is compromised and creates certs for any and all web sites.


We're definitely in the prototype stage. There is a testnet plugin that can pull down payment info based on an email address. It'll be awhile before anything is ready for primetime, especially since we need to formally submit it to various orgs and informally to the Bitcoin community. We just wanted to get some code and some examples out there before throwing this concept to the wolves.


Yes, this is being done to pass along payment info based on BIP32. One cool thing about BIP32 that not a lot of people know is that it's possible to start with a parent public key, supply a 32 byte multiplier, and land at any derived key on the tree, no matter how deep you go. So, if amazon.com wants to accept Bitcoin, they can publish their public key and then send each customer a 32 byte multiplier that yields a 3rd level key, or 92nd level key, or whatever. That multiplier is then broadcast to the paying party, and Amazon's key is protected by DNSSEC/DANE.

I wasn't part of this development effort, so I only remember the dev discussion we had about it a few months ago. The idea is that this system allows you to create your own "DNS zone", i.e. you are deploying your own cryptographic credentials to a ring of trustees. In that sense it's closer to GPG than the SSL/CA structure. You need only to corrupt one out of the existing 300 or so CAs to successfully spoof a domain.

With DANE records, you can reduce the 3rd party involvement since you have control on the chain of trustees (the different entities that will sign and store your ZSK). This means there is a finite set of trusted 3rd parties of your choosing an attacker has to compromise to spoof your identity rather than one out of N certificate authorities.

Correct me if I'm wrong, but if you are using your own DNSsec zone, you never expose your key signing key (KSK) to the network. You sign the zone signing key (ZSK) with it and expose that instead, whereas with SSL your certificate's private key has to be available to your server at all times to handshake.

Deploying your own ZSK is a lot more secure than using the regular path to register a domain. In the later, you can use a wealth of petty attack vectors like cross-site JS scripts to steal your targets' credentials, you don't have to go straight after the DNS security model. It's a whole deal easier to steal a user's Verisign login and password or socially engineer someone on the phone than to compromise Verisign's ZSK. If you choose to create your own DNS zone, you will be relying on the security of other's ZSK (rather than a web interface).

We will most likely come up with a plugin to create and manage KSK + ZSK directly from Armory, sometimes in the future.


Sadly I don't remember all the details, that discussion was a long time ago. I'm sure Alan or Doug will do a better job at shedding light on this. The feeling I got out of it was that DNSsec makes SSL look amateurish in terms of security and flexibility.

One last point on security is how the DANE record is used to verify the addresses in our proposed scheme. It doesn't simply green-light the address you are asking for. It provides a mathematical proof that the bitcoin address you resolved from the payment request is indeed derived from the master public key that is associated with this domain in the issuers' the DANE record.

There are (at least?) two proposals mentioned.

This one is more about how a payee can prove that an address they give to a payer in fact belongs to the payee (and hasn't been modified by a malicious third party), and at the same time:

• the address can be generated in a "complicated" way, such as from an HD and/or multisig wallet;
• the payee does not need to publicly publish something new for each new address (they only need to publish a single "master verifying key"^*)
• the "master verifying key" is not a BIP32 master extended public key; in other words it can't be used to violate the privacy of the payee / generate other addresses

The method of publishing this "master verifying key" isn't detailed in the above proposal, but DNS is mentioned as a possibility, in which case the spec recommends it be signed by a DNSSEC zone signing key.

This proposal is is about the DNS side of things. It mentions some of the concepts mentioned in the above proposal, but doesn't really detail them. It does detail the DNSSEC issues though.

The two seem like they should be linked to one another, but they're (currently) not (just because they're still drafts? don't know...). For example, the first proposal talks about BTCA DNS resource records (for which google can't find any spec), while the second details PMTA records.

* I just made that "master verifying key" term up, the spec uses more precise terms

Someone did bring it up somewhere, but it is a bit buried, it did need it's own thread.

I think the idea is that it's just more resistant to the types of attack vectors used against the current SSL based CA/PKI and/or the conventional DNS system. But if someone managed to get access to the signing keys for one of these servers through some new software exploit or just through sloppy practices or coercion, you'd still have man-in-the-middle domain/ID impersonation problems. But that doesn't mean this isn't progress still.

https://bitcoinarmory.com/verisign-discusses-collaboration-with-armory-to-secure-payment-addresses/

Why isn't this discussed here?

As it is based on DNS, how do you prevent DNS hijacking?