
Topic: There needs to be a new bitcoin address format... (Read 3392 times)

legendary
Activity: 1022
Merit: 1033
I proposed a solution in other thread... It is possible to use blockchain as an address book without namecoinesque complexities.

To reference a public key you can reference certain transaction input. Transaction input can be identified using triple .

Applying certain optimizations and trade-offs you can encode this triple in a 32-bit (or even 24-bit) number.

PGP word list can encode 8 bits in one English word. So to encode a 32-bit ID you need four words.

So, basically, we can make public key IDs like "absurd replica cranky decadence".

And this is, like, also a name of a company...
legendary
Activity: 1106
Merit: 1004
I have an Adobe signing key and I paid for the key, there is no per-document charge for my key.  

That's probably because you always sign with the same certificate. The company I work for has to sign in the name of other people actually, so, after authentication, they generate a "minute-certificate", used only to sign the document (it expires quickly). That certificate carries the name of the client. And to generate that certificate, you gotta pay 15 cents of euro IIRC.

But even if there was one, there is nothing inherently wrong with that,

As there's nothing inherently wrong with charging a 4% fee for conducting a payment either. Yet, here we are trying to make something better. ;)
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
There is a bit of irony in CA services for bitcoiners.

True blue bitcoiners already have and understand PGP and thus probably wouldn't feel the need to pay for such services.

If and when PGP-like functions make their way into Bitcoin clients (not an outrageous proposition), that will be even more true.  After all, if you're already trusting in cryptography for your money, trusting in the same software to provide cryptography for your communications is a totally reasonable stretch that would make sense even to average computer users.

At that rate, the real value won't necessarily be in one guy being the "trust authority".  Instead, I see Bitcoin conferences having key-signing parties as standard fare, given that Bitcoiners put a premium on decentralized trust mechanisms.  That way, the conferences themselves will add the value... not so much that somebody will be making the money, but rather, people will be paying to attend the conference in order to receive that value among other things.  The more people who can make a business case to come to the conference, the more revenue comes in, which directly translates to a lower admission price per person, or a nicer venue, for future conferences.
legendary
Activity: 1512
Merit: 1036

Here's your certificate from my root authority,
...

For the most part, this is brilliant (no I'm not about to pay 50BTC though).
....

I was offering my "services" tongue in cheek, if you didn't catch that - I've made no great effort to establish a reputation or reveal my identity to more than members I've bought stuff from. A company like MtGox would be a likely root CA issuer - they've got your ID and bank info already, so they have already verified "trust" for many bitcoiners, and scammers might be put off going through MtGox and paying money to get a counterfeit look-alike alias.

You or any other person could offer such service though, in the spirit of "decentralized". With a "signed alias", one could simply use their own main identity to self-register other addresses (like auto-sign pregenerated one-time pay addresses), or you could "vouch" for others by signing their address and require real verification or only verifying that they've proved to you it's their address. As an issuer, you can scan for and reject any name that might be confused for an already-issued trust. A fully implemented client could not only look up the name when you put in an address, but let you "view certificate" to see who issued the trust. Like you say, charge $50 and do some checks, and your issued certificates are more trustworthy.

The work would be putting it in Bitcoin; you'd have to make a bastard-child client that accessed both blockchains (main client, very low chance of that happening), or get a BIP through that added the namecoin-like registration to Bitcoin (devs have already said Bitcoin isn't for data). That's the part that's worth 50BTC.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Ironically, the high price serves as a barrier to entry, which itself adds value.  If you represent institution A and want to authenticate a document from institution B, the fact that Joe Blow can't get a similar looking certificate at a negligible cost adds value.  I wish more people understood why "overpriced" stuff derives the price/value it does, there's always more to it than somebody just wanting to overpay for something just because they're gullible or want the satisfaction of having paid too much for something.

Here's your certificate from my root authority, since you've already done the work of verifying your identity to me (you'll have to find that paper wallet though).  People can be sure that's your address (or trust any other addresses you sign, since you are now a second-level certificate authority).

That'll be 50BTC. First one's free if you can write the software to make it work, you'll "just" need Bitcoin to lookup and verify a signed message and the chain of trust from the Namecoin blockchain when someone uses your address. Let it know that I am the root CA, BTW.

Linux:
Code:
./namecoind name_update id/casascius '{"cert": {"address": "16EJyLJevdfUxF8MXDSctMfWaNxk14MXoE", "id": "casascius", "info": "Mike Caldwell", "authority": "deepceleron", "authbtc": "1DCeLERonUTsTERdpUNqxKTVMmnwU6reu5", "authnmc": "N76D6hEHB55cGPk8QiG6ysgMbXb11b3nAH"}, "sig": "HAGiR4/oetIedslegs2G5br+w6UpbeIVxZK8+WcASArSroAIuWDAV9B+5Hgck/Bge+0LYQwYTq1dTgTvBMyXdeQ="}'
Windows:
Code:
namecoind.exe name_update id/casascius "{\"cert\": {\"address\": \"16EJyLJevdfUxF8MXDSctMfWaNxk14MXoE\", \"id\": \"casascius\", \"info\": \"Mike Caldwell\", \"authority\": \"deepceleron\", \"authbtc\": \"1DCeLERonUTsTERdpUNqxKTVMmnwU6reu5\", \"authnmc\": \"N76D6hEHB55cGPk8QiG6ysgMbXb11b3nAH\"}, \"sig\": \"HAGiR4/oetIedslegs2G5br+w6UpbeIVxZK8+WcASArSroAIuWDAV9B+5Hgck/Bge+0LYQwYTq1dTgTvBMyXdeQ=\"}"

This is the data signed with Bitcoin:

{"address": "16EJyLJevdfUxF8MXDSctMfWaNxk14MXoE", "id": "casascius", "info": "Mike Caldwell", "authority": "deepceleron", "authbtc": "1DCeLERonUTsTERdpUNqxKTVMmnwU6reu5", "authnmc": "N76D6hEHB55cGPk8QiG6ysgMbXb11b3nAH"}

My self-signed CA: http://explorer.dot-bit.org/n/74491

edit: looks like I "extended" the proposed spec a bit:
http://dot-bit.org/Namespace:Identity
https://en.bitcoin.it/wiki/BIP_0015#Namecoin_ID

For the most part, this is brilliant (no I'm not about to pay 50BTC though).

What you've done here is created a novel application for an existing technology that in all probability will work exactly the way it's supposed to... something I see as a viable business model, other than for a couple missing things.  If I could describe those couple missing things and you took them seriously (among other things), there is no reason you couldn't actually start a business where you did nothing other than generate cryptographic certificates at negligible cost to you, and charge real money for them.

The first thing is that I have never heard of you being in the business of vouching for people's reputation and identity.  That doesn't mean it's too late to start, by any means.  For your "authority" to have value, people need to know who you are and that you've dedicated yourself and put a serious stake in the business of being one.  The main reason why your offer isn't worth 50 BTC to me is that I can't go somewhere and point to that record and have average folks give me significant extra credibility as a result of its existence.  It's not competitive, because there are numerous other avenues where I can get that for much less.  (Note that GPG isn't a candidate here despite the free price, because most casual computer users don't use it)

The second thing is that I did not offer to purchase these services from you.  This is an important distinction.  Read this little blurb on contract law: http://tutor2u.net/law/notes/contract-elements.html ... what you have proposed is best described as an offer, and I have not accepted it.  Mr. Riley put it perfectly: "It is very important to distinguish an offer from an invitation to treat – that is, an invitation for other people to submit offers. Some everyday situations which we might think are offers are in fact invitations to treat:" (list of examples follows)

On the other hand, be aware that 50 BTC isn't an unreasonable price for cryptographic services when the value has been added.  50 BTC is about $1000, seems to me that's about what I paid to get an Adobe certificate.  The difference is, something I sign with my Adobe certificate gets instant credibility with the uninitiated public (who has never heard of PGP) because their Acrobat Reader will display a soothing blue badge and bar - within the program itself - asserting that I really signed/certified that document when they open it.  There is also a legal system accustomed to using PDF that would likely recognize it as well.  There is nowhere computer-illiterate Joe Blow can go to see the results of what you added to the namecoin database and feel he understands it well enough to be confident about trusting it, and this is what distinguishes the two.

If you had a proposition where your services were widely deemed to be worth 50 BTC, unfortunately that wouldn't just be "free money" to stuff your pocket.  You'd get to that position of authority by spending a lot of money on reputation building, advertising, and PR, and that 50 BTC would hopefully be a return on investment representing a profit after all of your expenses.  But of course it might not be, that's your risk to take.

Finally, some bit of personal reputation goes into your ability to operate trust-related services.  Having a clean criminal background, good credit history are musts, having a somewhat related career or degree, as well as connections to those with capital and other resources are a huge help as well.  Someone who started a business like this but who had, for example, a check forgery conviction in their past, could reasonably expect to see their business collapse when people started doing their due diligence.

If you ever become known in the community as operating a business like this though... I'd probably subscribe if the rate was a reasonable reflection of what I deemed its value to be in the marketplace.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
I thought last few bytes are the checksum. How easy is it to generate a key pair with the public address ending in 4BpiZ?

Unlike the first characters of a Bitcoin address, the possible last characters (including the checksum) are evenly distributed among the Base58 characters, i.e. the chance of the last character of any address you generate being "Z" is 1 in 58. On average, for every 58 addresses you generate, one will end with "Z", and the average time to find a "Z" will be 58 key generations (a 50% chance).

We only need to scale the probability up; for five characters, the chance is 1 in (58^5) - that's 1 in 656356768. Running my vanitygen at 180Kkey/s, I would have a 50% chance of finding one in 3646 seconds (about an hour). In fact, it took me less time:

vanitygen -r -k BpiZ$

(at result 35, of 58 expected on average):

Address: 17piCjuatkXRi8tPJf43fN2bSNeJi4BpiZ
Privkey: 5KJshpZnAygza2goQNB7gsmyvwEwg8CquLZBPgpHCDU8Dg5xCvP
Thanks for taking time to make it clear. I stand corrected.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Adobe's Acrobat/PDF document signing PKI is an example of one that appears to work and be well-managed.

Well, it works, yes... but it is expensive! I work for a company that among other things has a system that does digital signatures for official documents. They are required to pay 0€15 for each signature they issue, not to mention the enormous costs for being able to issue these signatures in the first place. And that's paying exclusively for Adobe's "recognition". Adobe doesn't actually do anything, they have absolutely no extra cost when these signatures are issued. But if you want their recognition, open your pockets!

I hope that this implementation for bitcoin is done in such a way that more competition in the "authority market" is available, so that prices are not so high.

Adobe folks have got to eat too!

I have an Adobe signing key and I paid for the key, there is no per-document charge for my key.  But even if there was one, there is nothing inherently wrong with that, no law of nature says that everything that does not involve an increment in manual labor per transaction must be free, and there are more variables that define value than just the price.

Ironically, the high price serves as a barrier to entry, which itself adds value.  If you represent institution A and want to authenticate a document from institution B, the fact that Joe Blow can't get a similar looking certificate at a negligible cost adds value.  I wish more people understood why "overpriced" stuff derives the price/value it does, there's always more to it than somebody just wanting to overpay for something just because they're gullible or want the satisfaction of having paid too much for something.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
where someone can paste an address into their Bitcoin client and see a confirmation: "Confirmed, you are paying Rocky Mountain Power Company"
How will you force this user to distinguish between "Confirmed, you are paying Rocky Mountain Power Company" and "Confirmed, you are paying Pocky Mountain Power Company", or "Confirmed, you are paying Rocky Mountin Power Company"?

Hypothetically speaking, a properly run PKI prevents people from obtaining certificates to impersonate others, and maintains a trail of recourse.  Example, something like EV SSL, or Adobe's PDF PKI.  The fact that extended validation is even possible attests to a likelihood that you're at least paying somebody who can be identified.
legendary
Activity: 1512
Merit: 1036
I thought last few bytes are the checksum. How easy is it to generate a key pair with the public address ending in 4BpiZ?

Unlike the first characters of a Bitcoin address, the possible last characters (including the checksum) are evenly distributed among the Base58 characters, i.e. the chance of the last character of any address you generate being "Z" is 1 in 58. On average, for every 58 addresses you generate, one will end with "Z", and the average time to find a "Z" will be 58 key generations (a 50% chance).

We only need to scale the probability up; for five characters, the chance is 1 in (58^5) - that's 1 in 656356768. Running my vanitygen at 180Kkey/s, I would have a 50% chance of finding one in 3646 seconds (about an hour). In fact, it took me less time:

vanitygen -r -k BpiZ$

(at result 35, of 58 expected on average):

Address: 17piCjuatkXRi8tPJf43fN2bSNeJi4BpiZ
Privkey: 5KJshpZnAygza2goQNB7gsmyvwEwg8CquLZBPgpHCDU8Dg5xCvP
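
Added example (not part of the original posts): a Python sketch of the point made in the reply above, that the Base58Check checksum only catches typing errors, while matching a chosen suffix costs about 58^k key generations. The payload is constructed, and the function names and the 80-bit target are assumptions made for illustration.

```python
import hashlib
import math

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload + 4-byte double-SHA256 checksum, Base58 encoded."""
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    zeros = len(data) - len(data.lstrip(b"\0"))  # each leading zero byte -> '1'
    return "1" * zeros + out

def b58check_valid(addr: str) -> bool:
    """True when the trailing 4 bytes match the checksum of the payload."""
    if not addr or any(ch not in B58 for ch in addr):
        return False
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) > 4 and _checksum(raw[:-4]) == raw[-4:]

def suffix_match_work(chars: int, keys_per_sec: float) -> dict:
    """Key generations needed to hit a chosen `chars`-character address suffix."""
    p = 58.0 ** -chars                       # chance per generated key
    mean = 58 ** chars                       # expected number of tries
    median = math.log(0.5) / math.log1p(-p)  # tries for a 50% chance
    return {"mean_tries": mean,
            "mean_seconds": mean / keys_per_sec,
            "median_seconds": median / keys_per_sec}

def chars_to_compare(work_bits: int) -> int:
    """Trailing characters to compare so a look-alike costs >= 2**work_bits keys."""
    return math.ceil(work_bits / math.log2(58))

def demo() -> dict:
    # Constructed payload: version byte 0x00 + 20 bytes standing in for a key hash.
    payload = b"\x00" + hashlib.sha256(b"constructed sample").digest()[:20]
    addr = b58check_encode(payload)
    swapped = addr[:-1] + ("2" if addr[-1] != "2" else "3")  # one-character typo
    return {"address": addr,
            "valid": b58check_valid(addr),
            "typo_valid": b58check_valid(swapped),
            "five_chars_at_180k": suffix_match_work(5, 180_000),
            "chars_for_80_bits": chars_to_compare(80)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The checksum is derived from the payload, so every freshly generated key yields a valid address; it says nothing about who owns the key.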
legendary
Activity: 3431
Merit: 1233
where someone can paste an address into their Bitcoin client and see a confirmation: "Confirmed, you are paying Rocky Mountain Power Company"
How will you force this user to distinguish between "Confirmed, you are paying Rocky Mountain Power Company" and "Confirmed, you are paying Pocky Mountain Power Company", or "Confirmed, you are paying Rocky Mountin Power Company"?

the whole point of this is so that the signing keys are not on the same system that is distributing the addresses.
Absolutely. Many people just don't understand that there is a difference between the monetary system that is supporting the very existence of a currency and the payment system that is using this currency. There is a reason why these two systems must be kept separate. What casascius is pointing out as an issue has to be solved by improvements in different competing payment systems using bitcoin as a currency. Don't mess with the blockchain, mining or transaction relaying!
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
Interesting ideas. At this moment I wouldn't dare sending someone 1000 coins without at least confirming the last few letters of the address over the phone or through another independent channel.

Be careful - it's pretty easy for someone to generate an address that has the last few characters they want (and first few, for that matter).  People do it all the time with vanity addresses, but it could just as easily be done to try and defeat a simple 'over the phone' check of a few characters of the address.

roy

I thought last few bytes are the checksum. How easy is it to generate a key pair with the public address ending in 4BpiZ?
legendary
Activity: 1106
Merit: 1004
Adobe's Acrobat/PDF document signing PKI is an example of one that appears to work and be well-managed.

Well, it works, yes... but it is expensive! I work for a company that among other things has a system that does digital signatures for official documents. They are required to pay 0€15 for each signature they issue, not to mention the enormous costs for being able to issue these signatures in the first place. And that's paying exclusively for Adobe's "recognition". Adobe doesn't actually do anything, they have absolutely no extra cost when these signatures are issued. But if you want their recognition, open your pockets!

I hope that this implementation for bitcoin is done in such a way that more competition in the "authority market" is available, so that prices are not so high.
legendary
Activity: 1526
Merit: 1129
1. Some way for a user to know if he's paying someone he has paid before, versus someone he is now paying for the first time.

It can be useful. You can do it with the existing payment protocol by including a signature with no PKI data. Use ECDSA key recovery on the signature and then record the derived pubkey.

Quote
2. Some way for a user to get a public key and know that he is paying the owner of that public key.

That's what the payment protocol does.

legendary
Activity: 1708
Merit: 1020
What about using data from the blockchain to determine the trustworthiness of an address? If it is not a throw away address it would say a lot.

First seen
Number of tx
Coins received

A hacker would probably use a fresh address. At least for donation addresses this would work well.

You could even calculate a bitcoin inherent web of trust from the addresses you own to the address in question.
hero member
Activity: 815
Merit: 1000
... Ideally their client should be smart enough to either say "You're paying Casascius" or "I don't know who you're paying, so you better be sure about this!"
I'm not sure this is possible, the address derives from a key only you know, if it were to derive from your brand name everyone would know the private key.

Seems to me there's no way to get both.

I would suggest letting a beefed computer run a week or a month to create a vanity address for your company and then use that. 1 layer of extra security anyway.
The more serious the company the more money and CPU you could put into it.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
How about the following things that would require no PKI:

1. Some way for a user to know if he's paying someone he has paid before, versus someone he is now paying for the first time.  (Example: imagine paying your power bill with bitcoins.  Pretend you like having a paper power bill.  Every month you get a power bill in the mail and you pay it by scanning a QR code bitcoin address unique to each month's bill.  One month, a scammer sends you a realistic looking power bill but has his bitcoin address on it.  Your bitcoin client ought to have a means to flag something's unusual... this WILL happen, it's just a matter of time!)

2. Some way for a user to get a public key and know that he is paying the owner of that public key.  (Yes, that's how Bitcoin works inherently, but I mean a secondary public key that allows a user to confirm that a certain person must own the address)

3. The "Bitcoin Messaging" system previously discussed in other threads.  This would provide very similar functionality to PGP, except that keys are Bitcoin addresses.  Importantly, functionality would include ensuring you're paying the same person you're talking to, and/or paying the same person whose public key you can verify somewhere else.  As a simple minded example, before paying someone, you could send a bitcoin message to their address and confirm their ability to confirm, verbally for example, that they received it.  If they can confirm they can decrypt the message, you can feel good paying them at the same address.
legendary
Activity: 1526
Merit: 1129
Yeah, I have higher hopes for the DNSSEC PKI. It's how things should have worked from the start, but of course the cost of crypto and the US Govt's attempts to stifle it made doing a PKI any earlier unworkable.

Unfortunately DNSSEC is still pretty new. It'd make sense to integrate it into the payment protocol after v1 is successfully deployed.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Oh please, do not fall for PKI monstrosity - this system is seriously flawed! (I have my own bitter experience with end-users of which ~100 have absolutely no idea how SSL/PKI works and even how to use it securely!)

21mil BTC for the creator of trustless PKI replacement!

Adobe's Acrobat/PDF document signing PKI is an example of one that appears to work and be well-managed.

The operative difference is that those who care about the quality of the signatures have a vested interest in a good PKI and would be the last to complain about a loosey goosey PKI that favors convenience over security.

On the other hand, browser makers are far less in control.  They can't just decide that they will throw out the flawed SSL'iverse in favor of their own PKI scheme, or they'd lose market share.

I don't think the idea of PKI is inherently flawed, it's just that the most prominent one is being mismanaged and suffers from poor design.
legendary
Activity: 1708
Merit: 1020
Wasn't Namecoin supposed to provide a part of the solution?

Within namecoin you could tie a name to a bitcoin address.
(sendtoname, namecoin/bitcoin keysharing and even throw away addresses: https://en.bitcoin.it/wiki/BIP_0015#Namecoin_ID )

As long as you don't know if the name is legit you have not really added security, though.

Other than using a (central) authoritah only a web of trust comes to mind.

hero member
Activity: 700
Merit: 500
Oh please, do not fall for PKI monstrosity - this system is seriously flawed! (I have my own bitter experience with end-users of which ~100 have absolutely no idea how SSL/PKI works and even how to use it securely!)

21mil BTC for the creator of trustless PKI replacement!

PGP + Due Diligence

I'll cut you a discount. Just send 5.5 BTC to the address in my signature.

Heh :D I should have required a foolproof system :D

Isn't it amazing how trustproof and fool proof are nearly opposite ends of the spectrum.
