Peter Todd [ARCHIVE] on Nostr: 📅 Original date posted:2013-10-26 📝 Original message:On Fri, Oct 25, 2013 at ...
📅 Original date posted:2013-10-26
📝 Original message:On Fri, Oct 25, 2013 at 08:31:05PM -0700, Gregory Maxwell wrote:
> One limitation of the payment protocol as speced is that there is no
> way for a hidden service site to make use of its full authentication
> capability because they are unable to get SSL certificates issued to
> them.
>
> A tor hidden service (onion site) is controlled by an RSA key.
>
> It would be trivial to pack a tor HS pubkey into a self-signed x509
> certificate with the cn set to foooo.onion.
>
> If we specified in the payment protocol an additional validation
> procedure for [base32].onion hosts that just has it hash and base32
> encode the pubkey (as tor does) then the payment protocol could work
> seamlessly with tor hosts. (Displaying that the payment request came
> from "foooo.onion"). I believe that the additional code for this
> would be trivial (and I'll write it if there is support for making
> this a standard feature).
>
> This would give us an fully supported option which is completely CA
> free... it would only work for tor sites, but the people concerned
> about CA trechery are likely to want to use tor in any case.
>
> Thoughts?
Strong ACK on the basis of responding for forum trolls alone.
It's easy enough to make it a genuinely useful tool for multisig wallets
too: keep a copy of your Tor URL bookmarks on your second signing
computer. So long as either computer has the correct URL you're safe.
--
'peter'[:-1]@petertodd.org
0000000000000006fbd917e8b4770c566dbc8ed4bedd00f441286ffb6e7f73ac
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 685 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20131026/c214a3f2/attachment.sig>
📝 Original message:On Fri, Oct 25, 2013 at 08:31:05PM -0700, Gregory Maxwell wrote:
> One limitation of the payment protocol as speced is that there is no
> way for a hidden service site to make use of its full authentication
> capability because they are unable to get SSL certificates issued to
> them.
>
> A tor hidden service (onion site) is controlled by an RSA key.
>
> It would be trivial to pack a tor HS pubkey into a self-signed x509
> certificate with the cn set to foooo.onion.
>
> If we specified in the payment protocol an additional validation
> procedure for [base32].onion hosts that just has it hash and base32
> encode the pubkey (as tor does) then the payment protocol could work
> seamlessly with tor hosts. (Displaying that the payment request came
> from "foooo.onion"). I believe that the additional code for this
> would be trivial (and I'll write it if there is support for making
> this a standard feature).
>
> This would give us an fully supported option which is completely CA
> free... it would only work for tor sites, but the people concerned
> about CA trechery are likely to want to use tor in any case.
>
> Thoughts?
Strong ACK on the basis of responding for forum trolls alone.
It's easy enough to make it a genuinely useful tool for multisig wallets
too: keep a copy of your Tor URL bookmarks on your second signing
computer. So long as either computer has the correct URL you're safe.
--
'peter'[:-1]@petertodd.org
0000000000000006fbd917e8b4770c566dbc8ed4bedd00f441286ffb6e7f73ac
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 685 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20131026/c214a3f2/attachment.sig>