Mike Hearn [ARCHIVE] on Nostr: 📅 Original date posted:2014-01-27 📝 Original message:On Mon, Jan 27, 2014 at ...
📅 Original date posted:2014-01-27
📝 Original message:On Mon, Jan 27, 2014 at 7:18 PM, Andreas Schildbach
<andreas at schildbach.de>wrote:
> I'm not saying I'm against signed payment requests, but unfortunately
> they are just too big for QR-codes. Then again, QR-codes *can* take up
> to 2 KB. How big would a very basic trust chain plus signature be?
>
As I said, the test requests generated by Gavin's generator end up being
about 4kb.
Unfortunately most certs are using RSA keys which aren't very compact. You
can get ECC certs, but for whatever reason, the test requests aren't using
one.
> I was under the impression that addresses will go away. Can you
> elaborate on the mechanism?
>
There's still an address in the URI for backwards compatibility, right? In
theory if everyone some day uses wallets that support BIP70 it'd be
superfluous and could be removed, but whilst it's there, we could find
alternative uses for it ...
> Ok, that's good news (to me). However, you are going to manage trust
> stores (adding and revoking) without TCP?
>
Trust store is just a local database. Why would it involve TCP?
> Well I'm thinking the other way round. Use Bitcoin where its already
> used today -- face to face.
>
Maybe in Berlin :-) Most of my transactions are sadly with online shops,
still.
> > you probably still would like a receipt if you buy
> > something from a local market trader.
>
> Yes, but where is the problem?
>
A receipt is a proof of purchase. If the payment request isn't signed then
it proves nothing as you could have made it yourself. Of course paper
receipts are forgeable too - we sort of pretend receipt
fraud<http://en.wikipedia.org/wiki/Return_fraud>does not exist, but it
does.
Nobody would ever be forced to sign to receive money, obviously, but it's
better if people do as it leads to herd immunity. If people expect to see
it then they will be suspicious if an attacker strips the signing data. If
it's randomly hit/miss then the signing data can just be deleted by a MITM
and you'd never think anything was amiss.
And again, how is he going to provide the payment request to the payer
> without TCP?
>
Over Bluetooth, perhaps. That's what we're talking about, right?
> Interesting, did not know about this BIP. However I don't understand the
> usecase.
It was proposed by the BitPay guys. I think they feel that scanning a QR
code should always make something intelligent happen, even if you don't
(for instance) have a wallet app installed at all. Overloading the URL so
it works for both web browsers and wallet apps is easy, so I can see why
they suggested it. Doesn't seem like a big deal either way.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140127/dcd2f111/attachment.html>;
📝 Original message:On Mon, Jan 27, 2014 at 7:18 PM, Andreas Schildbach
<andreas at schildbach.de>wrote:
> I'm not saying I'm against signed payment requests, but unfortunately
> they are just too big for QR-codes. Then again, QR-codes *can* take up
> to 2 KB. How big would a very basic trust chain plus signature be?
>
As I said, the test requests generated by Gavin's generator end up being
about 4kb.
Unfortunately most certs are using RSA keys which aren't very compact. You
can get ECC certs, but for whatever reason, the test requests aren't using
one.
> I was under the impression that addresses will go away. Can you
> elaborate on the mechanism?
>
There's still an address in the URI for backwards compatibility, right? In
theory if everyone some day uses wallets that support BIP70 it'd be
superfluous and could be removed, but whilst it's there, we could find
alternative uses for it ...
> Ok, that's good news (to me). However, you are going to manage trust
> stores (adding and revoking) without TCP?
>
Trust store is just a local database. Why would it involve TCP?
> Well I'm thinking the other way round. Use Bitcoin where its already
> used today -- face to face.
>
Maybe in Berlin :-) Most of my transactions are sadly with online shops,
still.
> > you probably still would like a receipt if you buy
> > something from a local market trader.
>
> Yes, but where is the problem?
>
A receipt is a proof of purchase. If the payment request isn't signed then
it proves nothing as you could have made it yourself. Of course paper
receipts are forgeable too - we sort of pretend receipt
fraud<http://en.wikipedia.org/wiki/Return_fraud>does not exist, but it
does.
Nobody would ever be forced to sign to receive money, obviously, but it's
better if people do as it leads to herd immunity. If people expect to see
it then they will be suspicious if an attacker strips the signing data. If
it's randomly hit/miss then the signing data can just be deleted by a MITM
and you'd never think anything was amiss.
And again, how is he going to provide the payment request to the payer
> without TCP?
>
Over Bluetooth, perhaps. That's what we're talking about, right?
> Interesting, did not know about this BIP. However I don't understand the
> usecase.
It was proposed by the BitPay guys. I think they feel that scanning a QR
code should always make something intelligent happen, even if you don't
(for instance) have a wallet app installed at all. Overloading the URL so
it works for both web browsers and wallet apps is easy, so I can see why
they suggested it. Doesn't seem like a big deal either way.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140127/dcd2f111/attachment.html>;