Eric Larchevêque [ARCHIVE] on Nostr: 📅 Original date posted:2014-04-04 📝 Original message:> > The goal of writing a ...
📅 Original date posted:2014-04-04
📝 Original message:>
> The goal of writing a BIP seems to be to get lots of different wallet
> authors to write lots of code for you - but I *am* a wallet author, and I
> don't think that's the right way to get traction with a new scheme.
>
I started without a BIP and the feedback I got is that I should to a BIP.
We cannot write all the code for all the wallets ; this is after all a
communauty project.
However we have and we will propose bounties for each wallet to support
natively the protocol.
> For instance the TREZOR guys would have to support your new protocol
> otherwise if I paid my hotel bill with my TREZOR I couldn't open the door
> when I got there! But they probably have better things to be doing right
> now.
>
Yes you are right. But if the concept of authenticating yourself gets
traction, they will probably do it.
> The key difference between just generating a client certificate and using
> a Bitcoin address is that the client certificate is something that is used
> *specifically* for identification. It leaves no trace in the block chain,
> so no weird privacy issues, it doesn't matter how you manage your wallet,
> and you don't have to persuade lots of people to support your idea because
> it was already done >10 years ago and basically every browser/web server
> supports it.
>
My view on this is mainly about the UX and the fact everyone in Bitcoinland
has a wallet.
It's a approach leveraging this fact, with the possibility to build
interesting apps combining address auth and the blockchain.
I understand the problems related to multisig, contracts etc,
There is no such thing as a from address in a transaction, however many
services still take first tx as the return address.
People will always find way of building and doing stuff (cf the message in
the blockchain debate).
> Some reasons client certs aren't more widely used boil down to:
>
> 1. People like passwords. In particular they like forgetting them and
> then having friendly people assist them to get it back. Client certs can
> support this use case, but only if apps are checking the identity in them
> and not the key.
> 2. The UI for managing client certs in browsers is pretty horrible.
> There's little incentive to improve it because of (1).
> 3. Cross-device sync doesn't work very well. Apple are starting to
> tackle this with their iCloud Keychain Sync service but then of course,
> Apple has all your keys and you may well just sign in to things with your
> Apple account (if it were to be supported). Cross-device sync where the
> server *doesn't* get your keys is supported by Chrome for passwords,
> but not client certs, because (1)
>
> None of the above issues have any obvious fix lurking within Bitcoin.
>
There is also the benefit of revocation with certificate and central
authority.
But, again, you already have a wallet and a Bitcoin address.
So if you add a simple auth protocol, people will use it at no cost.
Eric
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140404/9e6d4ffc/attachment.html>
📝 Original message:>
> The goal of writing a BIP seems to be to get lots of different wallet
> authors to write lots of code for you - but I *am* a wallet author, and I
> don't think that's the right way to get traction with a new scheme.
>
I started without a BIP and the feedback I got is that I should to a BIP.
We cannot write all the code for all the wallets ; this is after all a
communauty project.
However we have and we will propose bounties for each wallet to support
natively the protocol.
> For instance the TREZOR guys would have to support your new protocol
> otherwise if I paid my hotel bill with my TREZOR I couldn't open the door
> when I got there! But they probably have better things to be doing right
> now.
>
Yes you are right. But if the concept of authenticating yourself gets
traction, they will probably do it.
> The key difference between just generating a client certificate and using
> a Bitcoin address is that the client certificate is something that is used
> *specifically* for identification. It leaves no trace in the block chain,
> so no weird privacy issues, it doesn't matter how you manage your wallet,
> and you don't have to persuade lots of people to support your idea because
> it was already done >10 years ago and basically every browser/web server
> supports it.
>
My view on this is mainly about the UX and the fact everyone in Bitcoinland
has a wallet.
It's a approach leveraging this fact, with the possibility to build
interesting apps combining address auth and the blockchain.
I understand the problems related to multisig, contracts etc,
There is no such thing as a from address in a transaction, however many
services still take first tx as the return address.
People will always find way of building and doing stuff (cf the message in
the blockchain debate).
> Some reasons client certs aren't more widely used boil down to:
>
> 1. People like passwords. In particular they like forgetting them and
> then having friendly people assist them to get it back. Client certs can
> support this use case, but only if apps are checking the identity in them
> and not the key.
> 2. The UI for managing client certs in browsers is pretty horrible.
> There's little incentive to improve it because of (1).
> 3. Cross-device sync doesn't work very well. Apple are starting to
> tackle this with their iCloud Keychain Sync service but then of course,
> Apple has all your keys and you may well just sign in to things with your
> Apple account (if it were to be supported). Cross-device sync where the
> server *doesn't* get your keys is supported by Chrome for passwords,
> but not client certs, because (1)
>
> None of the above issues have any obvious fix lurking within Bitcoin.
>
There is also the benefit of revocation with certificate and central
authority.
But, again, you already have a wallet and a Bitcoin address.
So if you add a simple auth protocol, people will use it at no cost.
Eric
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140404/9e6d4ffc/attachment.html>