Bitcoin Forum

I understand the reason why chargebacks are a bad idea for online commerce.
Bitcoin makes more sense, because it is a system where consumers have to trust the reputation of established sellers, instead of asking sellers to trust random customers.

However, the current system could be improved.
When I place an order, I receive a Bitcoin address from the merchant. At that point, sending my coins to that address remains a leap of faith.

As a buyer, I would feel more comfortable if I had a public proof that I sent coins to that merchant, (not just to an anonymous address), in case of  litigation.

I propose the following:
Instead of simply displaying "Please send <xx> BTC to address <aaa>", the merchant's website should also sign that message with a private key, and give the signature to the customer.
The corresponding public key should be visible on their website. That way, a customer can prove that he actually sent money to the merchant, not just to a random address.

The signed message could also contain the description of the purchased good, and maybe the shipping address of the customer (in that case, customers would lose anonymity if they publish the proof).

Are there online sellers interested in such a solution?
The "signmessage" and "verifymessage" RPC commands of the bitcoin daemon should make this easy. For example, you could use a bitcoin address of your wallet in order to sign messages with it.

That's clever.  I like the idea.  I would use it.

This is also a good way of stopping various attacks by an attacker substituting their bitcoin address in a bitcoin payment request URI for the merchant's real bitcoin URI.

The bitcoin URI a merchant uses is likely to have a 'one-time' address but by signing it with a private key which has a well known public key it gives it veracity.

Of course the user has to have confidence in the advertised public key of the merchant which is probably best served by a locked down server via SSL.

but then again: you have to trust a SSL provider, Cert. authority.

indeed, a merchant could sign with a certified SSL public key, but I don't think that this is what jim618 was saying...

watching ...

The main thing about publicising your public key / address from a locked down SSL server is to to make attacks such as the following more difficult:

Webmaster: this is a great Javascript utility to 'insert something neat here' I will just pop that on my website.
Behind the scenes, utility code swops out real bitcoin payment address for attacker's.

Buyer sees authentic looking bitcoin payment URI with right amount, label etc. The address is one-time so would not be in buyer's address book. Buyer pays happily. Attacker receives bitcoin. Merchant just sees 'no purchase'. Several days later buyer complains to merchant - where's my stuff ? Merchant : What stuff ? You never paid.

You *could* sign with an SSL cert but I think using the bitcoin crypto is better. It is defence in depth. The signed payment request and payment are effectively a key exchange that you could then use for, say, secure chat between the two parties.

ideally, the signature should be verified by a browser extension or bitcoin client.
if the message is just a bitcoin address + amount, then perhaps the signature could be integrated to the bitcoin URI scheme. https://en.bitcoin.it/wiki/URI_Scheme

Edit: a straight-forward method would be to sign the unsigned URI.
Example:
which yields the following signed URI:

in this example the payment address is 15kfzDMX2Gr7hXrwRQQGkxrd5eBveKH777 and the authentication address is 19mP9FKrXqL46Si58pHdhGKow88SUPy1V8

I have been thinking about it a bit more.
I believe that URI Scheme is indeed the best way to do this.
I have added URI support to Electrum, similar to what Multibit does. now I need to add a 'verifymessage' capability.

Here is how I think we should implement identity verification:
 - the browser should verify that the Bitcoin address used to sign a bitcoin: URI matches the address provided by the website (i.e. the identity of the merchant).
 - the bitcoin client should verify that the provided signature matches the address and message. it will show a warning if the URI is unsigned.
 - if the user accepts the transaction, the bitcoin client will store the message and the signature in its records, so that the user keeps a proof of identity.
 - I guess the URI should contain the signature AND the bitcoin address corresponding to the signing key. Even though the public key can be recovered from the signature, this is not something that can be done easily by a browser extension

(reference: https://bitcointalk.org/index.php?topic=6430.0)

Hi Thomas,
I like your previous post but think that you will very likely have:
+ the bitcoin address the website is offering to that specific customer / order.
   (unique to customer / session and used by the merchant software to track order)
+ a merchant specific address - the merchant's identity - unchanging.

I think you need both the 'address for this payment' and 'merchant identity address'.
I know in MultiBitMerchant we use one address per potential customer order and never recycle them.

Edit: rereading your post I think you have got this covered. I think you are proposing:
+ have the customer specific address in the bitcoin URI.
+ look up the merchant public address from a 'well known' SSL location on the website.

(a bit like everyone knows where to get the favicon from)

You could then show on the UI 'signed by myWebsiteName.com' - the location of the website you got the public key from.

subscribed.  interesting ideas. 

A system which implements proof of payment and assurance payment is going to the right entity is a great step forward.

But how do you ensure that they don't change it anyway? It's almost as if we need a distributed, timestamped, database system...  ;)
(you should see where I'm going with this)

If we sign the URI with a bitcoin address, then the verification will need ecdsa, and it is better to do it with the bitcoin client. Thus, we need to send the merchant's public address to the bitcoin client. The easiest way to do it is to include the merchant's address in the URI, but this means that the browser needs to verify that the URI contains a public address that matches the public address of the website.

Another solution, as you suggest, is to lookup the merchant address from a standard location on the website. But in that case too, we will need to make sure that the bitcoin client gets the correct public address. I assume that the URI is the only information passed to the bitcoin client; this means that the URI would need to contain the hostname of the web server, so that the client can request the public key; and again, we need to verify that the hostname is correct.

This is why I wrote that two things need to be verified: the public address and the signature. It seems that a web browser extension is necessary in order to perform the first verification.

We could also use the ssl public key of the website in order to sign the URI. This might fit better with the existing infrastructure.

@Thomas.  Agreed - both the public address and signature need verification.

@Maged.  I like the hint to a full distributed "blockchain-ey" PKI solution !   :-)

I don't get this.
You are trying to verify that bitcoin address on sellers website belogns to seller ?

Yes AND provide proof of payment.

Maybe I missed something, but stores still need TLS to transport bitcoin addresses so they cannot be tampered with.

Proof of payment is easy - customer provides a bitcoin address (any) at registration. Merchant presents a receipt (arbitrary string associated with purchase details) at checkout. Customer sends Bitcoins and signs receipt to complete the purchase.

That proves absolutely nothing.

"Um.  That address isn't mine.  He didn't pay me he likely sent 100 BTC to his friend and is now trying to pull a scam."

Someone signing their own receipt is no proof the counterparty exists.

Sorry, I didn't quite think that through... When you register, you could be required to pay a small random amount micropayment to register your key with the merchant. From that point, this key would be required to sign a receipt.

How's that?

Doesn't prove anything.

The CUSTOMER can't sign a receipt and PROVE a payment was made to a merchant.

Merchant can say:
a) customer made up receipt
b) customer send money to someone else
c) customer signed his own bogus scam crap

it provides no proof is the CUSTOMER is signing something to prove the MERCHANT got paid.

merchant doesn't present receipt until payment is made. merchant signs receipt before presenting it to customer for their signature.

The struck part is useless.  Yes that is what this thread is about.  The merchants signature is only useful if there is some mechanism to validate it.  One would also want some mechanism to validate merchant BEFORE paying.  Otherwise you pay, and merchant doesn't sign receipt.  Oops you have no proof of nothing.

update: here is a more detailed proposal for the proposed URI syntax: http://ecdsa.org/bitcoin_URIs.html

The Bitcoin client should keep the signature in its records.

Pardon my ignorance, but doesn't https already signs every response sent by the server?
Or authenticity is assumed due to the knowledge of the common symmetric key used for encryption?

yes, but that's not practical.
do you keep a record of the webpage and its https signature everytime you do a Bitcoin transaction?

It could be practical if you have a browser plugin which saves a https page together with its signature, and that would have a much broader usage. I wonder if such a thing doesn't exist already...

the fact that we don't know if such a thing exists already illustrates my point...
in addition, there are situations where the communication channel is not https, and where signed URIs would still be useful.

Also a key thing to remember is we want the payment address signed BEFORE payment.  

We want to prove not just a payment was made but it was made to an address controlled by the merchant/payee and (optionally) for what purpose. 

Example:
D&T paid ThomasV 100 BTC on 01/17/2012.  
I wouldn't want to rely on website as for example  http:thomasV.com and https://tho.masV.com are different identities.  While I could save the pages & signatures for https://tho.masV.com it doesn't prove anything other than I got scammed.

Compare that to a system where I can obtain ThomasV public key in advance and import it into my wallet.  I then get a payment URL which is signed by ThomasV private key.  The wallet can then notify me that I am not just paying a random bitcoin address I am paying an address signed by ThomasV (or warn me if it isn't signed).  Once I make that payment I now have proof of the time (via block timestamp), the entity paid, and the amount.    By including more information in the payment url (as a note) it eliminates the ability to even say  "no that 100 BTC was for an unrelated order.  I loaned him 100 BTC and he was paying me back".   As an example the protocol should allow (optionally) to include a plain text note ("Order # 12345 for 3 HD 5970 graphics cards").

If ThomasV doesn't deliver, delivers the wrong item, or claims nonpayment all those things can be proven false.

TL/DR version:
The goal is a system/protocol that using digital signatures one can obtain proof of payment for a specific transaction.

This should be possible with bitcoind 0.5 and Bitcoin-Qt 0.6.

I added these features to Electrum.
See the announcement here:
https://bitcointalk.org/index.php?topic=50936.msg735942#msg735942