There isn't a widely used transport layer standard for OpenPGP, which is what the protocol needs, so TLS is probably a better choice then PGP for the actual encryption.
This is very much false, all information could be encrypted using the public key of the user that wants to send the bitcoins and then decrypt by their machine. Also I wouldn't include gpg into the actually bitcoin client I would have it called out to the shell so their is a disconnect of passwords and stuff. |
|
|
|
Yes SSL protocol supports it but no browsers (Firefox does) really support that feature, no web server really makes use of that of feature. So what makes bitcoin going to support? How would Bitcoin support PGP client public keys? Whatever the solution replace PGP public key with SSL Client cert. Not saying SSL is better but not seeing how we gain anything by going to PGP. Well the X509 also isn't that strong. I mean if people think that SSL cert would work better in a decentralized environment I am open to it but I don't think SSL certificates aren't strong enough for this. Ok now we are talking or at least to the heart of the matter. Do you have a cite or link where X509 would fail that PGP wouldn't? Well technically you can use a X509 to relay pgp information. I think a PGP certificate would be stronger and better in this case. Also X509 is weak with the signature algorithms, you don't need a link to show that. |
|
|
|
With PGP we could validate two way, that the company is talking to the right user and user could be talking to the right company. That is a valid point although SSL does support client certs. Bitcoin would be extended to expose that support making it identical to PGP in that respect. Yes SSL protocol supports it but no browsers (Firefox does) really support that feature, no web server really makes use of that of feature. So what makes bitcoin going to support? Also PKI are expensive so we can't really have any community involvement this yet. Where is we used a key server that was decentralized like using a DHT, we can then not have to worry about hacks on CA's or it being expensive to start your own. We also could use each full node be a key server and then you query everyone of them for the public key for the company you want to validate from. With majority rule on what is the correct public key. All of that can be done with SSL self signed SSL certs as well. I guess my point is you seem to be indicating that CA = bad therefore don't use SSL. SSL can be used in a self signed fashion. You could have SSL self signed key servers, you could load them into the network DHT style essentially replace public key in your example with SSL cert and the same thing applies. Well the X509 also isn't that strong. I mean if people think that SSL cert would work better in a decentralized environment I am open to it but I don't think SSL certificates aren't strong enough for this. |
|
|
|
If you write good patches to add PGP/WoT authentication, I suspect they would be merged in a heartbeat.
As far as I can tell, no one is opposed to such a thing, they just don't think it has a very good payoff to effort ratio compared to authentication using the global SSL PKI. Because of this, it is not a good candidate for being built first. If you disagree, feel free to write some code, or convince/bribe someone to do so.
Indeed. 100% agreed. I'm certainly not against better, more distributed alternatives to the payment protocol. BIP0070 was not meant as the be-all and end-all idea, but a immediate workable solution. But there has been enough talk on this subject. Long, handwavy discussions are just not useful. Show us code. Yes I agree that code is the overrules talking about it, but by having these talks I am hoping to get a developer who could do this and has the time. Right now many of us just don't have the time to develop this protocol write the features and then convince people to use it. I don't think a bounty is appropriate with this feature. |
|
|
|
Not trying to flame gweedo but what would we gain from using PGP over say self signed SSL cert? SSL doesn't need to mean that CA are used.
Well first SSL cert are one-way. You only validate them for the company you are connecting to. With PGP we could validate two way, that the company is talking to the right user and user could be talking to the right company. Also PKI are expensive so we can't really have any community involvement this yet. Where is we used a key server that was decentralized like using a DHT, we can then not have to worry about hacks on CA's or it being expensive to start your own. We also could use each full node be a key server and then you query everyone of them for the public key for the company you want to validate from. With majority rule on what is the correct public key. |
|
|
|
Mike Hearn got his already for free...
He did not get his for free. I don't understand where did you get this information :-/ So then he got his early, I do have my own sources that could be wrong that told me this information. Still unacceptable in my eyes, can you at least give a target date for shipping? |
|
|
|
If you write good patches to add PGP/WoT authentication, I suspect they would be merged in a heartbeat.
As far as I can tell, no one is opposed to such a thing, they just don't think it has a very good payoff to effort ratio compared to authentication using the global SSL PKI. Because of this, it is not a good candidate for being built first. If you disagree, feel free to write some code, or convince/bribe someone to do so.
Yes I know if I want it I should write it myself. I just don't have the time. |
|
|
|
With BFL you were loosing revenue while waiting longer for your device to arrive, if you cannot see the difference then you maybe shouldn't have pre-ordered this product in the first place.
I'm also eager to receive my device, but I do understand that delivering this product only when it is rock solid in performance and security is key!
There is no gain in receiving this product when it is not completely ready.
Besides I'm sure that you can sell your pre-order easily for the dollar amount you paid, you might even make a little profit.
I'm a software developer, why can't I opt in to receive mine early? I have no problem upgrading firmware down the road. Yeah, good idea, I'll just sell my preorder now for 1/5 of what I paid! yeah I am even getting a little upset now, in the beginning I would have explain to you how you invested in a hardware startup and it isn't easy. Well now I am out 3 BTC and this device still hasn't come they missed many deadlines and now we don't even have a deadline. I wish I could get my bitcoins back but that isn't an option, as they were used to build this device. I wish stick and slush would give at least a target date to get these shipped. Mike Hearn got his already for free... Kinda disappointed when I saw that. People that paid are still waiting and he got his already for free? But you going to do nothing just have sit here and take it. Worst investment I ever made. |
|
|
|
|
Multibit has no api so this would not be able to happen.
|
|
|
|
Armory offline and online are both safe right?
I'm using Armory 0.8.x
Yes because it doesn't bitcoind rpcssl. |
|
|
|
|
Switch cause I think bitcoin would tank and this new coin would explode.
|
|
|
|
tail -f ~/.bitcoin/debug.log
That is going to be your friend in SSH. It will tell you what block and the progress of completion. |
|
|
|
|
"At midnight" made fun of bitcoins.
|
|
|
|
How about alt-coin-wallets based on pre-0.9 code?
Yes alt-coin wallets are affected. Unless they switched out openssl. |
|
|
|
|
I think PGP would be better than SSL, plus all can be keyservers or a DHT keyserver. It really wouldn't be too hard to add this. I think we need to reopen this discussion. Remember the payment protocol doesn't hinder users because of how technical it is but companies that want to use bitcoins can easily do this.
|
|
|
|
However the problems really happen on the weekend when I start drinking to excess. And tell them that i hate my job and want to kill myself. so i think i have an alcohol problem and it has nothing to do with programming.
Get therapy first, if you aren't happy with yourself then you will never be happy at work. |
|
|
|
Most users have absolutely no reason to upgrade. SSL isn't used in the Bitcoin protocol.
Only users who use bitcoind RPC calls over SSL/TSL connection have any potential vulnerability.
Do you not use bitcoind RPC? Then there is no urgent need to upgrade.
Do you use bitcoind RPC but don't use SSL? Then there is no urgent need to upgrade.
Do you use bitcoind RPC over SSL? Then you should halt your bitcoind server and upgrade before restoring access.On edit: Bad information. The payment protocol uses SSL any user could already be compromised if they used the new payment protocol "feature". Upgrade now or if you can't shutdown the client and don't restart it until such time as you can upgrade. Isn't ssl used at the merchant? How's this effect our wallet? SSL is used as both ends of the connection. I don't know enough about the new payment protocol "feature" to provide guidance on the scope and severity of a compromise. Since this is money we are talking about it is likely a good idea to be overly cautious. Basically they are saying that SSL certificate could be compromised, which in turn could allow an attack slip his address into the payment protocol and you wouldn't know. |
|
|
|
|
I agree Jim should have been more helpful. I am pretty sure as the move to MultibitHD they said they would support some major bug fixes to the classic version, this sounds like a rare but major bug. I think jim should be more hopefully and honestly if you need to do something, you can put the code down for three days and get some lights for your house come on we aren't north korea.
I would have multi-bit removed from the bitcoin.org page. Also as Java developer I didn't see any code for multi-bit HD I would gladly help them if they are that stressed out. I don't have much free time but I know bitcoinj very well.
|
|
|
|
|
Capitalism most people don't understand it and that manifested jealous turns into rage like this.
|
|
|
|
Are you serious?
How come there will be bitcoin merchant script without bitcoind? How do you think addresses will be generated from?
Master public key can always be used. You can always check out my site, https://apicoin.io a lot more secure (we don't hold any user funds) and robust and we promote the use of cold storage/disconnect rather than a wallet stored on a server. |
|
|
|
|
Show Posts
