Bitcoin Forum
Author Topic: Can we talk about removing SSL from the payment protocol and put PGP?  (Read 2418 times)
gweedo (OP)
April 10, 2014, 03:38:47 AM
 #41

Say I want to buy some hardware from bitcoinstore.com.  I go to their website, prepare my order and check out.  They send a payment request, signed by some PGP key.  Now what?

So bitcoinstore's servers will look up a PGP key for you, which I am guessing, since you supplied them an email, would be easy in the key server.

Ok, so the merchant's store software looks up the attacker's key and encrypts the store's key so that only the attacker has access to it.  The attacker then decrypts it, and re-encrypts it using your actual key, then signs it using their key, which you think is the store's key.  Got it.  :)

Just kidding.  What will really happen is that the attacker will look up your pubkey, encrypt their key with your key.  Since you have no way to authenticate the store's key, you'll have no idea that it was swapped around.

They take that public key and use it to encrypt the address, which they also signed. Your client takes this, decrypts it and checks the signature; if it is good it displays a green box just like the current payment protocol.

Let's say you don't want your email hashed in the DHT. Then the bitcoind would have its own public key which then can be sent to bitcoin store, and this would only allow a one way verification by the user and not by the site. These would be less trustworthy than the above but would still work.

Keep in mind that the problem we are trying to solve is how I authenticate a key that I've never seen before.  You can't solve that problem with another unauthenticated key.

How would they look up an attacker's key if you have it in a decentralized environment? If they use your email they would get yours, if your private key is compromised then an attacker could read it, but can't sign on behalf of the store.
kjj
April 10, 2014, 03:58:41 AM
 #42

How would they look up an attacker's key if you have it in a decentralized environment? If they use your email they would get yours, if your private key is compromised then an attacker could read it, but can't sign on behalf of the store.

How do they know the email address they are looking up is mine?

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
gweedo (OP)
April 10, 2014, 04:02:44 AM
 #43

How would they look up an attacker's key if you have it in a decentralized environment? If they use your email they would get yours, if your private key is compromised then an attacker could read it, but can't sign on behalf of the store.

How do they know the email address they are looking up is mine?

So let's explore this, I give them a fake email that is in the key server, I get a PGP message, that I can't decrypt and if I can decrypt it I can changed anything cause it is signed. So what is the attack?
kjj
April 10, 2014, 11:06:20 AM
 #44

How would they look up an attacker's key if you have it in a decentralized environment? If they use your email they would get yours, if your private key is compromised then an attacker could read it, but can't sign on behalf of the store.

How do they know the email address they are looking up is mine?

So let's explore this, I give them a fake email that is in the key server, I get a PGP message, that I can't decrypt and if I can decrypt it I can changed anything cause it is signed. So what is the attack?

No.  You give Mallory your email address, she gives the server her address.  The server encrypts the message with Mallory's key, she decrypts it, changes it, signs it with her key, then encrypts it with your key.  You then place the order with Mallory, and send the payment to her bitcoin address.

The server doesn't know how to distinguish your key from Mallory's key, and you don't know how to distinguish Mallory's key from the server's key, because that is the problem we are trying to solve.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
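
The key-substitution problem described in post #44, as an added example that is not part of the original thread: a signature check only proves the message matches whatever key the lookup returned, so a swapped directory entry still shows "green" unless the key is compared against something authenticated. The toy textbook-RSA helpers, the `store@example.com` identity, the placeholder addresses and the out-of-band fingerprint are all assumptions made for illustration.

```python
import hashlib

def toy_keypair(p, q, e=65537):
    # Textbook RSA from two known primes: toy construction, illustration only.
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def fingerprint(pub):
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):
    return pow(_digest(msg, key["n"]), key["d"], key["n"])

def verify(pub, msg, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(msg, pub["n"])

def check_request(directory, identity, msg, sig, pinned_fp=None):
    """Client-side check of a signed payment request."""
    pub = directory[identity]  # lookup by name only: nothing binds key to owner
    if pinned_fp is not None and fingerprint(pub) != pinned_fp:
        return "reject: looked-up key is not the authenticated one"
    return "green" if verify(pub, msg, sig) else "reject: bad signature"

# Constructed sample data (Mersenne primes; addresses are placeholders).
STORE = toy_keypair(2**61 - 1, 2**89 - 1)
MALLORY = toy_keypair(2**107 - 1, 2**127 - 1)
HONEST_DIR = {"store@example.com": public(STORE)}
SWAPPED_DIR = {"store@example.com": public(MALLORY)}  # entry published under the store's name
STORE_FP = fingerprint(public(STORE))  # assumed to reach the buyer out of band

def demo():
    who = "store@example.com"
    real = b"pay 1 BTC to <store-address>"
    fake = b"pay 1 BTC to <mallory-address>"
    return {
        "swapped, no pin": check_request(SWAPPED_DIR, who, fake, sign(MALLORY, fake)),
        "swapped, pinned": check_request(SWAPPED_DIR, who, fake, sign(MALLORY, fake), STORE_FP),
        "honest, pinned": check_request(HONEST_DIR, who, real, sign(STORE, real), STORE_FP),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The pinned fingerprint stands in for any authenticated binding between identity and key; the directory lookup alone supplies none.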
gweedo (OP)
April 10, 2014, 04:40:37 PM
 #45

How would they look up an attacker's key if you have it in a decentralized environment? If they use your email they would get yours, if your private key is compromised then an attacker could read it, but can't sign on behalf of the store.

How do they know the email address they are looking up is mine?

So let's explore this, I give them a fake email that is in the key server, I get a PGP message, that I can't decrypt and if I can decrypt it I can changed anything cause it is signed. So what is the attack?

No.  You give Mallory your email address, she gives the server her address.  The server encrypts the message with Mallory's key, she decrypts it, changes it, signs it with her key, then encrypts it with your key.  You then place the order with Mallory, and send the payment to her bitcoin address.

The server doesn't know how to distinguish your key from Mallory's key, and you don't know how to distinguish Mallory's key from the server's key, because that is the problem we are trying to solve.

That can easily be solved with a proof of burn or some sort of proof of stake.
kjj
April 10, 2014, 04:42:31 PM
 #46

That can easily be solved with a proof of burn or some sort of proof of stake.

Ha!

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
gweedo (OP)
April 10, 2014, 04:56:42 PM
 #47

That can easily be solved with a proof of burn or some sort of proof of stake.

Ha!

Well, think about if it cost $10 for someone to put a PGP key into the DHT, then that would probably solve the problem of them registering a fake one.