pushing BIP70 Payment Requests to customers using WebFinger

[johba]

Hi there,

Let's assume I want to have the ability to be invoiced by merchants any time. Of course, they could just send me a signed email with a Bitcoin address, or a payment protocol link, however, I need (the knowledge how-) to confirm the email's authenticity, which is quite difficult for the average user.

Here is a method that could be achieved from within the wallets:

1. I publish a URL that accepts payment requests (could be my married wallet, or a less secure hosted wallet) using WebFinger.
2. I give my email to the merchant.
3. His wallet discovers the "Payment Request push URL", and sends the request.
4. I get notified in my wallet and confirm the payment.

I've written up an example of publishing a Bitcoin address by Email. This would use the same technique to publish an endpoint to charge my wallet with a payment request.

The whole thing would only require a tiny modification for the payment protocol, so that payment requests can be pushed, and a decent implementation of WebFinger for the wallet. The WebFinger protocol is a great feature to be offered by Risk Analysis Services, as they are connected with wallets through multi-sig anyway.

[paulej]

This can work.  I noted you specify how to use WebFist as the way to publish the JRD.  However, you don't need to do that unless your email provider does not support WebFinger.  I run my own WebFinger server and could just publish the JRD directly myself.  In fact, I do. You can query my WebFinger server like this:

$ curl https://packetizer.com/.well-known/webfinger?resource=paulej@packetizer.com

You'll see I have a couple of bitcoin-related entries in mine already (and I show one more below):

Code:

      {
         "rel" : "http://bitcoin.org/rel/address",
         "href" : "bitcoin:17XoqvUCrf12H7Vc7c7uDxib8FDMXFx2p6"
      },
      {
         "rel" : "http://bitcoin.org/rel/payments",
         "href" : "https://secure.packetizer.com/bitcoin_address/?account=paulej",
         "type" : "text/plain"
      },
      {
         "rel" : "http://bitcoin.org/rel/payments",
         "href" : "bitcoin:17XoqvUCrf12H7Vc7c7uDxib8FDMXFx2p6?request=https%3A%2F%2Fblockchain.info%2Fr%3Fid%3Dpaulej"
      }

One of those is just a Bitcoin address.  The other two are Bitcoin payments URIs, though I suspect the latter is more along the lines of what you're expecting to use.  The URIs I use as the link relation types ("rel") are made up, since there is not standard specified for those.  However, I think those are reasonable ones to use and follow standard conventions.

I'm not terribly familiar with BIP70.  I can understand how you might publish a URI to which a payment is made, but how would you receive notifications of payment requests?  Does the wallet poll some location from time-to-time to see if there are requests?

[johba]

In general a Risk Management Service would be a hosted co-signing service. It would be up to a specific implementation how your device is notified.

I chose WebFist, because most users don't have a domain they control.
Do you happen to know if there is any solid implementation of the Fist Bump server except Brad Fitzpatrick's go implementation?

[paulej]

In general a Risk Management Service would be a hosted co-signing service. It would be up to a specific implementation how your device is notified.

I chose WebFist, because most users don't have a domain they control.
Do you happen to know if there is any solid implementation of the Fist Bump server except Brad Fitzpatrick's go implementation?

One month later...

Sorry about the really slow reply.  Somehow, I missed this entirely.  But, I do have an excuse: two weeks traveling and then, as always, slammed at work for another couple of weeks.

Anyway, I'm not aware of other implementations.  I'd suggest pinging Brad to find out.

You're right that few users have domains they control.  However, for WebFinger to be useful, it doesn't necessarily have to be one they control.  For example, if Coinbase offered a WF server, I could tell people to send money to me at paulej@coinbase.com.  The address would not necessarily have to be my personal email address, after all.  It's nice that it might be, but what I personally think is more important is that one can offer an address that is easier to deal with than a big string of base53 characters.