The first reason would be when a person/entity is owed a specific amount of bitcoin (measured in bitcoin) (either because they borrowed money, because they were provided goods/services or otherwise), but cannot pay the entire amount all at once
This does fit within the model of "address as an invoice number", and it's strictly less harmful than other kinds of reuse. Though it would certainly be possible to provide multiple addresses for this purpose (the payment protocol accommodates this, IIRC). There may be reasons why the receiver cannot handle funds split up, and so the
willingness to accept multiple payments really should be established up front or no payment should be made.Absolutely. Some people explicitly say that they destroy private keys after they are used so without this confirmation it is possible that one of you will be out whatever is sent to the address. I was speaking more in the context of the practice of reusing addresses. If reusing addresses is so frowned upon that the miners will not accept transactions sent to a reused address then this application would not work.
Another reason to reuse an address would be to maintain the integrity of a charity
This application was my primary inspiration for the type-2 deterministic wallet proposal, which became BIP32: The FSF started accepting Bitcoin donations and they asked about being able to issue receipts for donation in order to comply with
IRS requirements for 501(c)(3) chartable contributions over $250 in value. Doing so required they use one address per contribution but they did not want to generate private keys on an exposed web server which could be hacked.
In theory someone could send payment to a public address, then provide a signed message from a 'sending' address to get a receipt (although it is not always possible to accurately determine the sending address of a particular transaction). I would agree that a deterministic wallet would work better, as long as it can be confirmed to be associated with a 'master' key that is well known. This still has privacy draw backs because someone with enough resources could link all the addresses as being controlled by a single entity.
If potential donors had to contact, say the American Red Cross every time they wanted to make a donation then the money would not make it to the Red Cross in the event their website gets hacked (and the hacker directs donors to send bitcoin to address that the hackers control).
Using an extended pubkey to receive funds allows the sender to verify the correct receiver statically without reusing addresses. Though this is not yet common.
I mostly responded to this above. However I do think this may be too complicated for the 'average' person to verify.
I would argue that the benefits gained by using a single address in these scenarios (especially the latter) outweigh the drawbacks.
Considering that the donor's ability to deduct donations is lost completely for donations over $250 if the recipient cannot issue receipts, and in the US an organization accepting quid-pro-quo donations without issuing receipts (which they cannot do if they're reusing addresses) is in violation of the tax code and could be subject to fines, I question your cost/benefit analysis in that context.
I would now agree when it comes to 501(c)(3) charities, however there are other "good causes" that are not tax deductible , some examples would be the forum, political parties (there is a limit as to how much a person can donate per time period today - this may change in an upcoming supreme court case), Snowden, wikileaks
