Contracts and escrow scripts

[mrvision]

I am interested in the content of this article: https://en.bitcoin.it/wiki/Contracts

Specially in this:

In other words, one wants to lock up some coins so a third party has to agree in order for them to be spent:

• Agree with the merchant on a dispute mediator (e.g., ClearCoin).
• Ask the merchant for a public key (K1). Ask the mediator for a public key (K2). Create a new key for yourself (K3).
• Send the merchant K2. The merchant challenges the mediator with a random nonce. The mediator signs the nonce with the private form of K2, thus proving it really belongs to merchant.

Create a transaction (Tx1) with an output script as follows and broadcast it:

2 <K1> <K2> <K3> 3 CHECKMULTISIGVERIFY

Now the coins are locked in such a way that they can only be spent by the following methods:

• Client and the merchant agree (either a successful trade, or merchant agrees to reimburse client without mediation)
• Client and the mediator agree (failed trade, mediator sides with client, like a charge-back)
• The mediator and the merchant agree (goods delivered, merchant gets client's coins despite the dispute)

I'm interested in create a website which allows user A to establish contact with user B so they agree to exchange something for bitcoins...
Instead of keeping the bitcoins in my server i would like to use this kind of script in order to start the mediation if something goes wrong.

So my question...
How do i begin? (i already run an escrow service, but keeping in my wallet the bitcoins until they agree everthing is ok)
Is there a tutorial for this? I know everything is new... but i don't know even if there's a friendly client so users can create this kind of transactions...

[DeathAndTaxes]

Currently there is no full client support.  The reference client supports multi-sig but it requires ALL (in this case 3) keys to the in the SAME wallet.

The "missing link" is support in clients/protocol to support partial signing.  i.e. deal goes good so A partially signs and passes it to B who partially signs and submits it to the network.   Until that is implemented making a third party service is unlikely to be user friendly.  So complete the transaction one or more parties would need to extract their private keys and send them to you so you can combine them into a single wallet and sign the multi-sig tx.  I don't think anyone is going to do that. 

[kjj]

Currently there is no full client support.  The reference client supports multi-sig but it requires ALL (in this case 3) keys to the in the SAME wallet.

The "missing link" is support in clients/protocol to support partial signing.  i.e. deal goes good so A partially signs and passes it to B who partially signs and submits it to the network.   Until that is implemented making a third party service is unlikely to be user friendly.  So complete the transaction one or more parties would need to extract their private keys and send them to you so you can combine them into a single wallet and sign the multi-sig tx.  I don't think anyone is going to do that. 

The raw transaction API will be able to do this soon.  The pull for it (#1818) was merged into master, but I don't think it made it into the 0.7.1 release.  You can use it now if you apply the pull and compile your own bitcoind.  Or, wait until 0.8.0 is released Soon^TM.

If you are going to start doing this, take a look at BIP 10.  It was made for something else, but I think it should work just fine here for passing the stuff around, perhaps with a few changes.

Also see this thread for more information on using it.  In particular, read Gavin's notes.  When you create a multisig address using the API, you get a script, a hash, and the address.  You need the script and the hash when you go to redeem transactions sent to that address.  You can recreate them if necessary, but the keys have to be in the same order when you do.

[mrvision]

Thanks for your answers! I'm starting reading right now!