There needs to be a new bitcoin address format...

[Mike Hearn]

Allowing Trezor to print a verified human readable (domain) name is the purpose of the payment protocol work.

[1715587460]

1715587460

[1715587460]

1715587460

[1715587460]

1715587460

[1715587460]

1715587460

[tpantlik]

Oh please, do not fall for PKI monstrosity - this system is seriously flawed! (I have my own bitter experience with end-users of which ~100 have absolutely no idea how is SSL/PKI works and even how to use it securely!)

21mil BTC for the creator of trustless PKI replacement!

[Atruk]

Oh please, do not fall for PKI monstrosity - this system is seriously flawed! (I have my own bitter experience with end-users of which ~100 have absolutely no idea how is SSL/PKI works and even how to use it securely!)

21mil BTC for the creator of trustless PKI replacement!

PGP + Due Dilligence

I'll cut you a discount. Just send 5.5 BTC to the address in my signature.

[tpantlik]

Oh please, do not fall for PKI monstrosity - this system is seriously flawed! (I have my own bitter experience with end-users of which ~100 have absolutely no idea how is SSL/PKI works and even how to use it securely!)

21mil BTC for the creator of trustless PKI replacement!

PGP + Due Dilligence

I'll cut you a discount. Just send 5.5 BTC to the address in my signature.

Heh    I should have require a foolproof system 

[MatthewLM]

For all those that hate PKI, explain a better solution.

[Atruk]

Oh please, do not fall for PKI monstrosity - this system is seriously flawed! (I have my own bitter experience with end-users of which ~100 have absolutely no idea how is SSL/PKI works and even how to use it securely!)

21mil BTC for the creator of trustless PKI replacement!

PGP + Due Dilligence

I'll cut you a discount. Just send 5.5 BTC to the address in my signature.

Heh    I should have require a foolproof system 

Isn't it amazing how trustproof and fool proof are nearly opposite ends of the spectrum.

[phelix]

Wasn't Namecoin supposed to provide a part of the solution?

Within namecoin you could tie a name to a bitcoin address.
(sendtoname, namecoin/bitcoin keysharing and even throw away addresses: https://en.bitcoin.it/wiki/BIP_0015#Namecoin_ID )

As long as you don't know if the name is legit you have not really added security, though.

Other than using a (central) authoritah only a web of trust comes to mind.

[casascius]

Oh please, do not fall for PKI monstrosity - this system is seriously flawed! (I have my own bitter experience with end-users of which ~100 have absolutely no idea how is SSL/PKI works and even how to use it securely!)

21mil BTC for the creator of trustless PKI replacement!

Adobe's Acrobat/PDF document signing PKI is an example of one that appears to work and be well-managed.

The operative difference is that those who care about the quality of the signatures have a vested interest in a good PKI and would be the last to complain about a loosey goosey PKI that favors convenience over security.

On the other hand, browser makers are far less in control.  They can't just decide that they will throw out the flawed SSL'iverse in favor of their own PKI scheme, or they'd lose market share.

I don't think the idea of PKI is inherently flawed, it's just that the most prominent one is being mismanaged and suffers from poor design.

[Mike Hearn]

Yeah, I have higher hopes for the DNSSEC PKI. It's how things should have worked from the start, but of course the cost of crypto and the US Govts attempts to stifle it made doing a PKI any earlier unworkable.

Unfortunately DNSSEC is still pretty new. It'd make sense to integrate it into the payment protocol after v1 is successfully deployed.

[casascius]

How about the following things that would require no PKI:

1. Some way for a user to know if he's paying someone he has paid before, versus someone he is now paying for the first time.  (Example: imagine paying your power bill with bitcoins.  Pretend you like having a paper power bill.  Every month you get a power bill in the mail and you pay it by scanning a QR code bitcoin address unique to each month's bill.  One month, a scammer sends you a realistic looking power bill but has his bitcoin address on it.  Your bitcoin client ought to have a means to flag something's unusual... this WILL happen, it's just a matter of time!)

2. Some way for a user to get a public key and know that he is paying the owner of that public key.  (Yes, that's how Bitcoin works inherently, but I mean a secondary public key that allows a user to confirm that a certain person must own the address)

3. The "Bitcoin Messaging" system previously discussed in other threads.  This would provide very similar functionality to PGP, except that keys are Bitcoin addresses.  Importantly, functionality would include ensuring you're paying the same person you're talking to, and/or paying the same person whose public key you can verify somewhere else.  As a simple minded example, before paying someone, you could send a bitcoin message to their address and confirm their ability to confirm, verbally for example, that they received it.  If they can confirm they can decrypt the message, you can feel good paying them at the same address.

[Realpra]

... Ideally their client should be smart enough to either say "You're paying Casascius" or "I don't know who you're paying, so you better be sure about this!"

I'm not sure this is possible, the address derives from a key only you know, if it were to derive from your brand name everyone would know the private key.

Seems to me there's no way to get both.

I would suggest letting a beefed computer run a week or a month to create a vanity address for your company and then use that. 1 layer of extra security anyway.
The more serious the company the more money and CPU you could put into it.

[phelix]

What about using data from the blockchain to determine the trustworthiness of an address? If it is not a throw away address it would say a lot.

First seen
Number of tx
Coins received

A hacker would probably use a fresh address. At least for donation addresses this would work well.

You could even calculate a bitcoin inherent web of trust from the addresses you own to the address in question.

[Mike Hearn]

1. Some way for a user to know if he's paying someone he has paid before, versus someone he is now paying for the first time.

It can be useful. You can do it with the existing payment protocol by including a signature with no PKI data. Use ECDSA key recovery on the signature and then record the derived pubkey.

2. Some way for a user to get a public key and know that he is paying the owner of that public key.

That's what the payment protocol does.

[caveden]

Adobe's Acrobat/PDF document signing PKI is an example of one that appears to work and be well-managed.

Well, it works, yes... but it is expensive! I work for a company that among other things has a system that does digital signatures for official documents. They are required to pay 0€15 for each signature they issue, not to mention the enormous costs for being able to issue these signatures in the first place. And that's paying exclusively for Adobe's "recognition". Adobe does't actually do anything, they have absolutely no extra cost when these signatures are issued. But if you want their recognition, open your pockets!

I hope that this implementation for bitcoin is done in such a way that more competition in the "authority market" is available, so that prices are not so high.

[niko]

Interesting ideas. At this moment I wouldn't dare sending someone 1000 coins without at least confirming the last few letters of the address over the phone or through another independant channel.

Be careful - it's pretty easy for someone to generate an address that has the last few characters they want (and first few, for that matter).  People do it all the time with vanity addresses, but it could just as easily be done to try and defeat a simple 'over the phone' check of a few characters of the address.

roy

I thought last few bytes are the checksum. How easy is it to generate a key pair with the public address ending in 4BpiZ?

[becoin]

where someone can paste an address into their Bitcoin client and see a confirmation: "Confirmed, you are paying Rocky Mountain Power Company"

How will you force this user to distinguish between "Confirmed, you are paying Rocky Mountain Power Company" and "Confirmed, you are paying Pocky Mountain Power Company", or "Confirmed, you are paying Rocky Mountin Power Company"?

the whole point of this is so that the signing keys are not on the same system that is distributing the addresses.

Absolutely. Many people just don't understand that there is a difference between the monetary system that is supporting the very existence of a currency and the payment system that is using this currency. There is a reason why these two systems must be kept separate. What casascius is pointing out as an issue has to be solved by improvements in different competing payment systems using bitcoin as a currency. Don't mess with the blockchain, mining or transaction relaying!

[deepceleron]

I thought last few bytes are the checksum. How easy is it to generate a key pair with the public address ending in 4BpiZ?

Unlike the first characters of a Bitcoin address, the possible last characters (including the checksum) are evenly distributed among the Base58 characters, i.e. the chance of the last character of any address you generate being "Z" is 1 in 58. On average, for every 58 addresses you generate, one will end with "Z", and the average time to find a "Z" will be 58 key generations (a 50% chance).

We only need to scale the probability up; for five characters, the chance is 1 in (58^5) - that's 1 in 656356768. Running my vanitygen at 180Kkey/s, I would have a 50% chance of finding one in 3646 seconds (about an hour). In fact, it took me less time:

vanitygen -r -k BpiZ$

(at result 35, of 58 expected on average):

Address: 17piCjuatkXRi8tPJf43fN2bSNeJi4BpiZ
Privkey: 5KJshpZnAygza2goQNB7gsmyvwEwg8CquLZBPgpHCDU8Dg5xCvP

[casascius]

where someone can paste an address into their Bitcoin client and see a confirmation: "Confirmed, you are paying Rocky Mountain Power Company"

How will you force this user to distinguish between "Confirmed, you are paying Rocky Mountain Power Company" and "Confirmed, you are paying Pocky Mountain Power Company", or "Confirmed, you are paying Rocky Mountin Power Company"?

Hypothetically speaking, a properly run PKI prevents people from obtaining certificates to impersonate others, and maintains a trail of recourse.  Example, something like EV SSL, or Adobe's PDF PKI.  The fact that extended validation is even possible attests to a likelihood that you're at least paying somebody who can be identified.

[casascius]

Adobe's Acrobat/PDF document signing PKI is an example of one that appears to work and be well-managed.

Well, it works, yes... but it is expensive! I work for a company that among other things has a system that does digital signatures for official documents. They are required to pay 0€15 for each signature they issue, not to mention the enormous costs for being able to issue these signatures in the first place. And that's paying exclusively for Adobe's "recognition". Adobe does't actually do anything, they have absolutely no extra cost when these signatures are issued. But if you want their recognition, open your pockets!

I hope that this implementation for bitcoin is done in such a way that more competition in the "authority market" is available, so that prices are not so high.

Adobe folks have got to eat too!

I have an Adobe signing key and I paid for the key, there is no per-document charge for my key.  But even if there was one, there is nothing inherently wrong with that, no law of nature says that everything that does not involve an increment in manual labor per transaction must be free, and there are more variables that define value than just the price.

Ironically, the high price serves as a barrier to entry, which itself adds value.  If you represent institution A and want to authenticate a document from institution B, the fact that Joe Blow can't get a similar looking certificate at a negligible cost adds value.  I wish more people understood why "overpriced" stuff derives the price/value it does, there's always more to it than somebody just wanting to overpay for something just because they're gullible or want the satisfaction of having paid too much for something.

[niko]

I thought last few bytes are the checksum. How easy is it to generate a key pair with the public address ending in 4BpiZ?

Unlike the first characters of a Bitcoin address, the possible last characters (including the checksum) are evenly distributed among the Base58 characters, i.e. the chance of the last character of any address you generate being "Z" is 1 in 58. On average, for every 58 addresses you generate, one will end with "Z", and the average time to find a "Z" will be 58 key generations (a 50% chance).

We only need to scale the probability up; for five characters, the chance is 1 in (58^5) - that's 1 in 656356768. Running my vanitygen at 180Kkey/s, I would have a 50% chance of finding one in 3646 seconds (about an hour). In fact, it took me less time:

vanitygen -r -k BpiZ$

(at result 35, of 58 expected on average):

Address: 17piCjuatkXRi8tPJf43fN2bSNeJi4BpiZ
Privkey: 5KJshpZnAygza2goQNB7gsmyvwEwg8CquLZBPgpHCDU8Dg5xCvP

Thanks for taking time to make it clear. I stand corrected.