Bitcoin-qt Sign Message Feature -- Put header/footer around message.

[Economics]

It seems to me the Bitcoin-qt 'Sign Message' feature is a little harder to use than it should be.  Once all of the fields are filled in, it would be more convenient to output a block of text that contains all of the information that should be pasted in to a message.  Also a simple parser that expects this format should be put into the Verify Message side of things.  For example (taken from a PGP Signed message):

-----BEGIN BITCOIN SIGNED MESSAGE-----
Address:  1Bitcoinasdfasdfsadfsadfsadf

Because anyone can claim to be me. There's no validation of the user
name or email address when someone posts a comment. While I do try to
remove imposters, some may slip through. By signing my comments using
this technique, anyone can independently verify that I was the author of
the message by validating the signature.
-----BEGIN BITCOIN SIGNATURE-----
Version: Bitcoin-qt (1.0)

iD8DBQFFxqRFCMEe9B/8oqERAqA2AJ91Tx4RziVzY4eR4Ms4MFsKAMqOoQCgg7y6e5AJIRuLUIUikjNWQIW
-----END BITCOIN SIGNATURE-----


--E

[slashopt]

I was just thinking the same thing.

[etotheipi]

I hate the current incarnation of message signing.  This is why I put out a bounty to get a module implemented in Armory that is backwards compatible with the current Bitcoin-Qt signing (v0), but then expands it (v1) with RFC2440-like formatting, both a clearsign and a base64-encoded version.  The idea was that if I implement it in Armory and try to follow an existing standard, the others might follow:

https://bitcointalk.org/index.php?topic=179422.0

So jackjack got the bounty, and it looks like his solution does exactly what was requested.  I just have to integrate it into Armory and then brag about it.  Then maybe the other apps will do it.  For sure, you should never have to type/copy multiple fields, and what you do end up with should spit out a single window that says "The following message has a valid signature from address X: <...>".  And not show the message if it's not a valid signature. 

[Economics]

Let us know when it's in Armory and we can push for this to be placed into the standard bitcoin client.

--E

[jim618]

I've started using "Economics style" Bitcoin signed messages.

Have a look at the latest release text for MultiBit 0.5.11:

https://bitcointalk.org/index.php?topic=143274.msg2358117#msg2358117

It is virtually identical to your proposed structure except I have moved the signing address into the signature block. This I think has two advantages:

+ The message section purely contains the user's message
+ You can have multiple, independent signatures of the same message and just append the signature blocks.

It is hand crafted at the moment but if it becomes more widely used I expect parsers will appear for the format.

[Dabs]

The bitcoin signature, as implemented, merely proves that whoever made the signature has the private key to the bitcoin address. That is all. No matter what the text or message says, you can't prove what is the veracity or truthfulness of that statement.

So, I've merely used the signing feature to ask people to prove to me that they own the address, by signing a "secret" or something. I usually limit it to one single line, so we don't encounter problems. For example, I can sign the hash string.

1Lotto3CMJwLLpRUPHxkmDXbXqhHC9Jffo
5aa63308ef80e79e36fcab72fd8c043f9b75cf0e6e79b037b31d22c192ddd2d5
H4RGT4OQNT1cBD4viC5T0kggPztqqpETSjgtPY+he3TyrP0INQMFli5ZWOtVhR42HnGaf16icfSSQFTX/EtejpE=

Or in the case of a gambling site like Satoshi Dice or similar, where they normally pay out your winnings to the same address you sent from, I can ask users to sign the new address.

19svkxfDSoNXM5tVjAGojavZQ4H5N9z4Q
1DabsXmraEr18jdEryck8jzcFku873xmRf
H7aUR3JilvL8RewrwVisHoZkz8kf6r3n7TqdkhZ2aStBe0BH6DP4D0a5oNXmrvxv7xteEOA5bvLho0D 46v/hdb4=

The above gives me enough proof that:
1. The owner of 19sv wants to send any possible winnings to 1Dabs.
2. It doesn't matter who 1Dabs is, whether that is another address the same person controls, or a charity, or even a dead-end address.

The format is bitcoin address, message, signature, one per line, just like above. But the bitcoin-qt client does not give an easy way to get all that data in one click.

I understand that this must also be possible to implement on the bitcoind command line client (or daemon or server) so having it output multiple lines might be a problem, especially when it breaks the lines in the middle or something.

[jim618]

I don't think it is a good idea to encourage people to sign binary data / hex. Only get people to sign text they can read. Couple of reasons:

+ signing could very well be legally binding. You should know what you are signing.
+ an attacker might figure out how to get you to sign a valid transaction. You just signed away your money!

[jackjack]

I don't think it is a good idea to encourage people to sign binary data / hex. Only get people to sign text they can read. Couple of reasons:

+ signing could very well be legally binding. You should know what you are signing.
+ an attacker might figure out how to get you to sign a valid transaction. You just signed away your money!

Do you want to stop selling knives too because people can hurt themselves?

[Dabs]

Bitcoin signing doesn't do anything. Nothing is legally binding as far as bitcoin signing is. All it does is prove that someone controls the private key to that particular bitcoin address.

Sending bitcoin is exactly signing a valid transaction. That's how it works.

[jim618]

Re: 'nothing is legally binding'

IANAL but I think it is probably similar to a signed email so it depends what you are signing.

If I sign a message saying:

'I, jim618, will send you, Dabs, $100 to your bank account (your bank account details are specified here) if you send 1.0 bitcoin to my address 1abcdef... by eob 10 June 2013' and sign it with a well known address I control I think that would stand up in court. Also if you posted it saying the money never arrived and gave the txid and your bank statement I think most people would agree as to what happened.

The point I am making is that you only want people to sign things they understand and not encourage them to sign hex.

[jackjack]

Re: 'nothing is legally binding'

IANAL but I think it is probably similar to a signed email so it depends what you are signing.

If I sign a message saying:

'I will send you, Dabs, $100 to your bank account (your bank account details are specified here) if you send 1.0 bitcoin to my address 1abcdef... by eob 10 June 2013' and sign it with a well known address I control I think that would stand up in court.

The point I am making is that you only want people to sign things they understand and not encourage them to sign hex.

Why not hex if they understand what they are signing?

[jim618]

I lived in China for a year. It was drummed into you not to sign anything written in Mandarin without getting a native Chinese speaker to check it over.

Sure if you know what the hex/Mandarin/Tamil/Thai says sign it. If you don't, don't.

I don't think I am being radical here, it's just common sense.

[jackjack]

I lived in China for a year. It was drummed into you not to sign anything written in Mandarin without getting a native Chinese speaker to check it over.

Sure if you know what the hex/Mandarin/Tamil/Thai says sign it. If you don't, don't.

I don't think I am being radical here, it's just common sense.

I see we agree
I just don't understand why you mention hex: "don't sign what you don't understand" is just common sense as you just said, should that be hex, text, picture, mandarin, etc.

[etotheipi]

All it does is prove that someone controls the private key to that particular bitcoin address.

I've seen this a couple times.  It does not prove that someone owns a particular public key:  it proves that the owner of the particular public key approves of the message that was signed.  It's similar to [the intention of] a regular hand-written signature -- you don't sign blank sheets of paper to prove who you are, but you do sign sheets of paper that identify something you agree with.

[freemoney458]

All it does is prove that someone controls the private key to that particular bitcoin address.

I've seen this a couple times.  It does not prove that someone owns a particular public key:  it proves that the owner of the particular public key approves of the message that was signed.  It's similar to [the intention of] a regular hand-written signature -- you don't sign blank sheets of paper to prove who you are, but you do sign sheets of paper that identify something you agree with.

I think it really depends on the content of the message.
If the message just contains hex-like lists of addresses or the like without any meaningful statement, then the signer just prooves that he controls the private key to the address.
If the message contains a meaningful statement like e.g. a contract, the signature prooves that the owner of the public key approves of the message.

I want to point out, though, that it will still remain difficult to proove e.g. in court that the claimed owner of the public key is really the 'real' owner. If e.g. Jim's private key was stolen, the thief could sign messages instead of Jim. So Jim could claim in court that his private key was stolen and that somebody else (not Jim) signed the message with the stolen key. Regardless if a court or people will believe it, I just want to point out that prooving the ownership of the private keys is not the same as prooving your identity.

In some European countries the governments have started to incorporate the ability of electronic signatures into the identity cards. This is intended to identify yourself online in combination with a PIN. A thief would need to steal the ID card and get hold of the PIN. In the above example of Jim, as soon as Jim detects the theft, he will inform the ID card issuer to invalidate the electronic signature. Later in court he will be able to proove that he informed the issuer, freeing him of any responsibility of his stolen electronic signature. Failing to do so will make him liable in court, because he had the ability and the responsibility to inform the card issuer.
Since invalidating public keys is not possible with bitcoin, Jim will have a chance to claim in court that somebody else signed the message.

[Dabs]

OK ok. Bitcoin signing should not be considered binding except as far as the message is concerned, and common sense will tell you what you should or should not sign with bitcoin.

GPG / PGP signing, can be, or should be considered "legally binding". That one uses more bits (typically 2048 up to 4096) of RSA / El G / whatever public/private key crypto, and most all contracts on this forum and important statements are signed with GPG.

So far, the purposes of bitcoin signing are:
1. prove ownership or control of bitcoin address.
2. approve of message signed, or transfer interest (dividends, shares, chips, prizes, whatever) to another address.
3. sign some hex, which doesn't mean anything or can mean something specific, or is the SHA256 result of a longer string of text, (because this is easier to verify compared to signing an entire paragraph because of line breaks, formatting and stuff like that.)

As far as I am aware, there is no revocation of compromised bitcoin addresses, and private keys are sometimes sold (like I'm selling one, because its the sending address of a transaction I made a few weeks ago for some mining thing.)

I can sign a statement or message that says I am someone else, but that doesn't mean anything (or it should not be mistaken for the truth.) It's better to just sign to prove control or ownership.