Bitcoin Forum
Topic: Feature request: signing a text with a wallet key (Read 7397 times)
grondilu (OP) | December 20, 2010, 07:28:03 AM | #1

I'd like to be able to use one of my wallet keys to sign an ASCII text.

Syntax of the command would be:

Code:
$ bitcoind signwithaddress BITCOIN_ADDRESS < somefile > somefile.asc
$ bitcoind verifysignature < somefile.asc
correct signature done on DATE by address BITCOIN_ADDRESS
Message was :
....

somefile.asc could be written in a form such as:

---- BEGIN ECDSA SIGNED MESSAGE ----
...
---- END ECDSA SIGNED MESSAGE ----

Or something like that.

caveden | December 20, 2010, 10:21:39 AM | #2

This would be nice.

Actually it would be even nicer if we could treat our wallet.dat file as a generic keystore, importing and exporting keys.
This would allow merging and splitting of wallets as well, besides signatures as suggested above.
grondilu (OP) | December 20, 2010, 10:33:36 AM | #3

Quote from: caveden
Actually it would be even nicer if we could treat our wallet.dat file as a generic keystore, importing and exporting keys.
This would allow merging and splitting of wallets as well, besides signatures as suggested above.

+1

gene | December 20, 2010, 12:02:47 PM | #4

This violates the "one job and do it well" philosophy. There already exist established standards for cryptographic signatures.

*processing payment* *error 404 : funds not found*
Do you want to complain on the forum just to fall for another scam a few days later?
| YES       |        YES |
grondilu (OP) | December 20, 2010, 12:14:08 PM | #5

Quote from: gene
This violates the "one job and do it well" philosophy. There already exist established standards for cryptographic signatures.

OK then, someone tell me how I can:

- extract an ECDSA private key from a wallet file;
- use this key to sign data;
- verify data signed this way;

gene | December 20, 2010, 12:20:05 PM | #6

Quote from: grondilu
Quote from: gene
This violates the "one job and do it well" philosophy. There already exist established standards for cryptographic signatures.

OK then, someone tell me how I can:

- extract an ECDSA private key from a wallet file;
- use this key to sign data;
- verify data signed this way;


My point is that bitcoin is a currency. It shouldn't be in the business of general-use public key crypto. If you want to sign data, something like gpg would do a better job. You can already associate a gpg key to an account. I think it would be best to avoid encumbering bitcoin with redundant functionality. We should be mindful that with features come code. Code which must be written, debugged, maintained... and code which may potentially be exploited. The slimmer bitcoin remains, the better.

grondilu (OP) | December 20, 2010, 12:28:14 PM (last edit: December 20, 2010, 02:55:25 PM by grondilu) | #7

Quote from: gene
We should be mindful that with features come code. Code which must be written, debugged, maintained... and code which may potentially be exploited. The slimmer bitcoin remains, the better.

Well, I guess you're right.

davout | December 20, 2010, 12:30:35 PM | #8

Quote from: gene
This violates the "one job and do it well" philosophy. There already exist established standards for cryptographic signatures.

That's a Unix principle, not a bitcoin one.

I like this feature, it's not overloading the protocol in any way and I can see a bunch of potential uses.

Opened a git issue: https://github.com/bitcoin/bitcoin/issues/issue/6

gene | December 20, 2010, 12:39:37 PM | #9

Quote from: davout
Quote from: gene
This violates the "one job and do it well" philosophy. There already exist established standards for cryptographic signatures.

That's a Unix principle, not a bitcoin one.

I like this feature, it's not overloading the protocol in any way and I can see a bunch of potential uses.

Opened a git issue: https://github.com/bitcoin/bitcoin/issues/issue/6

It all depends on what you want bitcoin to be. If you wish for it to become a monolithic application which can perform arbitrary cryptographic functions, by all means, go for it. I think this would be exactly the wrong way to go. I want bitcoin to succeed as a currency. The slimmer the standard and codebase, the easier it is to develop portable implementations and improve chances for adoption. Really, how hard is it to associate a pgp key to an account?

Security is also of paramount importance for bitcoin, and you can't exploit code that doesn't exist.

caveden | December 20, 2010, 12:40:56 PM | #10

Quote from: gene
My point is that bitcoin is a currency. It shouldn't be in the business of general-use public key crypto.

Signing with a bitcoin private key provides proof of ownership. This may have many use cases. It's a good feature.

Also, being able to split/merge wallets is interesting too. Today maybe not much, since transfers are free. But they won't remain free forever, and even today, each transfer does imply a small cost to the entire network. Merging/splitting wallets would be a way to move money around without using the chain. It's also a good feature to have.

Quote from: gene
You can already associate a gpg key to an account.

Can you? I don't know how... I thought the account feature wasn't even public... can anyone know how much I own on account X just by checking the block chain?
How do I create a key related to this account and use it to sign something, proving that I am the owner of such amount?
caveden | December 20, 2010, 12:47:11 PM | #11

Quote from: gene
It all depends on what you want bitcoin to be. If you wish for it to become a monolithic application which can perform arbitrary cryptographic functions, by all means, go for it.

It doesn't need to be monolithic. The code that manages the wallet doesn't have to be the same that interacts with the network. They'd better not be, imho.

The wallet is a specific type of keystore. As a keystore, it would be nice to be able to import/export keys, and actually use them.

For example, another use case would be to encrypt some message for the owner of address X only. It could be encrypted using the public key of such address. The receiver must be able to retrieve the corresponding private key and use it to decrypt the message.
gene | December 20, 2010, 12:48:44 PM | #12

Quote from: caveden
Quote from: gene
My point is that bitcoin is a currency. It shouldn't be in the business of general-use public key crypto.

Signing with a bitcoin private key provides proof of ownership. This may have many use cases. It's a good feature.

Proof of ownership of an account number? Or of funds in an account? Proof of ownership of an account number can be done with pgp.

Quote from: caveden
Also, being able to split/merge wallets is interesting too. Today maybe not much, since transfers are free. But they won't remain free forever, and even today, each transfer does imply a small cost to the entire network. Merging/splitting wallets would be a way to move money around without using the chain. It's also a good feature to have.

Perhaps, but I see this as an issue separate from signatures.

Quote from: caveden
Quote from: gene
You can already associate a gpg key to an account.

Can you? I don't know how... I thought the account feature wasn't even public... can anyone know how much I own on account X just by checking the block chain?
How do I create a key related to this account and use it to sign something, proving that I am the owner of such amount?

You can associate a public key to an arbitrary identity, not just a name or email address. Gpg allows this. If you want to prove you hold certain funds in an account, I am not sure how extending bitcoin to perform cryptographic signatures can help.

*processing payment* *error 404 : funds not found*
Do you want to complain on the forum just to fall for another scam a few days later?
| YES       |        YES |
davout | December 20, 2010, 01:01:53 PM | #13

Quote from: gene
Proof of ownership of an account number? Or of funds in an account? Proof of ownership of an account number can be done with pgp.

Proof of ownership of the actual funds.

Quote from: gene
Quote from: caveden
Can you? I don't know how... I thought the account feature wasn't even public... can anyone know how much I own on account X just by checking the block chain?
How do I create a key related to this account and use it to sign something, proving that I am the owner of such amount?

You can associate a public key to an arbitrary identity, not just a name or email address. Gpg allows this. If you want to prove you hold certain funds in an account, I am not sure how extending bitcoin to perform cryptographic signatures can help.

You can't associate a key with an account. They're managed internally by the client.

Point is you can prove ownership of funds by signing arbitrary data with a private key, so I see this feature as very useful.

caveden | December 20, 2010, 01:08:53 PM | #14

Quote from: gene
Proof of ownership of an account number? Or of funds in an account? Proof of ownership of an account number can be done with pgp.

I meant the funds. But even the account number, how do you prove it's yours? The account numbers go to the chain somehow?

Quote from: gene
Quote from: caveden
Also, being able to split/merge wallets is interesting too. Today maybe not much, since transfers are free. But they won't remain free forever, and even today, each transfer does imply a small cost to the entire network. Merging/splitting wallets would be a way to move money around without using the chain. It's also a good feature to have.

Perhaps, but I see this as an issue separate from signatures.

Well, if you can export keys, you can sign with them using an external tool at least.

Quote from: gene
You can associate a public key to an arbitrary identity, not just a name or email address. Gpg allows this.

As far as I understand, the link "gpg key" => "arbitrary identity" is possible, since proof of gpg key ownership is possible through signature.
But "arbitrary identity" => "gpg key" I can't see how, since there's no generic way to prove ownership of an arbitrary identity.

Like, I can create a GPG key and link it to your name. But that isn't my name. See what I mean?

Quote from: gene
If you want to prove you hold certain funds in an account, I am not sure how extending bitcoin to perform cryptographic signatures can help.

You just sign something with the same private key that owns the coins and that's it, you prove you own such coins. The other party just needs to check the block chain to confirm.
gene | December 20, 2010, 01:51:43 PM | #15

Quote from: davout
Quote from: gene
Proof of ownership of an account number? Or of funds in an account? Proof of ownership of an account number can be done with pgp.

Proof of ownership of the actual funds.

Interesting. To what ends? What good is the proof after the proof has been generated?

Quote from: davout
Quote from: gene
Quote from: caveden
Can you? I don't know how... I thought the account feature wasn't even public... can anyone know how much I own on account X just by checking the block chain?
How do I create a key related to this account and use it to sign something, proving that I am the owner of such amount?

You can associate a public key to an arbitrary identity, not just a name or email address. Gpg allows this. If you want to prove you hold certain funds in an account, I am not sure how extending bitcoin to perform cryptographic signatures can help.

You can't associate a key with an account. They're managed internally by the client.

What about this?
Code:
$ gpg -k yourbitcoinaddresshere
pub   1024D/deadb33f 2010-01-11 [expires: never]
uid                  yourbitcoinaddresshere
sub   2048g/beefd34d 2010-01-11 [expires: never]

Quote from: davout
Point is you can prove ownership of funds by signing arbitrary data with a private key, so I see this feature as very useful.

You can prove ownership of funds at the time you make a signature? What good does that do you after the time of signature?

===
Quote from: caveden
Quote from: gene
Proof of ownership of an account number? Or of funds in an account? Proof of ownership of an account number can be done with pgp.

I meant the funds. But even the account number, how do you prove it's yours? The account numbers go to the chain somehow?

That's where trust comes in. The old PKI/WOT issue.

Quote from: caveden
Quote from: gene
Quote from: caveden
Also, being able to split/merge wallets is interesting too. Today maybe not much, since transfers are free. But they won't remain free forever, and even today, each transfer does imply a small cost to the entire network. Merging/splitting wallets would be a way to move money around without using the chain. It's also a good feature to have.

Perhaps, but I see this as an issue separate from signatures.

Well, if you can export keys, you can sign with them using an external tool at least.

Quote from: gene
You can associate a public key to an arbitrary identity, not just a name or email address. Gpg allows this.

As far as I understand, the link "gpg key" => "arbitrary identity" is possible, since proof of gpg key ownership is possible through signature.
But "arbitrary identity" => "gpg key" I can't see how, since there's no generic way to prove ownership of an arbitrary identity.

Like, I can create a GPG key and link it to your name. But that isn't my name. See what I mean?

See above.

Quote from: caveden
Quote from: gene
If you want to prove you hold certain funds in an account, I am not sure how extending bitcoin to perform cryptographic signatures can help.

You just sign something with the same private key that owns the coins and that's it, you prove you own such coins. The other party just needs to check the block chain to confirm.

Maybe I am overlooking something critical. What is the point of telling somebody how much money you have at some instant, when at any subsequent time, the proof is no longer valid?

caveden | December 20, 2010, 02:00:14 PM | #16

Quote from: gene
That's where trust comes in. The old PKI/WOT issue.

If you depend on trust you're not proving anything. Normally proofs are asked exactly when there isn't enough confidence.

Quote from: gene
Maybe I am overlooking something critical. What is the point of telling somebody how much money you have at some instant, when at any subsequent time, the proof is no longer valid?

The proof is valid while the funds remain in the same address. They may remain there for a long time.
Gavin Andresen (Chief Scientist) | December 20, 2010, 02:07:46 PM (last edit: December 20, 2010, 03:10:00 PM by gavinandresen) | #17

I like this feature request; I think it will enable even more interesting uses of bitcoin.  I created a feature request at github for it.

Example:  a store that accepts bitcoins could verify that a customer sending in a question about some transaction actually IS the same person who sent them the bitcoins, by asking the customer to sign their message using one of the same bitcoin addresses they used to sign the coins.

If the "store" is a privacy-focused VPS provider and the question is "Hey, I lost the root password to the virtual server, could you generate a new one and encrypt it with this gpg public key", then tying that message to a bitcoin transactions is extremely useful.

How often do you get the chance to work on a potentially world-changing project?
davout | December 20, 2010, 02:10:32 PM | #18

Quote from: gene
Interesting. To what ends? What good is the proof after the proof has been generated?

It's still good and can be re-checked at any time against the block chain data.

Quote from: gene
What about this?
Code:
$ gpg -k yourbitcoinaddresshere
pub   1024D/deadb33f 2010-01-11 [expires: never]
uid                  yourbitcoinaddresshere
sub   2048g/beefd34d 2010-01-11 [expires: never]

Quote from: davout
Point is you can prove ownership of funds by signing arbitrary data with a private key, so I see this feature as very useful.

You can prove ownership of funds at the time you make a signature? What good does that do you after the time of signature?

That's basically what's being discussed here, being able to use the bitcoin wallet as a keystore, which it ultimately is.
Also, as stated earlier, signatures prove you own the private key that matches an address, an address balance can be checked at any time.

Quote from: gene
That's where trust comes in. The old PKI/WOT issue.

No trust is involved, at any point.

Quote from: caveden
Well, if you can export keys, you can sign with them using an external tool at least.

The point is not to sign the keys, but sign using the keys.

Quote from: gene
See above.

That is pretty much what is being requested as a feature.

Quote from: gene
If you want to prove you hold certain funds in an account, I am not sure how extending bitcoin to perform cryptographic signatures can help.

Performing the signatures or exporting the keys pretty much solves the problem of easily proving ownership of funds.
I would like to see the signature part in the main client, it does not add overhead to the protocol/blockchain *at all* and can be forked and patched by you if you disagree with the consensus that seems to emerge.

Quote from: gene
Maybe I am overlooking something critical. What is the point of telling somebody how much money you have at some instant, when at any subsequent time, the proof is no longer valid?

You are overlooking lots of things and you should probably spend some time reading about how bitcoin works.

Gavin Andresen (Chief Scientist) | December 20, 2010, 02:13:37 PM | #19

Oh, and RE: extracting private keys from the wallet:

I'm less excited about that idea.  What if the private keys are stored in a tamper-proof "trusted security module" hardware doo-hickey, and are impossible to export?

grondilu (OP) | December 20, 2010, 02:42:04 PM | #20

Gosh I've just noticed that this thread has gone long.

I haven't read everything, but I'd like to explain why I wanted this feature.

I am writing a CGI script for my private stockholdings brokerage system.

To that end, instead of using passwords, I wanted to use private keys.  So naturally I was planning to use GnuPG.  But during writing, I realised at some point the owner should send a bitcoin address where to receive dividends.  It seemed to me that I was using two key pairs (a GnuPG one, and an ECDSA one), in order to identify the same person.  Since only ECDSA is really necessary (dividends have to go somewhere in the end), I realised that it might be better to identify the owner with this pair.  It would also be better for confidentiality (since most GnuPG keys use real names).

caveden | December 20, 2010, 02:48:28 PM | #21

Quote from: Gavin Andresen
What if the private keys are stored in a tamper-proof "trusted security module" hardware doo-hickey, and are impossible to export?

If it's impossible it's impossible :) Nothing to be done.
But why not be able to export them when it is possible? It's your keystore anyway, you should be able to manipulate it.
grondilu (OP) | December 20, 2010, 02:59:59 PM | #22

I agree with gene when he says it should not be a bitcoin feature.  I was wrong to ask for another subcommand of the bitcoind command.

But could someone please work on a completely separate application that would read the wallet and use private ECDSA keys to sign documents?

gene | December 20, 2010, 05:16:11 PM | #23

Quote from: caveden
Quote from: gene
That's where trust comes in. The old PKI/WOT issue.

If you depend on trust you're not proving anything. Normally proofs are asked exactly when there isn't enough confidence.

You are correct in making the distinction between trust and "proof" via cryptographic transforms, so forgive me if I am repeating something you already understand. I am also writing to others who may not be as familiar with some of these concepts. However, when it comes to a digital ID (be it a bitcoin address or a PGP ID) there are some qualities that you can take at face value. For example, if a digital signature matches a public key, you can be quite certain that the corresponding private key created it. You are less certain, however, about who actually controls the private key. You now face an issue of trust. Do you trust the person to not allow his key to be stolen? Do you trust the people that vouched that a key matches a certain name? Do you trust the ID card or passport that says that John Smith is who he says he is and that the name matches the key? The issues are orthogonal.

So, if I have a bitcoin ID, the question (or at least what I interpreted as the question) is "how do I let someone know that this really is my account number and not to send money to other accounts who claim to be me?" Again, this is a trust issue. Typically, it is handled using either a centralized chain of trust (PKI {SSL certs}) or a distributed chain of trust (Web of Trust {PGP, CaCert(actually a hybrid), etc}). What the OP suggested was essentially to use bitcoin's private keys as a general form of digital ID, similar to the way PGP keys are already used. My point was that such functionality already exists in well-tested and standardized tools, such as GnuPG and that reproducing those features would not help bitcoin. In fact, by invoking well-known arguments pertaining to the unwelcome effects of increasing codebase complexity, I conjecture that the additional code would likely hurt it.

Incidentally, all these issues of trust have been well explored for many years, with much credit to the cypherpunks in the 90s (and digital cash, of course).

Quote from: caveden
Quote from: gene
Maybe I am overlooking something critical. What is the point of telling somebody how much money you have at some instant, when at any subsequent time, the proof is no longer valid?

The proof is valid while the funds remain in the same address. They may remain there for a long time.

Emphasis mine. In general, the balance can change immediately. If you are saying what I think you are saying, then this functionality offers sharply limited practical use. If I am trying to buy something that costs 20BTC and I only have 10BTC, the transaction will fail immediately. At no point does the seller need to know how much money I have in my account. All he really has to know is if I produce enough to complete the transaction. Bitcoin is not a system of credit, it is a currency. Its entire appeal is that it behaves like cash.

Quote from: davout
<lots of stuff by davout>

I think that we're talking past each other.

Can you please explain a situation where one would like to prove the amount of money in an account at some point in time? Are you planning on paying taxes? The benefits would have to outweigh the considerable drawbacks of implementation and maintenance, requiring a compelling argument.

Quote from: davout
That is pretty much what is being requested as a feature.

The OP requested (very concisely) the ability to use a bitcoin private key to sign data. I can detect no mention of anything else in what he wrote.

Quote from: grondilu
I agree with gene when he says it should not be a bitcoin feature.  I was wrong to ask for another subcommand of the bitcoind command.

It wasn't wrong for you to ask. That's what discussions are for.

jgarzik | December 20, 2010, 05:20:53 PM | #24

Quote from: Gavin Andresen
Oh, and RE: extracting private keys from the wallet:

I'm less excited about that idea.  What if the private keys are stored in a tamper-proof "trusted security module" hardware doo-hickey, and are impossible to export?

I put this under the category of "I own my data, and should be able to do with it what I want."

Being able to import and export bitcoin keypairs to/from wallets seems an obvious need to me.

Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.
Visit bloq.com / metronome.io
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
davout | December 20, 2010, 05:53:10 PM | #25

Quote from: gene
Can you please explain a situation where one would like to prove the amount of money in an account at some point in time? Are you planning on paying taxes? The benefits would have to outweigh the considerable drawbacks of implementation and maintenance, requiring a compelling argument.

Well, I can think of plenty of cases where I want to check that someone actually has the funds he claims before conducting some business. None of them involving taxes.

You seem to think that such a signature would be valid only at a certain point of time, it isn't the case.
If I sign arbitrary data with one of my private keys, it just basically means that I get to spend the funds associated with the bitcoin address, the available amount to an address is publicly visible from the blockchain.

So at the time of signature I can say "okay this person has 10 BTC available", I can also come back two weeks later and see that the signature only credits its owner with 1.42 BTC.

gene | December 20, 2010, 06:04:18 PM | #26

Quote from: davout
Quote from: gene
Can you please explain a situation where one would like to prove the amount of money in an account at some point in time? Are you planning on paying taxes? The benefits would have to outweigh the considerable drawbacks of implementation and maintenance, requiring a compelling argument.

Well, I can think of plenty of cases where I want to check that someone actually has the funds he claims before conducting some business. None of them involving taxes.

You seem to think that such a signature would be valid only at a certain point of time, it isn't the case.
If I sign arbitrary data with one of my private keys, it just basically means that I get to spend the funds associated with the bitcoin address, the available amount to an address is publicly visible from the blockchain.

So at the time of signature I can say "okay this person has 10 BTC available", I can also come back two weeks later and see that the signature only credits its owner with 1.42 BTC.

I think I understand, but can't we already do that via blockexplorer? Why not just do something like this:

I identify myself as Joe and generate a corresponding PGP key (sorry to keep going back to PGP, but it is easier than saying "your public key software of choice"). I can then send a signed message with my bitcoin address to a recipient who already trusts that I am Joe and that it is my PGP key. Simply copy the bitcoin address from your gui or whatever and pgp/gpg away. In fact, I already do exactly this with some regularity, although my name may or may not really be Joe.

*processing payment* *error 404 : funds not found*
Do you want to complain on the forum just to fall for another scam a few days later?
| YES       |        YES |
davout | December 20, 2010, 06:11:14 PM | #27

Quote from: gene
I understand, but can't we already do that via blockexplorer? Why not just do something like this:

I identify myself as Joe and generate a corresponding PGP key (sorry to keep going back to PGP, but it is easier than saying "your public key software of choice"). I can then send a signed message with my bitcoin address to a recipient who already trusts that I am Joe and that it is my PGP key. Simply copy the bitcoin address from your gui or whatever and pgp/gpg away. In fact, I already do exactly this with some regularity, although my name may or may not really be Joe.

This is what you are getting wrong:
 - your bitcoin address is derived from your *public* key, there is no point in signing anything with this key or with your bitcoin address
 - you sign outgoing transactions with your *private* key

So if you're able to sign arbitrary data with your *private* key that means you get to spend whatever amount is associated with the *public* key (or its derived form, the bitcoin address) that is visible in the bitcoin block explorer.

There is no need for anyone to trust you to be Helmut, and additionally trust that 123456 is Helmut's public key.
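As an added example (not code from this thread, from Bitcoin, or from Gavin's tools), the following pure-Python secp256k1 ECDSA code covers both the OP's sketched signwithaddress/verifysignature envelope in post #1 and davout's point above: a signature made with the private key proves control over whatever funds sit at the address derived from the matching public key, without anyone having to trust a name. The message tag, the HMAC nonce derivation, the field names PublicKey/Signature and the private key are all constructed assumptions; the address step (hashing the public key and base58-encoding it) is left out, so a verifier would still map the public key in the envelope to the address whose balance it reads from the block chain.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve Bitcoin keys live on).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
BEGIN = "---- BEGIN ECDSA SIGNED MESSAGE ----"
END = "---- END ECDSA SIGNED MESSAGE ----"

def _add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, p):
    r = None                      # double-and-add scalar multiplication
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r

def on_curve(pub):
    # Reject out-of-range or off-curve points before they reach verify().
    x, y = pub
    return 0 < x < P and 0 < y < P and (y * y - x * x * x - 7) % P == 0

def pubkey(priv):
    return _mul(priv, G)

def _msg_hash(message):
    # Constructed tag: keeps a text signature from ever being mistaken for a
    # transaction digest (Bitcoin later adopted a magic prefix for this reason).
    data = b"ECDSA SIGNED MESSAGE:\n" + message.encode("utf-8")
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def sign(priv, message):
    z = _msg_hash(message)
    # Deterministic nonce (simplified HMAC derivation, not full RFC 6979):
    # a reused or predictable k lets anyone with two signatures solve for priv.
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big"),
                                hashlib.sha256).digest(), "big") % N or 1
    while True:
        r = _mul(k, G)[0] % N
        s = (z + r * priv) * pow(k, -1, N) % N
        if r and s:
            break
        k = (k + 1) % N or 1
    return r, min(s, N - s)   # low-s form: one canonical signature per message

def verify(pub, message, sig):
    r, s = sig
    if not on_curve(pub) or not (0 < r < N and 0 < s < N):
        return False
    z, w = _msg_hash(message), pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def wrap(message, pub, sig):
    # Armor message, uncompressed public key and signature as the OP sketched.
    return "\n".join([BEGIN, message, "", "PublicKey: 04%064x%064x" % pub,
                      "Signature: %064x%064x" % sig, END])

def unwrap(armored):
    lines = armored.strip().split("\n")
    if len(lines) < 6 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing envelope markers")
    pub_hex = lines[-3].removeprefix("PublicKey: 04")
    sig_hex = lines[-2].removeprefix("Signature: ")
    if len(pub_hex) != 128 or len(sig_hex) != 128:
        raise ValueError("malformed key or signature field")
    pub = (int(pub_hex[:64], 16), int(pub_hex[64:], 16))
    sig = (int(sig_hex[:64], 16), int(sig_hex[64:], 16))
    return "\n".join(lines[1:-4]), pub, sig

def verify_armored(armored):
    # Returns (ok, message, public key); the caller maps the key to an address
    # and looks that address's balance up in the block chain.
    try:
        message, pub, sig = unwrap(armored)
    except ValueError:
        return False, None, None
    return verify(pub, message, sig), message, pub

if __name__ == "__main__":
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed key
    text = "Order #4711 was paid from this key"
    armored = wrap(text, pubkey(priv), sign(priv, text))
    print(armored)
    print("valid:", verify_armored(armored)[0])
    print("tampered:", verify_armored(armored.replace("paid", "PAID"))[0])
```

Three details carry the security weight: the on-curve check stops a verifier from doing arithmetic on a crafted point, the low-s normalisation gives each message exactly one accepted signature, and the message tag means a signed text can never be replayed as a transaction digest. The signature itself only proves control of the key at signing time; as davout says, the balance is re-read from the chain whenever the proof is checked, which is why the envelope carries the public key rather than an amount.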


gene | December 20, 2010, 06:24:06 PM | #28

Quote from: davout
Quote from: gene
I understand, but can't we already do that via blockexplorer? Why not just do something like this:

I identify myself as Joe and generate a corresponding PGP key (sorry to keep going back to PGP, but it is easier than saying "your public key software of choice"). I can then send a signed message with my bitcoin address to a recipient who already trusts that I am Joe and that it is my PGP key. Simply copy the bitcoin address from your gui or whatever and pgp/gpg away. In fact, I already do exactly this with some regularity, although my name may or may not really be Joe.

This is what you are getting wrong:
 - your bitcoin address is derived from your *public* key, there is no point in signing anything with this key or with your bitcoin address
 - you sign outgoing transactions with your *private* key

This I understand very well.

Quote from: davout
So if you're able to sign arbitrary data with your *private* key that means you get to spend whatever amount is associated with the *public* key (or its derived form, the bitcoin address) that is visible in the bitcoin block explorer.

Sure. If I have access to the private key (the wallet), then I can spend all my money.

Quote from: davout
There is no need for anyone to trust you to be Helmut, and additionally trust that 123456 is Helmut's public key.

Of course. Nobody needs to know to any degree of certainty which bitcoin accounts are mine. Isn't that rather the point of digital cash? Now, if I want to sign arbitrary data (as per the OP), I would rather use existing software and would hope that such redundancy would be avoided in bitcoin. If I want to make sure that my factory only sends bitcoins that I earned while building Cadillacs to my account, I can make sure by signing a message with one of my bitcoin IDs with my PGP key which they trust is mine.

davout
December 20, 2010, 06:40:06 PM
 #29

Of course. Nobody needs to know to any degree of certainty which bitcoin accounts are mine. Isn't that rather the point of digital cash? Now, If I want to sign arbitrary data (as per the OP), I would rather use existing software and would hope that such redundancy would be avoided in bitcoin. If I want to make sure that my factory only sends bitcoins that I earned while building Cadillacs to my account, I can make sure by signing a message with one of my bitcoin IDs with my PGP key which they trust is mine.

PGP is cool, but how about signing data with your bitcoin private keys ? Oops, you can't (well you technically can with gavin's python tools).
One of the properties of cash is that I can show you the money before you go get the goods, I'd love to be able to do the same thing with bitcoin in a simple way.

MoonShadow
December 20, 2010, 06:45:04 PM
 #30

Yeah, the ability to prove without a doubt to a seller that I have control over a given address, and therefore the funds that he can see in his blockchain, would be great.  Particularly without the need to prove that to the entire world.

gene
December 20, 2010, 06:55:28 PM
 #31

Quote
PGP is cool, but how about signing data with your bitcoin private keys ? Oops, you can't (well you technically can with gavin's python tools).
One of the properties of cash is that I can show you the money before you go get the goods, I'd love to be able to do the same thing with bitcoin in a simple way.

Ok, you want to use your private key for bitcoin instead of a private key in PGP; see my first post in this thread. I think you'll face some resistance because this is redundant functionality. As for seeing the amount in a certain account, can't you already do this in blockexplorer (a distinct application)?

Quote
Yeah, the ability to prove without a doubt to a seller that I have control over a given address, and therefore the funds that he can see in his blockchain, would be great.  Particularly without the need to prove that to the entire world.
But you need to have established trust through some other mechanism beforehand. Establishing trust is an inherently "out of band" process. See my points about PKI and Webs of Trust.

davout
December 20, 2010, 07:57:34 PM
 #32

Quote
PGP is cool, but how about signing data with your bitcoin private keys ? Oops, you can't (well you technically can with gavin's python tools).
One of the properties of cash is that I can show you the money before you go get the goods, I'd love to be able to do the same thing with bitcoin in a simple way.

Ok, you want to use your private key for bitcoin instead of a private key in PGP; see my first post in this thread. I think you'll face some resistance because this is redundant functionality. As for seeing the amount in a certain account, can't you already do this in blockexplorer (a distinct application)?
It is not redundant, balance is linked to a bitcoin private key, not to any PGP one.

Quote
Yeah, the ability to prove without a doubt to a seller that I have control over a given address, and therefore the funds that he can see in his blockchain, would be great.  Particularly without the need to prove that to the entire world.
But you need to have established trust through some other mechanism beforehand. Establishing trust is an inherently "out of band" process. See my points about PKI and Webs of Trust.
No you do not need any trust. Don't take it bad, but please educate yourself a little bit more about bitcoin internals.

Mike Hearn
December 20, 2010, 08:12:01 PM
 #33

Yeah, being able to sign messages with your BitCoin keys would be useful and not redundant with other functionality. All I can do with PGP is attempt to build up trust in my keys through things I write or people I meet, hence the whole web of trust concept.

But for the purposes of business, you don't need to trust somebody anywhere near as much if they can prove they have the money you want at hand. The alternative is to do a small sentinel transaction of some pre-agreed amount to prove you have the cash you claim to, but that'd just pollute the block chain with non economic activity. Being able to sign arbitrary data is better.

It'd potentially also allow for a more user friendly signature format to be developed than what PGP provides, eg, rules that state "remove all whitespace and all formatting before signing" would make signatures more robust in the face of common things like HTML/text conversion and copy/paste.
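Signing arbitrary data with a Bitcoin key as the post above describes, as an added example that is not the thread's or Bitcoin's own code: a self-contained secp256k1 ECDSA sign/verify in pure Python, with the whitespace-stripping rule from the post applied before hashing so a re-wrapped copy of the message still verifies. The private key and message are constructed for the demo, and the nonce derivation is a simplified HMAC scheme rather than full RFC 6979.

```python
import hashlib
import hmac

# secp256k1 parameters (the curve Bitcoin keys live on)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed demo values: not a real wallet key, not a quote from the thread.
DEMO_PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
DEMO_MSG = "I control this address and will pay 3.14159264 BTC for the car."

def _point_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def _point_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result

def on_curve(point):
    # Reject public keys that are not valid secp256k1 points.
    x, y = point
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0

def canonicalize(message):
    """Robustness rule from the post above: strip all whitespace before
    hashing, so line wrapping or HTML/text conversion cannot break a signature."""
    return "".join(message.split())

def message_hash(message):
    """Double SHA-256 of the canonical message, reduced mod n."""
    data = canonicalize(message).encode("utf-8")
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big") % N

def public_key(priv):
    return _point_mul(priv, G)

def sign(priv, message):
    """ECDSA signature (r, s). The nonce k is HMAC-SHA256(key, hash) (a
    simplified RFC 6979): reusing k across messages would leak the key."""
    z = message_hash(message)
    counter = 0
    while True:
        mac = hmac.new(priv.to_bytes(32, "big"),
                       z.to_bytes(32, "big") + counter.to_bytes(4, "big"),
                       hashlib.sha256).digest()
        k = int.from_bytes(mac, "big") % N
        counter += 1
        if k == 0:
            continue
        r = _point_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            # low-s form; Bitcoin later required this to remove the (r, n-s) alternate encoding
            return (r, min(s, N - s))

def verify(pub, message, sig):
    """True only if sig is a valid signature over message by pub."""
    r, s = sig
    if not on_curve(pub) or not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    z = message_hash(message)
    point = _point_add(_point_mul(z * w % N, G), _point_mul(r * w % N, pub))
    return point is not None and point[0] % N == r
```

Run `sign(DEMO_PRIV, DEMO_MSG)` and pass the result to `verify(public_key(DEMO_PRIV), ...)`; the same signature verifies for any whitespace variant of the message and fails for any other message or key.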
ribuck
December 20, 2010, 08:29:10 PM
 #34

Can you please explain a situation where one would like to prove the amount of money in an account at some point in time?

Suppose you are auctioning something at the Bidding Pond. Suddenly you get a bid for a million bitcoins. You may want the bidder to flash the cash, to persuade you to take their bid seriously.
caveden
December 20, 2010, 09:01:58 PM
 #35

I put this under the category of "I own my data, and should be able to do with it what I want."

Being able to import and export bitcoin keypairs to/from wallets seems an obvious need to me.

+1

I think the same. Since it was chosen to use a specific type of keystore to hold bitcoin keys, there should be a way to manipulate the keys in this keystore.

What would be really ideal from an architectural point of view would be a client that is decoupled from the keystore type. Just by configuring something and implementing an interface you could plug another type of keystore and use it.
But, well, that has a lower priority, I'd say.
j16sdiz
December 21, 2010, 12:21:59 AM
Last edit: December 21, 2010, 12:32:02 AM by j16sdiz
 #36

I put this under the category of "I own my data, and should be able to do with it what I want."

Being able to import and export bitcoin keypairs to/from wallets seems an obvious need to me.

+1

The usage of BerkeleyDB makes me feel uncomfortable. BDB is known to change format between versions. And this makes making alternative implementations harder.

Exporting to something simpler (i.e. parsable with no external library) would be nice.
da2ce7
December 21, 2010, 12:28:37 AM
 #37

sounds like a great idea, I can see many uses for it.

da2ce7
December 21, 2010, 01:49:02 AM
 #38

sounds like a great idea, I can see many uses for it.

It should be easy to extract the Public Keys, in a standard Armor format.

There should be a way to sign, or decrypt 'anything' with the bitcoin program.

3rd, the bitcoin client should be able to import 3rd party public keys.  Allowing it to 'encrypt to address'.  This could be very useful for sending private messages to people you trade with.

theymos
December 21, 2010, 01:57:04 AM
 #39

3rd, the bitcoin client should be able to import 3rd party public keys.  Allowing it to 'encrypt to address'.  This could be very useful for sending private messages to people you trade with.

ECDSA doesn't support encryption.

ByteCoin
December 21, 2010, 03:36:05 AM
 #40

ECDSA doesn't support encryption.

There are many elliptic curve encryption schemes for which the public and private keys are compatible with the ECDSA keys.
One could use ElGamal or MQV or one of the newer signcryption schemes. There are no technical obstacles to implementing encryption.

ByteCoin
grondilu (OP)
December 21, 2010, 03:54:01 AM
 #41

I've just realised that proving you own a particular address is actually not very difficult, even with the current bitcoin client.


Say Alice wants to prove to Bob that she owns the bitcoin address $addr

All she has to do is to send a certain amount of bitcoin to this address.  This amount has to be high enough to convince Bob that it wasn't lost, and it has to have some entropy (so that it can be used to prove that it comes from Alice).

So Alice tells Bob :

A: ok, give me a high enough amount, with a few decimal numbers.
B: hum, let's say pi :   3.14159264
A: wait a sec...
(Alice runs "bitcoind sendtoaddress $addr 3.14159264")
A: here you go, check out the following transaction :  http://bitcoinexplorer.com/q/transaction/...
B: fine, I guess you wouldn't accept to lose 3.14159264 bitcoins just to fool me.  So I believe you own this address.

jib
December 21, 2010, 04:02:58 AM
 #42

B: fine, I guess you wouldn't accept to lose 3.14159264 bitcoins just to fool me.  So I believe you own this address.

Or Alice could be donating the 3.14159264 bitcoins to a charity (which she would have donated to anyway and thus isn't really losing anything). Or she could organise with some third party to trade 3.14159264 bitcoins for something. Or maybe you're wrong and she's willing to lose the bitcoins to fool you. It definitely doesn't show she owns the address.

A simpler and better (but still not entirely secure) way to check ownership is to ask her to send 3.14159264 bitcoins *from* that address back to that address in a single transaction (That's possible, right?).
grondilu (OP)
December 21, 2010, 04:09:29 AM
 #43

A simpler and better (but still not entirely secure) way to check ownership is to ask her to send 3.14159264 bitcoins *from* that address back to that address in a single transaction (That's possible, right?).

True.  Sending *from* the address is good too.

Also, the method doesn't have to be secure, since anyway it is not really very useful to prove to someone that you own some money.

Alice could prove to Bob she owns enough money, but at the end the moment of truth occurs during the real transaction from Alice to Bob.  It's easy to prove you own any amount of money.  Basically you could even borrow it during a short period of time.  Big money owners could also sell this kind of proof to people (selling the "proof", not the money).

What I mean is that proving you own some money is actually quite useless in commercial relations anyway.  But if people really want to do it, they can do so with a relative security within the current bitcoin implementation.

jib
December 21, 2010, 04:19:56 AM
 #44

the method doesn't have to be secure, since anyway it is not really very useful to prove to someone that you own some money.

If it's not useful, we don't need a method at all, and if it is useful, we need a secure method. Either way, we don't need a dangerously flawed and useless one like your suggestion.
grondilu (OP)
December 21, 2010, 05:10:07 AM
 #45

If it's not useful, we don't need a method at all, and if it is useful, we need a secure method. Either way, we don't need a dangerously flawed and useless one like your suggestion.

True.  We actually don't need it.

My initial post was intended to allow people to prove they own a private key.  It was intended to claim ownership of future payments into the bitcoin address.  The idea was to ease a process of asset transfer.  It's completely different than proving you own a certain amount of money, which is in my opinion quite impossible  (since money could have been borrowed).

Also, proving you own some money doesn't prevent you from lying about your intent to spend it.

MoonShadow
December 21, 2010, 05:28:43 AM
 #46


Also, proving you own some money doesn't prevent you from lying about your intent to spend it.


It's not important that you could be lying about your intent, nor is it important that it may be borrowed.  It's like a credit check without the bullsh*t.  "Wanna buy my car with Bitcoin?  Sure buddy, but before I waste an hour of my life showing you my peach of a used car, prove that you can produce the coin."

gene
December 21, 2010, 08:13:45 AM
Last edit: December 21, 2010, 09:48:10 AM by gene
 #47

Quote
PGP is cool, but how about signing data with your bitcoin private keys ? Oops, you can't (well you technically can with gavin's python tools).
One of the properties of cash is that I can show you the money before you go get the goods, I'd love to be able to do the same thing with bitcoin in a simple way.

Ok, you want to use your private key for bitcoin instead of a private key in PGP; see my first post in this thread. I think you'll face some resistance because this is redundant functionality. As for seeing the amount in a certain account, can't you already do this in blockexplorer (a distinct application)?
It is not redundant, balance is linked to a bitcoin private key, not to any PGP one.
This functionality is redundant with that offered by the (existing, well understood, established, portable, and widely implemented) OpenPGP standard, and others. Saying that it isn't redundant because bitcoin doesn't already offer it doesn't make much sense. This kind of thinking is how the world ended up with atrocities like MS Outlook. I've said before that I like the Unix Way (TM) of doing things, and this is because there is just less room for disaster.

Quote
Quote
Yeah, the ability to prove without a doubt to a seller that I have control over a given address, and therefore the funds that he can see in his blockchain, would be great.  Particularly without the need to prove that to the entire world.
But you need to have established trust through some other mechanism beforehand. Establishing trust is an inherently "out of band" process. See my points about PKI and Webs of Trust.
No you do not need any trust.
I bolded a section in your previous reply. My question stands. How can you ever establish an identity (such as when saying that you control a bitcoin account) without some external bootstrapping mechanism? You can't ever "prove without a doubt" that you control a private key. The best you can do is convince someone to trust you to identify yourself correctly and not divulge your private key. I wonder if you understand the distinction that I am trying to draw.

And by bitcoin's nature, which you seem to think I never bothered to try to understand, you cannot keep secret the balance of an account after disclosing the ID. For an arbitrary account number (for which there is a record after a transaction), anyone can check its balance at any time, whether or not anyone knows who has ever controlled it.

davout
December 21, 2010, 09:48:50 AM
 #48

This functionality is redundant with that offered by the (existing, well understood, established, portable, and widely implemented) OpenPGP standard, and others. Saying that it isn't redundant because bitcoin doesn't already offer it doesn't make much sense. This kind of thinking is how the world ended up with atrocities like MS Outlook. I've said before that I like the Unix Way (TM) of doing things, and this is because there is just less room for disaster.
You cannot prove you hold the funds associated to a given address with PGP, that's what I want as a feature.
Whether I only get to extract the key from the wallet to use it with another tool instead of directly from the bitcoin client is irrelevant.


My question stands. How can you ever establish an identity (such as when saying that you control a bitcoin account) without some a priori  mechanism of establishing trust? You can't ever "prove without a doubt" that you control a private key. The best you can do is convince someone to trust you to identify yourself correctly and not divulge your private key. I wonder if you understand the distinction that I am trying to draw.
Identification is irrelevant here...

And by bitcoin's nature, which you seem to think I never bothered to try to understand,
I don't doubt you tried

you cannot keep secret the balance of an account after disclosing the ID. For an arbitrary account number (for which there is a record after a transaction), anyone can check its balance at any time, whether or not anyone knows who has ever controlled it.
accounts are very different things than addresses, lurk a little more

grondilu (OP)
December 21, 2010, 10:00:40 AM
 #49


Give it up, davout.  Gene is right.   It's a feature that is not necessary to bitcoin, and that could be implemented with an external, optional, program.

Therefore, there is no reason to add it in the official client.  It would give unnecessary additional work for programmers and would add potential points of failure.

But I wish someone will eventually implement it as an external tool.

davout
December 21, 2010, 10:07:20 AM
 #50

Give it up, davout.  Gene is right.   It's a feature that is not necessary to bitcoin, and that could be implemented with an external, optional, program.
As I said, there is at least the need to be able to export the keys, which isn't possible with the current client.
Other people have also expressed interest in this feature, so let's just see where it takes us.

But I wish someone will eventually implement it as an external tool.
You can use gavin's python tools to export the keys and fiddle with them externally and that is good since you can achieve the desired functionality, but there's no guarantee he'll have time to maintain them and keep them compatible with future versions.

I think it's an important property of cash to be able to show without giving, don't you ?


grondilu (OP)
December 21, 2010, 10:15:14 AM
 #51

You can use gavin's python tools to export the keys and fiddle with them externally and that is good since you can achieve the desired functionality, but there's no guarantee he'll have time to maintain them and keep them compatible with future versions.

I think it's an important property of cash to be able to show without giving, don't you ?


I guess.  However I keep thinking it should not be integrated inside the client but as some kind of a bitcoin-tools package, amongst which we could also find the explorer functions of blockexplorer.com.

I didn't know about gavin's tools.  I'll give it a look.

davout
December 21, 2010, 10:18:54 AM
 #52

I didn't know about gavin's tools.  I'll give it a look.

Here they are :
https://github.com/gavinandresen/bitcointools

gene
December 21, 2010, 10:27:08 AM
 #53

I think it's an important property of cash to be able to show without giving, don't you ?

Why? I don't have to prove to a shopkeeper that I have enough money to just look around in his store. If I want to buy the item and I don't have enough money in my pockets, the transaction will fail at the point of sale. He loses nothing, and I lose nothing. This analogy generalizes, too. Again: credit vs. cash. Bitcoin is digital cash.

caveden
December 21, 2010, 10:58:12 AM
 #54

Give it up, davout.  Gene is right.   It's a feature that is not necessary to bitcoin, and that could be implemented with an external, optional, program.

The default implementation uses a specific (custom) type of keystore, as far as I know. So it would be better if it provides the means to manipulate the keys in it. In terms of maintenance, being an external tool or not it will remain a job for the same developer community since this tool would be completely linked to bitcoin's specific type of keystore.

What I mean is, your unix motto of "do just one thing, but do it well" doesn't apply while the bitcoin client remains coupled to a custom type of keystore. It is already doing more than one thing.

The ideal scenario would be a client not strongly coupled to any type of keystore. In this case, one could make a build/config of the client that uses a more standardized type of keystore which already has all the tools to manipulate the keys in it.
bfever
January 23, 2011, 09:38:27 PM
 #55

I think it's an important property of cash to be able to show without giving, don't you ?

Why? I don't have to prove to a shopkeeper that I have enough money to just look around in his store. If I want to buy the item and I don't have enough money in my pockets, the transaction will fail at the point of sale. He loses nothing, and I lose nothing. This analogy generalizes, too. Again: credit vs. cash. Bitcoin is digital cash.

I have to agree with davout that exporting the private key is something useful in a scenario where you want to pay in bitcoins without having a bitcoin client with you (on a smart phone or other device with Internet access), only something like a smart card which holds securely the private key of one of your bitcoin addresses: it can sign the payment transaction. See this topic I opened: http://bitcointalk.org/index.php?topic=2898.0

Gene: how are you able to pay some bitcoins with your PGP key at the store ? Without the private key of the bitcoin address, nobody can sign the transaction to validate it ! Or am I the one missing something here ?

But I can agree with grondilu that this can be part of external tools that manipulate your wallet.dat (on your PC) and make the transaction (at the merchant's store).

Going to take a look at gavin's tools if I have some spare time...
Hal
January 24, 2011, 12:08:49 AM
 #56

See also the program referenced in post 15 of this thread:

http://bitcointalk.org/index.php?topic=2507.0;all

I think grondilu has some code samples showing how to sign with these openssl keys.

Hal Finney
Hal
January 24, 2011, 03:41:12 AM
 #57

Here's where grondilu describes his scripts to sign arbitrary data with wallet keys using openssl. Very impressive.

http://bitcointalk.org/index.php?topic=2694.msg39658#msg39658

Hal Finney