Bitcoin Forum
Topic: Feature request: signing a text with a wallet key
caveden
December 20, 2010, 02:48:28 PM
 #21

What if the private keys are stored in a tamper-proof "trusted security module" hardware doo-hickey, and are impossible to export?

If it's impossible it's impossible :) Nothing to be done.
But why not be able to export them when it is possible? It's your keystore anyway, you should be able to manipulate it.
grondilu (OP)
December 20, 2010, 02:59:59 PM
 #22

I agree with gene when he says it should not be a bitcoin feature.  I was wrong to ask for another subcommand of the bitcoind command.

But could someone please work on a completely separate application that would read the wallet and use private ECDSA keys to sign documents?

gene
December 20, 2010, 05:16:11 PM
 #23

That's where trust comes in. The old PKI/WOT issue.

If you depend on trust you're not proving anything. Normally proofs are asked exactly when there isn't enough confidence.
You are correct in making the distinction between trust and "proof" via cryptographic transforms, so forgive me if I am repeating something you already understand. I am also writing to others who may not be as familiar with some of these concepts. However, when it comes to a digital ID (be it a bitcoin address or a PGP ID) there are some qualities that you can take at face value. For example, if a digital signature matches a public key, you can be quite certain that the corresponding private key created it. You are less certain, however, about who actually controls the private key. You now face an issue of trust. Do you trust the person to not allow his key to be stolen? Do you trust the people that vouched that a key matches a certain name? Do you trust the ID card or passport that says that John Smith is who he says he is and that the name matches the key? The issues are orthogonal.

So, if I have a bitcoin ID, the question (or at least what I interpreted as the question) is "how do I let someone know that this really is my account number and not to send money to other accounts who claim to be me?" Again, this is a trust issue. Typically, it is handled using either a centralized chain of trust (PKI {SSL certs}) or a distributed chain of trust (Web of Trust {PGP, CaCert(actually a hybrid), etc}). What the OP suggested was essentially to use bitcoin's private keys as a general form of digital ID, similar to the way PGP keys are already used. My point was that such functionality already exists in well-tested and standardized tools, such as GnuPG and that reproducing those features would not help bitcoin. In fact, by invoking well-known arguments pertaining to the unwelcome effects of increasing codebase complexity, I conjecture that the additional code would likely hurt it.

Incidentally, all these issues of trust have been well explored for many years, with much credit to the cypherpunks in the 90s (and digital cash, of course).

Quote
Maybe I am overlooking something critical. What is the point of telling somebody how much money you have at some instant, when at any subsequent time, the proof is no longer valid?

The proof is valid while the funds remain in the same address. They may remain there for a long time.
Emphasis mine. In general, the balance can change immediately. If you are saying what I think you are saying, then this functionality offers sharply limited practical use. If I am trying to buy something that costs 20BTC and I only have 10BTC, the transaction will fail immediately. At no point does the seller need to know how much money I have in my account. All he really has to know is if I produce enough to complete the transaction. Bitcoin is not a system of credit, it is a currency. Its entire appeal is that it behaves like cash.

Quote
<lots of stuff by davout>
I think that we're talking past each other.

Can you please explain a situation where one would like to prove the amount of money in an account at some point in time? Are you planning on paying taxes? The benefits would have to outweigh the considerable drawbacks of implementation and maintenance, requiring a compelling argument.

Quote
That is pretty much what is being requested as a feature.
The OP requested (very concisely) the ability to use a bitcoin private key to sign data. I can detect no mention of anything else in what he wrote.

Quote
I agree with gene when he says it should not be a bitcoin feature.  I was wrong to ask for another subcommand of the bitcoind command.
It wasn't wrong for you to ask. That's what discussions are for.

*processing payment* *error 404 : funds not found*
Do you want to complain on the forum just to fall for another scam a few days later?
| YES       |        YES |
jgarzik
December 20, 2010, 05:20:53 PM
 #24

Oh, and RE: extracting private keys from the wallet:

I'm less excited about that idea.  What if the private keys are stored in a tamper-proof "trusted security module" hardware doo-hickey, and are impossible to export?

I put this under the category of "I own my data, and should be able to do with it what I want."

Being able to import and export bitcoin keypairs to/from wallets seems an obvious need to me.

Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.
Visit bloq.com / metronome.io
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
davout
December 20, 2010, 05:53:10 PM
 #25

Can you please explain a situation where one would like to prove the amount of money in an account at some point in time? Are you planning on paying taxes? The benefits would have to outweigh the considerable drawbacks of implementation and maintenance, requiring a compelling argument.

Well, I can think of plenty of cases where I want to check that someone actually has the funds he claims before conducting some business. None of them involving taxes.

You seem to think that such a signature would be valid only at a certain point of time, it isn't the case.
If I sign arbitrary data with one of my private keys, it just basically means that I get to spend the funds associated with the bitcoin address, the available amount to an address is publicly visible from the blockchain.

So at the time of signature I can say "okay this person has 10 BTC available", I can also come back two weeks later and see that the signature only credits its owner with 1.42 BTC.

gene
December 20, 2010, 06:04:18 PM
 #26

Can you please explain a situation where one would like to prove the amount of money in an account at some point in time? Are you planning on paying taxes? The benefits would have to outweigh the considerable drawbacks of implementation and maintenance, requiring a compelling argument.

Well, I can think of plenty of cases where I want to check that someone actually has the funds he claims before conducting some business. None of them involving taxes.

You seem to think that such a signature would be valid only at a certain point of time, it isn't the case.
If I sign arbitrary data with one of my private keys, it just basically means that I get to spend the funds associated with the bitcoin address, the available amount to an address is publicly visible from the blockchain.

So at the time of signature I can say "okay this person has 10 BTC available", I can also come back two weeks later and see that the signature only credits its owner with 1.42 BTC.

I think I understand, but can't we already do that via blockexplorer? Why not just do something like this:

I identify myself as Joe and generate a corresponding PGP key (sorry to keep going back to PGP, but it is easier than saying "your public key software of choice"). I can then send a signed message with my bitcoin address to a recipient who already trusts that I am Joe and that it is my PGP key. Simply copy the bitcoin address from your gui or whatever and pgp/gpg away. In fact, I already do exactly this with some regularity, although my name may or may not really be Joe.

davout
December 20, 2010, 06:11:14 PM
 #27

I understand, but can't we already do that via blockexplorer? Why not just do something like this:

I identify myself as Joe and generate a corresponding PGP key (sorry to keep going back to PGP, but it is easier than saying "your public key software of choice"). I can then send a signed message with my bitcoin address to a recipient who already trusts that I am Joe and that it is my PGP key. Simply copy the bitcoin address from your gui or whatever and pgp/gpg away. In fact, I already do exactly this with some regularity, although my name may or may not really be Joe.

This is what you are getting wrong:
 - your bitcoin address is derived from your *public* key, there is no point in signing anything with this key or with your bitcoin address
 - you sign outgoing transactions with your *private* key

So if you're able to sign arbitrary data with your *private* key that means you get to spend whatever amount is associated with the *public* key (or its derived form, the bitcoin address) that is visible in the bitcoin block explorer.

There is no need for anyone to trust you to be Helmut, and additionally trust that 123456 is Helmut's public key.


gene
December 20, 2010, 06:24:06 PM
 #28

I understand, but can't we already do that via blockexplorer? Why not just do something like this:

I identify myself as Joe and generate a corresponding PGP key (sorry to keep going back to PGP, but it is easier than saying "your public key software of choice"). I can then send a signed message with my bitcoin address to a recipient who already trusts that I am Joe and that it is my PGP key. Simply copy the bitcoin address from your gui or whatever and pgp/gpg away. In fact, I already do exactly this with some regularity, although my name may or may not really be Joe.

This is what you are getting wrong:
 - your bitcoin address is derived from your *public* key, there is no point in signing anything with this key or with your bitcoin address
 - you sign outgoing transactions with your *private* key
This I understand very well.

Quote
So if you're able to sign arbitrary data with your *private* key that means you get to spend whatever amount is associated with the *public* key (or its derived form, the bitcoin address) that is visible in the bitcoin block explorer.
Sure. If I have access to the private key (the wallet), then I can spend all my money.

Quote
There is no need for anyone to trust you to be Helmut, and additionally trust that 123456 is Helmut's public key.
Of course. Nobody needs to know to any degree of certainty which bitcoin accounts are mine. Isn't that rather the point of digital cash? Now, if I want to sign arbitrary data (as per the OP), I would rather use existing software and would hope that such redundancy would be avoided in bitcoin. If I want to make sure that my factory only sends bitcoins that I earned while building Cadillacs to my account, I can make sure by signing a message with one of my bitcoin IDs with my PGP key which they trust is mine.

davout
December 20, 2010, 06:40:06 PM
 #29

Of course. Nobody needs to know to any degree of certainty which bitcoin accounts are mine. Isn't that rather the point of digital cash? Now, if I want to sign arbitrary data (as per the OP), I would rather use existing software and would hope that such redundancy would be avoided in bitcoin. If I want to make sure that my factory only sends bitcoins that I earned while building Cadillacs to my account, I can make sure by signing a message with one of my bitcoin IDs with my PGP key which they trust is mine.

PGP is cool, but how about signing data with your bitcoin private keys? Oops, you can't (well you technically can with Gavin's Python tools).
One of the properties of cash is that I can show you the money before you go get the goods, I'd love to be able to do the same thing with bitcoin in a simple way.

MoonShadow
December 20, 2010, 06:45:04 PM
 #30

Yeah, the ability to prove without a doubt to a seller that I have control over a given address, and therefore the funds that he can see in his blockchain, would be great.  Particularly without the need to prove that to the entire world.

"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."

- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
gene
December 20, 2010, 06:55:28 PM
 #31

Quote
PGP is cool, but how about signing data with your bitcoin private keys? Oops, you can't (well you technically can with Gavin's Python tools).
One of the properties of cash is that I can show you the money before you go get the goods, I'd love to be able to do the same thing with bitcoin in a simple way.

Ok, you want to use your private key for bitcoin instead of a private key in PGP; see my first post in this thread. I think you'll face some resistance because this is redundant functionality. As for seeing the amount in a certain account, can't you already do this in blockexplorer (a distinct application)?

Quote
Yeah, the ability to prove without a doubt to a seller that I have control over a given address, and therefore the funds that he can see in his blockchain, would be great.  Particularly without the need to prove that to the entire world.
But you need to have established trust through some other mechanism beforehand. Establishing trust is an inherently "out of band" process. See my points about PKI and Webs of Trust.

davout
December 20, 2010, 07:57:34 PM
 #32

Quote
PGP is cool, but how about signing data with your bitcoin private keys? Oops, you can't (well you technically can with Gavin's Python tools).
One of the properties of cash is that I can show you the money before you go get the goods, I'd love to be able to do the same thing with bitcoin in a simple way.

Ok, you want to use your private key for bitcoin instead of a private key in PGP; see my first post in this thread. I think you'll face some resistance because this is redundant functionality. As for seeing the amount in a certain account, can't you already do this in blockexplorer (a distinct application)?
It is not redundant, balance is linked to a bitcoin private key, not to any PGP one.

Quote
Yeah, the ability to prove without a doubt to a seller that I have control over a given address, and therefore the funds that he can see in his blockchain, would be great.  Particularly without the need to prove that to the entire world.
But you need to have established trust through some other mechanism beforehand. Establishing trust is an inherently "out of band" process. See my points about PKI and Webs of Trust.
No you do not need any trust. Don't take it bad, but please educate yourself a little bit more about bitcoin internals.

Mike Hearn
December 20, 2010, 08:12:01 PM
 #33

Yeah, being able to sign messages with your BitCoin keys would be useful and not redundant with other functionality. All I can do with PGP is attempt to build up trust in my keys through things I write or people I meet, hence the whole web of trust concept.

But for the purposes of business, you don't need to trust somebody anywhere near as much if they can prove they have the money you want at hand. The alternative is to do a small sentinel transaction of some pre-agreed amount to prove you have the cash you claim to, but that'd just pollute the block chain with non economic activity. Being able to sign arbitrary data is better.

It'd potentially also allow for a more user friendly signature format to be developed than what PGP provides, eg, rules that state "remove all whitespace and all formatting before signing" would make signatures more robust in the face of common things like HTML/text conversion and copy/paste.
ribuck
December 20, 2010, 08:29:10 PM
 #34

Can you please explain a situation where one would like to prove the amount of money in an account at some point in time?

Suppose you are auctioning something at the Bidding Pond. Suddenly you get a bid for a million bitcoins. You may want the bidder to flash the cash, to persuade you to take their bid seriously.
caveden
December 20, 2010, 09:01:58 PM
 #35

I put this under the category of "I own my data, and should be able to do with it what I want."

Being able to import and export bitcoin keypairs to/from wallets seems an obvious need to me.

+1

I think the same. Since it was chosen to use a specific type of keystore to hold bitcoin keys, there should be a way to manipulate the keys in this keystore.

What would be really ideal from an architectural point of view would be a client that is decoupled from the keystore type. Just by configuring something and implementing an interface you could plug another type of keystore and use it.
But, well, that has a lower priority, I'd say.
j16sdiz
December 21, 2010, 12:21:59 AM
Last edit: December 21, 2010, 12:32:02 AM by j16sdiz
 #36

I put this under the category of "I own my data, and should be able to do with it what I want."

Being able to import and export bitcoin keypairs to/from wallets seems an obvious need to me.

+1

The usage of BerkeleyDB makes me feel uncomfortable. BDB is known to change format between versions. And this makes making an alternative implementation harder.

Exporting to something simpler (i.e. parsable with no external library) would be nice.
da2ce7
December 21, 2010, 12:28:37 AM
 #37

Sounds like a great idea :D I can see many uses for it.

One off NP-Hard.
da2ce7
December 21, 2010, 01:49:02 AM
 #38

Sounds like a great idea :D I can see many uses for it.

It should be easy to extract the Public Keys, in a standard Armor format.

There should be a way to sign, or decrypt 'anything' with the bitcoin program.

3rd, the bitcoin client should be able to import 3rd party public keys.  Allowing it to 'encrypt to address'.  This could be very useful for sending private messages to people you trade with.

theymos
December 21, 2010, 01:57:04 AM
 #39

3rd, the bitcoin client should be able to import 3rd party public keys.  Allowing it to 'encrypt to address'.  This could be very useful for sending private messages to people you trade with.

ECDSA doesn't support encryption.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
ByteCoin
December 21, 2010, 03:36:05 AM
 #40

ECDSA doesn't support encryption.

There are many elliptic curve encryption schemes for which the public and private keys are compatible with the ECDSA keys.
One could use ElGamal or MQV or one of the newer signcryption schemes. There are no technical obstacles to implementing encryption.

ByteCoin