Bitcoin Forum
Author Topic: FAQ on the payment protocol  (Read 47080 times)
marcus_of_augustus
October 02, 2013, 09:29:54 PM
Last edit: October 03, 2013, 12:29:10 AM by marcus_of_augustus
#61

But in the final analysis you are bolting on "just trust us we're the good guys" payment protocol onto a labelled "trust no-one currency system".

Sounds like a bait and switch. The CA system is prime for MITM because it introduces a third party into every secure connect negotiation, it is complex enough to seem like it must be secure if you don't dig down into it ... but it is broken as all fuck and that's why the NSA loves and pushes it endlessly, eh Mike?

I'm just counting the days until ALL bitcoin transactions are going to be required by legal or regulatory measures to be via the surveillance dragnet payment protocol ... it's pretty transparent where this is heading.

Edit: "We have over 960 Ph.D.s, over 4,000 computer scientists, over a thousand mathematicians." - Gen. Keith "Starship" Alexander, NSA

justusranvier
October 02, 2013, 09:39:01 PM
#62

Quote
I'm just counting the days until ALL bitcoin transactions are going to be required by legal or regulatory measures to be via the surveillance dragnet payment protocol ... it's pretty transparent where this is heading.
Even with the cooperation of the core devs I don't see that being effectively enforced. How do you make all the Chinese, Russian, and European miners and nodes play ball?
Mike Hearn (OP)
October 07, 2013, 08:07:44 AM
#63

Believe in whatever wild conspiracy theories you like. There's no way I can give a good rebuttal to things that aren't happening. The rationale for these changes has been laid out in detail. If you think you found a government-proof way to achieve the same goals without the CA infrastructure, please do go ahead and implement it.
jgarzik
October 07, 2013, 08:27:06 AM
#64

Quote
Believe in whatever wild conspiracy theories you like. There's no way I can give a good rebuttal to things that aren't happening. The rationale for these changes has been laid out in detail. If you think you found a government-proof way to achieve the same goals without the CA infrastructure, please do go ahead and implement it.

In all fairness, it has become a FAQ.  Given NSA/PRISM fun, it seems likely to remain so, no matter the hard evidence.  I got several variants of this question/complaint at the Atlanta crypto-currency conference, and reddit mirrored more of the same.

The core points I like to mention are
  • There is a high likelihood that SSL & standard CAs are being used anyway.  It is probably a browser launching a payment from an https:// supplied page
  • The payment protocol does not mandate SSL + standard CAs.  Other methods, including decentralized methods, are possible.

Perhaps it would be a good idea to specify a decentralized example.  PGP comes to mind, or a self-signed ECDSA scenario of bitcoin address or SIN.


Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.
Visit bloq.com / metronome.io
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
Peter Todd
October 07, 2013, 09:00:39 AM
#65

Quote
Perhaps it would be a good idea to specify a decentralized example.  PGP comes to mind, or a self-signed ECDSA scenario of bitcoin address or SIN.

I wrote a post on adding OpenPGP to the payment protocol the other day.

TradeFortress
October 07, 2013, 09:06:45 AM
#66

What about certificate pinning to domains? MITMs with the co-operation of a rogue or forced CA will have very limited effectiveness.
marcus_of_augustus
October 07, 2013, 10:18:14 AM
#67

Quote
What is needed is an electronic payment system based on cryptographic proof instead of trust,
allowing any two willing parties to transact directly with each other without the need for a trusted
third party.

Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System" Paragraph 2.

So could it be extensible to Namecoin stored self-signed certificate fingerprints?

Getting wedded to the broken CA system is a poor idea and your petulant non-rebuttals so far make me wonder if you already know you are on a hiding to nothing on this one.

Hyena
October 07, 2013, 10:38:10 AM
#68

I hate the CA system. As a merchant I don't want to pay some CAs just to have them confirm who I am. I use self-signed certificates when necessary. Bitcoin ALREADY HAS message signing. USE THIS.
Just looking at the BIP disgusts me. I really hope you're not going to change the underlying bitcoin protocol to introduce your BIP. Better start using namecoin, really!

★★★ CryptoGraffiti.info ★★★ Hidden Messages Found from the Block Chain (Thread)
Mike Hearn (OP)
October 07, 2013, 10:44:49 AM
#69

Quote
In all fairness, it has become a FAQ.  Given NSA/PRISM fun, it seems likely to remain so, no matter the hard evidence.  I got several variants of this question/complaint at the Atlanta crypto-currency conference, and reddit mirrored more of the same.

Well, direct them to this thread. It's titled "FAQ on the payment protocol" for a reason. And it goes in depth on why PGP doesn't work for this. I'd hope that this thread can put it to bed once and for all.

Quote
The core points I like to mention are
  • There is a high likelihood that SSL & standard CAs are being used anyway.  It is probably a browser launching a payment from an https:// supplied page
  • The payment protocol does not mandate SSL + standard CAs.  Other methods, including decentralized methods, are possible.

These points are sound. However, the second point leads to the question "why not do a decentralised method to start with?" to which the answer of course is complicated, but boils down to "the CA infrastructure is not actually centralised". So even though the payment protocol leaves choice of PKI open, I don't make the last point anymore because it just leads people round in circles.

Ultimately this stuff boils down to the same arguments that go around endlessly about Bitcoin scalability. If running a Bitcoin node is "hard" where "hard" is left vague and undefined, is Bitcoin now "centralised"? The language is too vague to achieve any reasonable debate. The fact is that literally anyone can run a CA, the very name "authority" is meaningless in that sense, but running one well is quite hard for fundamental reasons. That's why Verisign run a CA and you don't - because you would suck at it. If you stopped sucking at it, then you'd be doing it professionally, at which point you would probably need to charge fees and then people would decide you're an authoritarian Pillar of Centralisation. Back to square one.

The payment protocol is in some sense doomed to be like the question, "do ASICs make bitcoin centralised?". I still see that come up repeatedly. People who enjoy flaming forums will never be satisfied, everyone else will just get on with it.
Mike Hearn (OP)
October 07, 2013, 10:48:59 AM
#70

Quote
What about certificate pinning to domains? MITMs with the co-operation of a rogue or forced CA will have very limited effectiveness.

If you have DNSSEC you don't need the CA infrastructure for domain name validation. However DNSSEC does not remove CAs. It just merges them with DNS registrars instead. You can't pin certs to domains without that because otherwise, DNS itself can be MITM'd.

Rogue/forced CAs can be detected once cert transparency is online and rolled out. It will take a long time to upgrade everything, but when it's done certs can't be issued in secret anymore, which means bogus actions by a CA can be detected.

Anyway, as pointed out a million times already, the NSA are not going to forge payment requests from Amazon. This just isn't something they're going to care about. Lots of other types of criminals DO care about it, but the CA system is designed to handle those kinds of attackers, who are the ones we really care about. The NSA would be interested in snooping around, but payment requests don't give them any more info than they already have.
phelix
October 07, 2013, 11:44:30 AM
#71

Quote
Quote
Wait a minute. How do people go to mtgox? They enter "mtgox.com" in their browser and trust their system to take them to the right place.

If you go to mtgox.com then you see MtGox Co. Ltd [JP] in the browser address bar (on Chrome). So if someone told you about this Japanese company called Mt Gox then you know you're at the right place and the website was verified as being owned by a real company with that name.
Sure I will rely on some rumor about some Japanese company called MtCocks Co. Ltd [JP]...   Cheesy

Quote
Quote
Probably most people even go there the first time by clicking some random link on the internets. If you fall for rntgox.com or some special character trick - bad luck. If the fake site is good and has a certificate for rntgox.com or even for "MtGox Corp. Lim. (cn)" - bad luck.

With the CA system that's not "Bad luck" it's a failure that would get investigated, at least in theory.
That would certainly help to bring back all the Bitcoins.

Quote
With Namecoin, sure, it's just bad luck. You lose your money. That's kind of the outcome we DON'T want, right?
The point is that there is no advantage of the current CA system. But it is expensive and potentially government controlled.

Quote
direct Unicode entries are not supported

Yes, brilliant, they "solve" the problem by simply not supporting any alphabet other than the English alphabet. That's not a solution, that's a cop-out.
CA system has the same problem. Do you know a better solution? Obviously humans can only distinguish between a limited number of characters. Is base58 a cop-out, too?

Quote
Quote
edit: I'm not saying the payment protocol should be implemented only with Namecoin domains/ids right now. But somehow I have a dislike against the current CA system, especially in combination with Bitcoin. It is just unbitcoinish.

It's a free market for providers that are unified by common cryptographic protocols. Does that remind you of something? The market for mining blocks, perhaps?
No.


Quote
Believe in whatever wild conspiracy theories you like. There's no way I can give a good rebuttal to things that aren't happening. The rationale for these changes has been laid out in detail. If you think you found a government-proof way to achieve the same goals without the CA infrastructure, please do go ahead and implement it.

In all fairness, it has become a FAQ.  Given NSA/PRISM fun, it seems likely to remain so, no matter the hard evidence.  I got several variants of this question/complaint at the Atlanta crypto-currency conference, and reddit mirrored more of the same.
Given there are quite some voices of doubt in the community (see Hyena above) the question is does this have to go into the standard client right from the beginning?

Maybe this topic should be:
"VOTE on the payment protocol and the CA system to be included in standard client"


Mike Hearn (OP)
October 07, 2013, 11:55:38 AM
#72

Quote
CA system has the same problem. Do you know a better solution? Obviously humans can only distinguish between a limited number of characters. Is base58 a cop-out, too?

CAs verify DNS names and registrars are supposed to have policies in place to stop this kind of attack. But CAs are expected to also have some way to spot such attacks. For instance see here:

https://bugzilla.mozilla.org/show_bug.cgi?id=711366

Search for "homograph" and you can see how Atos plans to handle it. Their solution probably works, but it requires human intervention. This is the kind of reason there are fees attached to getting a cert - it represents actual work.

Quote
Quote
It's a free market for providers that are unified by common cryptographic protocols. Does that remind you of something? The market for mining blocks, perhaps?
No.

It should! Anyone can be a miner, in theory. In practice these days it requires some skill, time and capital investment, which is why it's done for profit.

Signing identities is the same. Anyone can do it. You can do it right now, just run a few openssl commands and you made yourself a root CA. But doing it well takes some effort, time and investment, which is why it's done for profit.

If you can't see the parallels, look closer.
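A small defender-side check in the spirit of the CA homograph screening discussed above, added here as an example (it is not code from the thread, from any CA, or from the payment protocol): it folds ASCII, Unicode and punycode look-alikes of a hostname into a comparison skeleton and flags names that collide with a list of protected domains. The PROTECTED list, the confusable tables and the two-label registrable() helper are assumptions for illustration.

```python
import unicodedata
from typing import Optional

# Constructed brand list for the example; a CA or wallet would load its own.
PROTECTED = ["mtgox.com", "bitcoin.org"]

# Non-Latin letters that render like Latin ones (hypothetical subset; a
# real deployment would use the full Unicode TR39 confusables table).
_SCRIPT_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                 # Greek
}

# Multi-character and digit look-alikes in plain ASCII ("rntgox" -> "mtgox").
_ASCII_CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
]


def skeleton(hostname: str) -> str:
    """Reduce a hostname to a comparison 'skeleton' so that names which
    look the same to a human map to the same string."""
    out = []
    for label in hostname.rstrip(".").split("."):
        if label.lower().startswith("xn--"):
            # IDNA A-label: recover the Unicode characters behind it.
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed; keep as-is, it will not match any brand
        # Compatibility decomposition folds full-width/styled letters, then
        # combining marks are dropped so e.g. 'ó' compares as 'o'.
        label = unicodedata.normalize("NFKD", label)
        label = "".join(ch for ch in label if not unicodedata.combining(ch))
        label = label.lower()
        label = "".join(_SCRIPT_CONFUSABLES.get(ch, ch) for ch in label)
        for src, dst in _ASCII_CONFUSABLES:
            label = label.replace(src, dst)
        out.append(label)
    return ".".join(out)


def registrable(hostname: str) -> str:
    """Crude registrable domain: the last two labels. Assumes single-label
    public suffixes (no co.uk); real code would use the Public Suffix List."""
    return ".".join(hostname.split(".")[-2:])


def lookalike_of(hostname: str, protected=PROTECTED) -> Optional[str]:
    """Return the protected domain that `hostname` impersonates, or None.
    A name under a protected domain itself (www.mtgox.com) is genuine and
    never flagged; anything else whose skeleton collides is reported."""
    host = hostname.lower().rstrip(".")
    if registrable(host) in protected:
        return None
    sk = registrable(skeleton(host))
    for brand in protected:
        if sk == skeleton(brand):
            return brand
    return None


if __name__ == "__main__":
    # Constructed sample: genuine, ASCII homograph, Cyrillic homograph,
    # its punycode form, and an unrelated name.
    sample = ["www.mtgox.com", "rntgox.com", "mtgo\u0445.com",
              "xn--" + "mtgo\u0445".encode("punycode").decode("ascii") + ".com",
              "example.org"]
    for host in sample:
        print(f"{host!r}: {lookalike_of(host) or 'ok'}")
```

Names the check flags still need the human review the post describes; the skeleton deliberately over-approximates, so it is a triage filter, not a verdict.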
Peter Todd
October 07, 2013, 12:17:28 PM
#73

Quote
Quote
It's a free market for providers that are unified by common cryptographic protocols. Does that remind you of something? The market for mining blocks, perhaps?
No.

It should! Anyone can be a miner, in theory. In practice these days it requires some skill, time and capital investment, which is why it's done for profit.

Signing identities is the same. Anyone can do it. You can do it right now, just run a few openssl commands and you made yourself a root CA. But doing it well takes some effort, time and investment, which is why it's done for profit.

If you can't see the parallels, look closer.

Lol.

I like how you're dumb enough to compare mining, an industry with barriers to entry of as little as a few hundred dollars (including paid time), to an industry where to make any money at all you have to convince some large user-base to adopt your product. Mozilla has 57 trusted root CAs, and the majority of those are very niche ones from large corporations and government-sponsored CAs. As for the "free-market" ones, you've got Symantec with 42% market share, Comodo Group with 26%, Go Daddy with 14%, and GlobalSign with 7.7% - the four largest companies in the industry have 90% of the market. Not exactly a sign of a competitive free market at work.

The reality is if Symantec was told to create some fake certificates because the FBI needed to confiscate some Bitcoins they would do as they were told. More importantly doing that wouldn't get them blacklisted because of their 42% market share - no browser is going to break almost half of the sites their users need access to.


You know, you've really got a way of arguing that's remarkably good at undermining your own position. I kinda like the payment protocol, and I want to see it implemented in its current form so we've got something to use while better solutions for the CA problem are developed; please go away and let more reasonable people talk about it and the nuances involved before you turn public opinion against it.

Mike Hearn (OP)
October 07, 2013, 01:09:21 PM
#74

I never cease to be amazed at how quickly and easily you insult anyone who you disagree with, Peter. It's a nasty habit that limits your effectiveness.

You understood my point perfectly well. You can become your own CA for much less than a few hundred dollars. Are you going to be handling millions of customers with that kind of investment? Duh, no. You can become a miner for a few hundred dollars. Are you going to be making as many blocks as ASICMiner? No.

Basically any activity that involves serious work turns into a market, and that market often ends up with big players. That does not make it less of a market.

If you think all the existing players in that market suck, go ahead and shake it up, just like StartSSL did.

As to revocation - we'd have to see what the browser makers do if/when a really large CA turns out to be routinely minting fake certs. So far if it's happening it has never been detected. Certs are a commodity, any CA can make one, so there's no particular reason to hold back. They can and have scheduled end dates for CAs to be revoked in the past, as they did with DigiNotar which was widely used in the Netherlands. It means people get a couple of months to buy a new cert from somewhere else, then browsers get updated and any site that fell behind sees errors. Painful for the people using the revoked CA but not infeasible.

But even if browser makers decided not to do that for some reason, wallet developers could certainly make different decisions. There's no requirement to use the same policies.

phelix
October 07, 2013, 01:36:08 PM
#75

Quote
You understood my point perfectly well. You can become your own CA for much less than a few hundred dollars.
Sweet. I'll set up a Namecoin based CA then.  Grin

Seriously, what about having a vote on the payment protocol / CA stuff going into the standard client? That would give the thing some backing if it was successful.
giszmo
October 07, 2013, 01:56:22 PM
#76

Quote
But even if browser makers decided not to do that for some reason, wallet developers could certainly make different decisions. There's no requirement to use the same policies.

I guess that's the most important point. People yell about the CA market not being a market because it has so few players yet I guess we will see yet fewer CAs in wallets than in browsers plus maybe one or two bitcoin internal CAs that are excluded in firefox. We will see which CAs will cause problems first.

jgarzik
October 07, 2013, 02:32:34 PM
#77

Quote
Believe in whatever wild conspiracy theories you like. There's no way I can give a good rebuttal to things that aren't happening. The rationale for these changes has been laid out in detail. If you think you found a government-proof way to achieve the same goals without the CA infrastructure, please do go ahead and implement it.

In all fairness, it has become a FAQ.  Given NSA/PRISM fun, it seems likely to remain so, no matter the hard evidence.  I got several variants of this question/complaint at the Atlanta crypto-currency conference, and reddit mirrored more of the same.

Given there are quite some voices of doubt in the community (see Hyena above) the question is does this have to go into the standard client right from the beginning?

Maybe this topic should be:
"VOTE on the payment protocol and the CA system to be included in standard client"


By virtue of existing https use, the voting is active and ongoing.

The only robust, deployed systems in active use are SSL and PGP.


Peter Todd
October 07, 2013, 02:49:16 PM
#78

Quote
You understood my point perfectly well. You can become your own CA for much less than a few hundred dollars. Are you going to be handling millions of customers with that kind of investment? Duh, no. You can become a miner for a few hundred dollars. Are you going to be making as many blocks as ASICMiner? No.

Basically any activity that involves serious work turns into a market, and that market often ends up with big players. That does not make it less of a market.

If you think all the existing players in that market suck, go ahead and shake it up, just like StartSSL did.

I'm sure you know enough economics that I'm talking about return on investment curves: for mining that curve is fairly flat, and your ROI is similar regardless of what scale you are mining at. (and actually, smaller scale can be more profitable because getting rid of a small amount of waste heat is a lot easier than getting rid of a large amount)

StartSSL on the other hand proves my point: with CAs you have a very large upfront investment before you make any money at all. In StartCOM's case they operated their StartSSL CA as a money losing educational project that took years before browsers started including them in their certificates. It's a huge barrier to entry, one that makes the CA market entirely unlike mining.

Just an example of how you love to make arguments that even you should know don't make much sense. In this case that habit of yours is extremely harmful, because that kind of dishonesty gives credence to those writing technically unsophisticated paranoia; non-technical people who understand that your economic argument made no sense are likely to make the assumption that what you're saying about security is bogus too.


Quote
By virtue of existing https use, the voting is active and ongoing.

The only robust, deployed systems in active use are SSL and PGP.

You can add Tor to that list, specifically bookmarks of .onion sites.

A decent idea for a payment protocol extension would be to work out what kind of UI and other details would make sense to make it possible for a user to add a .onion URL to their second-factor wallet so they could verify a payment request against a .onion URL correctly.

A logical next step would be to do some work on a reputation/timestamping/something else entirely system, to make it easier to detect the case where the .onion URL you got was itself invalid and not the one that the majority of users of the site use. Done right this stuff could eventually lead to a namecoin-style system, but with typo-squatting less useful among other things.

Hyena
October 07, 2013, 03:29:29 PM
#79

I believe bitcoin qt should only provide features strictly in the context of the bitcoin protocol. If you want the BIP, make a new program for that, different from bitcoin (qt), so that I don't have to install this crap.

If you are going to insert bloatware into bitcoin standard client then this is no longer a standard client for bitcoin protocol. What next? Adding support for http://www.bitcointrezor.com/ to the standard bitcoin wallet? This is getting ridiculous and it's time for a new bitcoin qt branch as soon as the devs go rogue and start adding bloat code and what not.

jgarzik
October 07, 2013, 03:39:21 PM
#80

Quote
What next? Adding support for http://www.bitcointrezor.com/ to the standard bitcoin wallet?

Absolutely.  It would be quite nice if wallets supported Trezor, including Bitcoin-QT.

