On 02/05/2015 04:49 PM, Paul Puey wrote: > The trust can be considered bootstrapped by visual verification of the > address prefix. Another (unspendable) address can trivially match the prefix. Imagine someone walking around in a mall with a phone in the pocket with a malicious app, just disrupting business by causing money to be burned. Manual verification doesn't fix this attack. > If we are really concerned about someone jamming a Bluetooth signal > in a coffeeshop then the UI can encourage verification of the prefix. I don't think it would be great to constrain a standard implementation to low cost purchases or the need for manual verification, but again manual prefix verification isn't actually a solution. > Much like how regular Bluetooth requires 'pairing' via entering a 4-6 > digit code. An appeal to the security of BT bootstrapping isn't exactly flattering. You know I love Airbitz, and I know you guys are extremely privacy conscious. I personally would have no problem using this feature under certain circumstances. My question is only whether it would be wise to standardize on the proposal as-is. e > On Feb 5, 2015, at 3:46 PM, Eric Voskuil > wrote: > > On 02/05/2015 03:36 PM, MⒶrtin HⒶboⓋštiak wrote: >>> A BIP-70 signed payment request in the initial broadcast can resolve the >>> integrity issues, but because of the public nature of the broadcast >>> coupled with strong public identity, the privacy compromise is much >>> worse. Now transactions are cryptographically tainted. >>> >>> This is also the problem with BIP-70 over the web. TLS and other >>> security precautions aside, an interloper on the communication, desktop, >>> datacenter, etc., can capture payment requests and strongly correlate >>> transactions to identities in an automated manner. The payment request >>> must be kept private between the parties, and that's hard to do. >> >> What about using encryption with forward secrecy? Merchant would >> generate signed request containing public ECDH part, buyer would send >> back transaction encrypted with ECDH and his public ECDH part. If >> receiving address/amount is meant to be private, use commit protocol >> (see ZRTP/RedPhone) and short authentication phrase (which is hard to >> spoof thanks to commit protocol - see RedPhone)? > > Hi Martin, > > The problem is that you need to verify the ownership of the public key. > A MITM can substitute the key. If you don't have verifiable identity > associated with the public key (PKI/WoT), you need a shared secret (such > as a secret phrase). But the problem is then establishing that secret > over a public channel. > > You can bootstrap a private session over the untrusted network using a > trusted public key (PKI/WoT). But the presumption is that you are > already doing this over the web (using TLS). That process is subject to > attack at the CA. WoT is not subject to a CA attack, because it's > decentralized. But it's also not sufficiently deployed for some scenarios. > > e >