On Fri, Apr 4, 2014 at 4:56 PM, slush <slush@centrum.cz> wrote:
> I've been cracking my head for many months over the idea of using TREZOR for web auth purposes. Unfortunately I'm far from any usable solution yet.
>
> My main comments to your BIP: Don't use bitcoin addresses directly and don't encourage services to use this "login" for financial purposes. Mike is right, mixing authentication and financial services is wrong. Use some function to generate another private/public key from bitcoin's seed/private key to not leak bitcoin-related data to the website.

I'm probably very naive, but the fact that the authentication key is your Bitcoin address was for me a great feature :)
What are the risks associated with identifying yourself with a bitcoin address you plan to use on the website for transactions?

I mean, what is the difference between doing that, and identifying with a login/pass and adding your bitcoin address in a settings field? (knowing you could always find a mechanism to transfer the account to another bitcoin address if needed)

Eric