Pieter, it was more rhetorical question than asking for explanation, but thanks anyway. As an Internet application developer, I of course understand security issues while using HTTPS and CA. I have a gut feeling that there simply does not exist any single solution which is both easy to use and secure enough. At least nobody mentioned it yet. And if I need to choose between easy solution or secure solution for aliases, I'll pick that easy one. I mean - we need some solution which will be easy enough for daily use; it is something what we currently don't have. But if I want to be really really sure I'm using correct destination for paying $1mil for a house, I can every time ask for real bitcoin addresses, this is that secure way which we currently have. slush On Mon, Dec 19, 2011 at 2:14 AM, Pieter Wuille wrote: > On Mon, Dec 19, 2011 at 12:58:37AM +0100, slush wrote: > > Maybe I'm retarded, but where's the point in providing alliases > containing > > yet another hash in URL? > > Any DNS-based alias system is vulnerable to spoofing. If I can make > people's > DNS server believe that mining.cz points to my IP, I'll receive payments > to > you... > > If no trusted CA is used to authenticate the communication, there is no way > to be sure the one you are asking how to pay, is the person you want to > pay. > Therefore, one solution is to put a bitcoin address in the identification > string itself, and requiring SSL communication authenticated using the > respective key. > > This makes the identification strings obviously less useful as aliases, > but pure aliases in the sense of human-typable strings have imho > limited usefulness anyway - in most cases these identification strings > will be communicated through other electronic means anyway. > > Furthermore, the embedded bitcoin address could be hidden from the user: > retrieved when first connecting, and stored together with the URI in > an address book. Like ssh, it could warn the user if the key changes > (which wil be ignored by most users anyway, but what do you do about > that?) > > -- > Pieter > > > ------------------------------------------------------------------------------ > Learn Windows Azure Live! Tuesday, Dec 13, 2011 > Microsoft is holding a special Learn Windows Azure training event for > developers. It will provide a great way to learn Windows Azure and what it > provides. You can attend the event by watching it streamed LIVE online. > Learn more at http://p.sf.net/sfu/ms-windowsazure > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development >