From: Mike Hearn <mike@plan99•net>
To: "Eric Larchevêque" <elarch@gmail•com>
Cc: Bitcoin Dev <bitcoin-development@lists•sourceforge.net>
Subject: Re: [Bitcoin-development] Draft BIP for seamless website authentication using Bitcoin address
Date: Fri, 4 Apr 2014 17:37:35 +0200 [thread overview]
Message-ID: <CANEZrP3exbwE0AuZCXQNEC-UoZ0BmTHTpSG6rZsjbwmpKahtCQ@mail.gmail.com> (raw)
In-Reply-To: <CA+WZAErh6M6BV1imAXZaHQjX+5RKtj7Ma7_-+5KW9BpLw354Sg@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2614 bytes --]
Hmmm, well TREZOR requires a web plugin. So if nobody installs plugins then
we have a problem :) But regardless, actually like I said, you don't need a
plugin. Browsers do it all already. With the <keygen> tag they even create
a private key and upload the public part to be signed for you, it's
seamless for the user. I wanted to give you a link to a demo site, but I
can't find it anymore :(
So there's not even a need for people to upgrade anything! It's all there,
already, for everyone.
If you were to make some upgrades, then you'd want to focus on key
management, which indeed is something the Bitcoin world is trying hard to
solve. But that's a small subcomponent. Making a modified version of
Chrome or Firefox that can take their key from a BIP32 hierarchy or
12-words scheme is certainly possible, but then you could still reuse all
the rest of it.
Something I'd really like to see is TREZOR supporting a simple
request/response protocol that a server can trigger, via the USB plugin,
that would allow a server to display some arbitrary text and get a
confirmation. Slush and I talked about it before. There are a LOT of places
that don't care about Bitcoin but do need some kind of safe second factor
auth where users know what they are confirming (e.g. at Google!). If TREZOR
could be used for these things too, that'd increase demand and help push
down prices for Bitcoin users.
On Fri, Apr 4, 2014 at 5:09 PM, Eric Larchevêque <elarch@gmail•com> wrote:
> On Fri, Apr 4, 2014 at 4:56 PM, slush <slush@centrum•cz> wrote:
>
>> I'm cracking my head for many months with the idea of using TREZOR for
>> web auth purposes. Unfortunately I'm far from any usable solution yet.
>>
>> My main comments to your BIP: Don't use bitcoin addresses directly and
>> don't encourage services to use this "login" for financial purposes. Mike
>> is right, mixing authentication and financial services is wrong. Use some
>> function to generate other private/public key from bitcoin's seed/private
>> key to not leak bitcoin-related data to website.
>>
>>
> I'm probably very naive, but the fact that the authentication key is your
> Bitcoin address was for me a great feature :)
> What are the risks associated of id yourself with a bitcoin address you
> plan to use on the website for transaction ?
>
> I mean, what is the difference between doing that, and id with a
> login/pass and add your bitcoin address in a settings field ? (knowing you
> could always find a mechanism to transfer the account to another bitcoin
> address if needed)
>
> Eric
>
>
[-- Attachment #2: Type: text/html, Size: 3607 bytes --]
next prev parent reply other threads:[~2014-04-04 15:37 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-04 12:15 Eric Larchevêque
2014-04-04 13:08 ` Mike Hearn
2014-04-04 13:22 ` Eric Larchevêque
2014-04-04 13:32 ` Gavin Andresen
2014-04-04 13:47 ` Eric Larchevêque
2014-04-07 20:08 ` Troy Benjegerdes
2014-04-07 21:55 ` Ricardo Filipe
2014-04-07 22:00 ` Eric Martindale
2014-04-04 13:43 ` Mike Hearn
2014-04-04 13:47 ` Jeff Garzik
2014-04-04 13:54 ` Mike Hearn
2014-04-04 14:42 ` Eric Larchevêque
2014-04-04 14:51 ` Mike Hearn
2014-04-04 14:56 ` Eric Larchevêque
2014-04-08 3:28 ` Jeff Garzik
2014-04-08 8:13 ` Mike Hearn
2014-04-08 15:19 ` Jeff Garzik
2014-04-22 6:34 ` Jan Møller
2014-04-22 8:57 ` Eric Larchevêque
2014-04-04 15:00 ` slush
2014-04-04 14:56 ` slush
2014-04-04 15:09 ` Eric Larchevêque
2014-04-04 15:28 ` slush
2014-04-04 15:37 ` Mike Hearn [this message]
2014-04-04 15:42 ` slush
2014-04-04 16:00 ` Eric Larchevêque
2014-04-04 15:03 ` Eric Larchevêque
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANEZrP3exbwE0AuZCXQNEC-UoZ0BmTHTpSG6rZsjbwmpKahtCQ@mail.gmail.com \
--to=mike@plan99$(echo .)net \
--cc=bitcoin-development@lists$(echo .)sourceforge.net \
--cc=elarch@gmail$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox