>
> Some more use cases might be:
> Waiting in comfort:
>  - Send a payment ahead of time, then wander over and collect the goods
> after X confirmations.
>
> Authorized pickup :
>  - Hot wallet software used by related people could facilitate the use
> of 1 of N multisig funds.  Any one of the N wallets could collect goods
> and services purchased by any of the others.

I like this one, because it shows the power of reusing the transaction data
structure.

>
> Non-monetary gifts:
>  - Sender exports spent keys to a beneficiary, enabling PoP to work as a
> gift claim
>
> Contingent services:
>  - Without Bob's permission, a 3rd party conditions action on a payment
> made from Alice to Bob.  For example, if you donated at least .02 BTC to
> Dorian, you (or combining scenarios, any of your N authorized family
> members), can come to my dinner party.

This is an interesting one.

>
> I tried out your demo wallet and service and it worked as advertised.
>
> Could the same standard also be used to prove that a transaction COULD
> BE created?  To generalize the concept beyond actual payments, you could
> call it something like proof of payment potential.

I guess it's possible, but we'd have to remove the txid from the output,
since there is none. This is a way of saying "I'm in control of these
addresses". The other party/parties can then verify the funds on the
blockchain and watch those addresses for changes. Maybe there are some
interesting use cases here. Ideas?

>
> Why not make these proofs permanently INVALID transactions, to remove
> any possibility of their being mined and spending everything to fees
> when used in this way, and also in cases involving reorganizations?

Yes. Initially I thought it would be enough that the funds are already
spent, but I think you're right here. Reorgs could be a problem. Worse, you
also might want to prove 0-confirmation transactions, in which case it's a
huge security problem. Someone might intercept the PoP and publish it on
the bitcoin network, spending all the funds. But I still would like wallets
to be able to build/verify PoPs with little or no modifications. Could we
possibly change the version number on the PoP to something other than 1?
Maybe 2^4-1? Or a really high lock_time, but it would not make it invalid,
just delayed. Any suggestions here?

>
> I agree that PoP seems complementary to BIP70.
>
>

Thank you very much for your comments!

/Kalle