public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: "Jeremy Spilman" <jeremy@taplink•co>
To: "Bitcoin Dev" <bitcoin-development@lists•sourceforge.net>,
	"Mike Hearn" <mike@plan99•net>
Subject: Re: [Bitcoin-development] BIP70 extension to allow for identity delegation
Date: Sun, 02 Mar 2014 02:38:04 -0800	[thread overview]
Message-ID: <op.xb3btqp7yldrnw@laptop-air> (raw)
In-Reply-To: <CANEZrP1eABw_x8o-Z9ac23e-dVvUWfZJ-hKfAak=-NicPhUv9g@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3966 bytes --]

On Fri, 28 Feb 2014 03:46:49 -0800, Mike Hearn <mike@plan99•net> wrote:

> 3) Whilst these payment processors currently verify merchants so the  
> security risk is low, in future a lighter-weight model or competing  
> sites that >allow open signups would give a weak security situation: a  
> hacker who compromised your computer could sign up for some popular  
> payment >processor under a false identity (or no identity), and wait  
> until you use your hacked computer to make a payment to someone else  
> using the same >payment processor. They could then do an identity swap  
> of the real payment request for one of their own, and your Trezor would  
> still look the same. >Avoiding this is a major motivation for the entire  
> system!

Let me restate that, it's a huge problem...

Alice's system is compromised,
Mallory intercepts a payment request being sent to Alice from payment  
processor X on behaf of merchant X.
Mallory regenerates a spoof payment request which pays to M, from the same  
payment processor
Alice can't tell Mallory's spoofed PR apart from Merchant X's and thinks  
she's paying Merchant X

It might be a bit challenging for M to generate the new PR on-the-fly  
without being noticed, but that's not a security guarantee.

Perhaps the UI just isn't expressive enough currently to expose this  
situation in any way, let alone reliably alert the user to the issue,  
because there's no way for the payment processor to get authenticated  
fields other than memo into the UI.

Today the only solution is for the payment processor to strictly control  
the 'memo' field so Mallory wouldn't be able to make his own PR that  
looked exactly like merchant Y's. But maybe it's too subtle to make  
payment processors embed that kind of information.

So is the main goal is to provide a structured way to embed this  
information in the PR and expect that user interfaces will display them to  
end users? If that's the case, I don't think we need an entirely secondary  
certificate, or cross signing from a secondary ECDSA key.

A poor solution: If the UI included some sort of certificate viewer, even  
just tied to the OS certificate viewer, and made the cert available for  
inspection, at least the merchant would have a chance to put some fields  
in there which a very advanced user might actually find. But this was  
discussed a while ago and I think the primary problem is the difficulty in  
getting a CA to let you embed any additional fields in your certificate in  
the first place, plus you don't want to generate a new cert for each  
merchant.

A somewhat better option: Some additional fields defined in an extension  
which are reliably shown in the UI. We could try to define specific  
fields, like 'DelegateCN' which would possibly override the primary CN...  
As an aside, I think you can never allow actually overriding the CN  
displayed in the UI directly, the most you can do is add another field in  
the UI to show this string. First I need to know it's from Payment  
Processor X, and then maybe we can let the payment processor make some  
additional claim, like yes you are paying irs.gov. You can't give the  
impression that Payment Processor X is not actually man-in-the-middle.

Maybe the simplest would be a single field expected to contain a delimited  
key/value string (of course JSON) which could be shown as additional lines  
of labeled text in the UI. I don't want to give the "merchant" too much  
dynamic control over what the user's screen will display, but making it  
somewhat dynamic might add some future proofing.

I think any additional extension fields should be hashed using the hash  
function specified in pki_type and signed by X509Certificates.certifcate  
private key. No extended_certs required -- I'm thinking something like;

message PaymentRequest {
// new field
  optional bytes extended_properties = 6;
  optional bytes extended_properties_sig = 7;
}


Thanks,
Jeremy

[-- Attachment #2.1: Type: text/html, Size: 4521 bytes --]

  reply	other threads:[~2014-03-02 10:38 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-02-28 11:46 Mike Hearn
2014-03-02 10:38 ` Jeremy Spilman [this message]
2014-03-02 10:44   ` Mike Hearn
     [not found] ` <1393704464.6290.118.camel@mimiz>
2014-03-01 20:42   ` Kevin Greene
2014-03-02 10:57   ` Mike Hearn
2014-03-02 15:20 ` Andreas Schildbach
2014-03-02 16:14   ` Mike Hearn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=op.xb3btqp7yldrnw@laptop-air \
    --to=jeremy@taplink$(echo .)co \
    --cc=bitcoin-development@lists$(echo .)sourceforge.net \
    --cc=mike@plan99$(echo .)net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox