Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of petertodd.org
	designates 62.13.149.75 as permitted sender)
	client-ip=62.13.149.75; envelope-from=pete@petertodd.org;
	helo=outmail149075.authsmtp.net; 
Date: Mon, 31 Mar 2014 13:21:14 +0200
From: Peter Todd <pete@petertodd.org>
To: vv01f <vv01f@riseup.net>, Natanael <natanael.l@gmail.com>
Message-ID: <20140331112114.GB30139@tilt>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="VywGB/WGlW4DM4P8"
Content-Disposition: inline
In-Reply-To: <CAAt2M19HNUjr2OET5YjOB9YQKptOtVAmcPXWwoaxPHVTLOMYbg@mail.gmail.com>
	<5339418F.1050800@riseup.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] secure assigned bitcoin address directory
Precedence: list


--VywGB/WGlW4DM4P8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Mar 31, 2014 at 12:21:03PM +0200, vv01f wrote:
> Some users on bitcointalk[0] would like to have their vanity addresses
> available for others easily to find and verify the ownership over a kind
> of WoT. Right now they sign their own addresses and quote them in the
> forums.
> As I pointed out there already the centralized storage in the forums is
> not secury anyhow and signed messages could be swapped easily with the
> next hack of the forums.
>=20
> Is that use case taken care of in any plans already?
>=20
> I thought about abusing pgp keyservers but that would suit for single
> vanity addresses only.
> It seems webfinger could be part of a solution where servers of a
> business can tell and proof you if a specific address is owned by them.

Good timing! I'm at a hackathon right now working with a group to come
up with a standard for adding Bitcoin addresses to OpenPGP keys. You're
correct in thinking that doing so with standard Bitcoin addresses is a
privacy problem, however we can also define new types of Bitcoin
addresses that address the privacy issue; stealth addresses can handle
the case where you want to pay someone without a formal payment request,
and integrating OpenPGP into the payment protocol handles the scenario
where you want to send or pay to a formal payment request.


On Mon, Mar 31, 2014 at 12:49:14PM +0200, Natanael wrote:
> Does't BIP70 cover this already via Certificate Authorities?

Incidentally on my todo list is to come up for a reasonable standard for
taking X.509 certificates and using them to sign OpenPGP user IDs.
Essentially the certificate authority is then making the statement that
a keypair is authorized to sign on behalf of a domain-name, and in turn
that keypair signs that the email address on the user ID is correct.
It's a best of both worlds option in the same spirit of keybase.io

--=20
'peter'[:-1]@petertodd.org
0000000000000000f4f5ba334791a4102917e4d3f22f6ad7f2c4f15d97307fe2

--VywGB/WGlW4DM4P8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQGcBAEBCAAGBQJTOU+mAAoJEGJeboN5AaHKX+oL/jPde/D6uECroJem3S3Etohq
aOwmSs5sR4ZFJCbvkQJa3e2OK6EnTQSZkwyNDI6VFZi3GZKznC+CAByAd5AXea6D
gDqx/hWyd1T/P7IrSi+dhmVqi+8CrbECyJlM8ELH37ydz+7D1uklwZlSKmw1mSSe
JJ4JN0EguKhMy/ehTElLuZ2b+jX8nx3DlIIdKesrXnRuCbeiSA6beEMcsZ/WWKqE
fTaTInknEz0muaOCfIbEkBIO3uxhDFi5lHgsLFn1j2Sx+zgjOtNwyHlbRULffgXw
PhEHRgV1ijGQPXWyJZG2hg9hOVtAsppK0hCCkFC04TqlPTVrU8Edy2+Ui9ElhLzr
18lIq+FxnDoayYjmvj3NaCue8Q9U2HghHdFhVCyEKNt+QuOKI5O7tN3tFmQizVVS
bX3q/ktqri8Ia8fN1Beq3vX9WyYTUHsS1vi6ADhpCAHdgft1w7GakL7Ze8MzQpzC
bGBgn39mq34/nAt8LHYTSPGqW28gkUG3rdKFDQ+GBw==
=0cH8
-----END PGP SIGNATURE-----

--VywGB/WGlW4DM4P8--