Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WK3mf-00032f-K1 for bitcoin-development@lists.sourceforge.net; Sun, 02 Mar 2014 10:38:13 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of taplink.co designates 50.117.27.232 as permitted sender) client-ip=50.117.27.232; envelope-from=jeremy@taplink.co; helo=mail.taplink.co; Received: from mail.taplink.co ([50.117.27.232]) by sog-mx-1.v43.ch3.sourceforge.com with smtp (Exim 4.76) id 1WK3me-0003si-Em for bitcoin-development@lists.sourceforge.net; Sun, 02 Mar 2014 10:38:13 +0000 Received: from laptop-air ([192.168.168.135]) by mail.taplink.co ; Sun, 2 Mar 2014 02:38:26 -0800 Content-Type: multipart/alternative; boundary=----------hsfupyWtnaTWPUmT1EHYyk To: "Bitcoin Dev" , "Mike Hearn" References: Date: Sun, 02 Mar 2014 02:38:04 -0800 MIME-Version: 1.0 From: "Jeremy Spilman" Organization: TapLink Message-ID: In-Reply-To: User-Agent: Opera Mail/1.0 (Win32) X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1WK3me-0003si-Em Subject: Re: [Bitcoin-development] BIP70 extension to allow for identity delegation X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 02 Mar 2014 10:38:13 -0000 ------------hsfupyWtnaTWPUmT1EHYyk Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit On Fri, 28 Feb 2014 03:46:49 -0800, Mike Hearn wrote: > 3) Whilst these payment processors currently verify merchants so the > security risk is low, in future a lighter-weight model or competing > sites that >allow open signups would give a weak security situation: a > hacker who compromised your computer could sign up for some popular > payment >processor under a false identity (or no identity), and wait > until you use your hacked computer to make a payment to someone else > using the same >payment processor. They could then do an identity swap > of the real payment request for one of their own, and your Trezor would > still look the same. >Avoiding this is a major motivation for the entire > system! Let me restate that, it's a huge problem... Alice's system is compromised, Mallory intercepts a payment request being sent to Alice from payment processor X on behaf of merchant X. Mallory regenerates a spoof payment request which pays to M, from the same payment processor Alice can't tell Mallory's spoofed PR apart from Merchant X's and thinks she's paying Merchant X It might be a bit challenging for M to generate the new PR on-the-fly without being noticed, but that's not a security guarantee. Perhaps the UI just isn't expressive enough currently to expose this situation in any way, let alone reliably alert the user to the issue, because there's no way for the payment processor to get authenticated fields other than memo into the UI. Today the only solution is for the payment processor to strictly control the 'memo' field so Mallory wouldn't be able to make his own PR that looked exactly like merchant Y's. But maybe it's too subtle to make payment processors embed that kind of information. So is the main goal is to provide a structured way to embed this information in the PR and expect that user interfaces will display them to end users? If that's the case, I don't think we need an entirely secondary certificate, or cross signing from a secondary ECDSA key. A poor solution: If the UI included some sort of certificate viewer, even just tied to the OS certificate viewer, and made the cert available for inspection, at least the merchant would have a chance to put some fields in there which a very advanced user might actually find. But this was discussed a while ago and I think the primary problem is the difficulty in getting a CA to let you embed any additional fields in your certificate in the first place, plus you don't want to generate a new cert for each merchant. A somewhat better option: Some additional fields defined in an extension which are reliably shown in the UI. We could try to define specific fields, like 'DelegateCN' which would possibly override the primary CN... As an aside, I think you can never allow actually overriding the CN displayed in the UI directly, the most you can do is add another field in the UI to show this string. First I need to know it's from Payment Processor X, and then maybe we can let the payment processor make some additional claim, like yes you are paying irs.gov. You can't give the impression that Payment Processor X is not actually man-in-the-middle. Maybe the simplest would be a single field expected to contain a delimited key/value string (of course JSON) which could be shown as additional lines of labeled text in the UI. I don't want to give the "merchant" too much dynamic control over what the user's screen will display, but making it somewhat dynamic might add some future proofing. I think any additional extension fields should be hashed using the hash function specified in pki_type and signed by X509Certificates.certifcate private key. No extended_certs required -- I'm thinking something like; message PaymentRequest { // new field optional bytes extended_properties = 6; optional bytes extended_properties_sig = 7; } Thanks, Jeremy ------------hsfupyWtnaTWPUmT1EHYyk Content-Type: multipart/related; boundary=----------hsfupyWtnaTWPU83yrMnql ------------hsfupyWtnaTWPU83yrMnql Content-Type: text/html; charset=iso-8859-15 Content-ID: Content-Transfer-Encoding: Quoted-Printable On Fri, 28 Feb 2014 03:46:49 -0800, Mike Hearn <mike@plan99.net= > wrote:

3) Whilst these payment processor= s currently verify merchants so the security risk is low, in future a li= ghter-weight model or competing sites that allow open signups would give= a weak security situation: a hacker who compromised your computer could= sign up for some popular payment processor under a false identity (or n= o identity), and wait until you use your hacked computer to make a payme= nt to someone else using the same payment processor. They could then do = an identity swap of the real payment request for one of their own, and y= our Trezor would still look the same. Avoiding this is a major motivatio= n for the entire system!

Let me restate = that, it's a huge problem...

Alice's system is = compromised,
Mallory intercepts a payment request being sent t= o Alice from payment processor X on behaf of merchant X.
Mallo= ry regenerates a spoof payment request which pays to M, from the same pa= yment processor
Alice can't tell Mallory's spoofed PR apart fr= om Merchant X's and thinks she's paying Merchant X

<= div>It might be a bit challenging for M to generate the new PR on-the-fl= y without being noticed, but that's not a security guarantee.
=
Perhaps the UI just isn't expressive enough currently to = expose this situation in any way, let alone reliably alert the user to t= he issue, because there's no way for the payment processor to get authen= ticated fields other than memo into the UI.

Today the only solution is for the payment processor to strictly co= ntrol the 'memo' field so Mallory wouldn't be able to make his own PR th= at looked exactly like merchant Y's. But maybe it's too subtle to make p= ayment processors embed that kind of information.

So is the main goal is to provide a structured way to embed this info= rmation in the PR and expect that user interfaces will display them to e= nd users? If that's the case, I don't think we need an entirely secondar= y certificate, or cross signing from a secondary ECDSA key.
<= div>
A poor solution: If the UI included some sort of certificate viewer= , even just tied to the OS certificate viewer, and made the cert availab= le for inspection, at least the merchant would have a chance to put some= fields in there which a very advanced user might actually find. But thi= s was discussed a while ago and I think the primary problem is the diffi= culty in getting a CA to let you embed any additional fields in your cer= tificate in the first place, plus you don't want to generate a new cert = for each merchant.
A somewhat better option: Some additional fields defined in an exte= nsion which are reliably shown in the UI. We could try to define specifi= c fields, like 'DelegateCN' which would possibly override the primary CN= ... As an aside, I think you can never allow actually overriding the CN = displayed in the UI directly, the most you can do is add another field i= n the UI to show this string. First I need to know it's from Payment Pro= cessor X, and then maybe we can let the payment processor make some addi= tional claim, like yes you are paying irs.gov. You can't give the impres= sion that Payment Processor X is not actually man-in-the-middle.

Maybe the simplest would be a single field expected to= contain a delimited key/value string (of course JSON) which could be sh= own as additional lines of labeled text in the UI. I don't want to give = the "merchant" too much dynamic control over what the user's screen will= display, but making it somewhat dynamic might add some future proofing.=  

I think any additional extension f= ields should be hashed using the hash function specified in pki_type and= signed by X509Certificates.certifcate private key. No extended_certs re= quired -- I'm thinking something like;

message = PaymentRequest {
// new field
 optional bytes extended_prope= rties =3D 6;
 optional bytes extended_properties_sig =3D = 7; 
}


Thanks,
= Jeremy
------------hsfupyWtnaTWPU83yrMnql-- ------------hsfupyWtnaTWPUmT1EHYyk--