1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
|
Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194]
helo=mx.sourceforge.net)
by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <mh.in.england@gmail.com>) id 1YGW0V-0003A1-Tb
for bitcoin-development@lists.sourceforge.net;
Wed, 28 Jan 2015 17:02:23 +0000
Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com
designates 74.125.82.179 as permitted sender)
client-ip=74.125.82.179; envelope-from=mh.in.england@gmail.com;
helo=mail-we0-f179.google.com;
Received: from mail-we0-f179.google.com ([74.125.82.179])
by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1YGW0T-0001RW-Di
for bitcoin-development@lists.sourceforge.net;
Wed, 28 Jan 2015 17:02:23 +0000
Received: by mail-we0-f179.google.com with SMTP id q59so22025566wes.10
for <bitcoin-development@lists.sourceforge.net>;
Wed, 28 Jan 2015 09:02:16 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.180.207.10 with SMTP id ls10mr9076018wic.7.1422464535340;
Wed, 28 Jan 2015 09:02:15 -0800 (PST)
Sender: mh.in.england@gmail.com
Received: by 10.194.188.9 with HTTP; Wed, 28 Jan 2015 09:02:15 -0800 (PST)
In-Reply-To: <2225268.rOb4P6uJX2@crushinator>
References: <CALYO6Xt-jTYwpywUaH-s4YPYyGUp1_BLSEswscnwX+Vu166Lcw@mail.gmail.com>
<CANEZrP3PCHaTO3-HA3GHFxwuJJpW2dbvPuV4R1sFPcFW49uGgw@mail.gmail.com>
<54C90C2B.3090708@bitonic.nl> <2225268.rOb4P6uJX2@crushinator>
Date: Wed, 28 Jan 2015 18:02:15 +0100
X-Google-Sender-Auth: lUYirAznDtBClyAGyDPii_3L93Q
Message-ID: <CANEZrP2f=+J7OMW3WEf=BZq0MC-xAVBSkDHRTZspu0pgNrU5LA@mail.gmail.com>
From: Mike Hearn <mike@plan99.net>
To: Matt Whitlock <bip@mattwhitlock.name>
Content-Type: multipart/alternative; boundary=001a11c3f51a55ad44050db9554f
X-Spam-Score: -0.5 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(mh.in.england[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
1.0 HTML_MESSAGE BODY: HTML included in message
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1YGW0T-0001RW-Di
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] BIP70: why Google Protocol Buffers for
encoding?
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Wed, 28 Jan 2015 17:02:24 -0000
--001a11c3f51a55ad44050db9554f
Content-Type: text/plain; charset=UTF-8
>
> I'm frankly _horrified_ to learn that BitcoinJ ships its own root CA
> certificates bundle. This means that, if a root CA gets breached and a
> certificate gets revoked, all BitcoinJ-using software will be vulnerable
> until BitcoinJ ships an update *and* the software in question pulls in the
> new BitcoinJ update and releases its own update. That might never happen.
If your wallet is unmaintained, you have other problems beyond (extremely
rare) root CA revocations.
As far as I know the only time a CA in wide usage has been revoked entirely
is DigiNotar.
One advantage of doing it this way is if, for example, a widely used piece
of community infrastructure (e.g. bitcointalk, reddit, whatever) decides to
become a CA, the Bitcoin community can decide to have different inclusion
rules vs the OS/browser root CA programs. For example we'd probably relax
the constraint to use an HSM and just ensure that the rendering of the
asserted identity isn't confusible with other kinds of more strongly
protected identities. For example no forum usernames like "foo.com" but
rendering it in the UI as "Reddit forum user foo.com" would be OK.
Also you don't get problems due to old operating systems not including new
certs.
Finally, Linux doesn't have any kind of standardised cert/keystore API.
There are a few places where popular distros put certs but AFAIK they
aren't standardised and there's no standard code to load them. So that's
another reason why there's a built in store.
But yes, this is a debatable topic on which reasonable people can disagree.
The API makes it easy to use the platform OS store for wallet devs that
want to do that, and I think using the platform store on Android is the
default. It's only on the desktop where we fall back to a different store.
--001a11c3f51a55ad44050db9554f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote"><blo=
ckquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #c=
cc solid;padding-left:1ex">I'm frankly _horrified_ to learn that Bitcoi=
nJ ships its own root CA certificates bundle. This means that, if a root CA=
gets breached and a certificate gets revoked, all BitcoinJ-using software =
will be vulnerable until BitcoinJ ships an update *and* the software in que=
stion pulls in the new BitcoinJ update and releases its own update. That mi=
ght never happen.</blockquote><div><br></div><div>If your wallet is unmaint=
ained, you have other problems beyond (extremely rare) root CA revocations.=
</div><div><br></div><div>As far as I know the only time a CA in wide usage=
has been revoked entirely is DigiNotar.</div><div><br></div><div>One advan=
tage of doing it this way is if, for example, a widely used piece of commun=
ity infrastructure (e.g. bitcointalk, reddit, whatever) decides to become a=
CA, the Bitcoin community can decide to have different inclusion rules vs =
the OS/browser root CA programs. For example we'd probably relax the co=
nstraint to use an HSM and just ensure that the rendering of the asserted i=
dentity isn't confusible with other kinds of more strongly protected id=
entities. For example no forum usernames like "<a href=3D"http://foo.c=
om">foo.com</a>" but rendering it in the UI as "Reddit forum user=
<a href=3D"http://foo.com">foo.com</a>" would be OK.</div><div><br></=
div><div>Also you don't get problems due to old operating systems not i=
ncluding new certs.</div><div><br></div><div>Finally, Linux doesn't hav=
e any kind of standardised cert/keystore API. There are a few places where =
popular distros put certs but AFAIK they aren't standardised and there&=
#39;s no standard code to load them. So that's another reason why there=
's a built in store.</div><div><br></div><div>But yes, this is a debata=
ble topic on which reasonable people can disagree. The API makes it easy to=
use the platform OS store for wallet devs that want to do that, and I thin=
k using the platform store on Android is the default. It's only on the =
desktop where we fall back to a different store.</div></div></div></div>
--001a11c3f51a55ad44050db9554f--
|