Published on: 2013-12-06T10:44:32+00:00
On November 6, 2013, a discussion was held on the storage of private keys in relation to cryptocurrency. The conversation mentioned the use of Trezor, a hardware wallet for storing Bitcoin private keys. Another topic discussed was the use of Secure QR Login (SQRL), a simplified authentication system that uses QR codes.The conversation also touched on the possibility of storing crypto in the browser using NSS, but it was noted that Bitcoin's curve may not be supported due to lack of NIST approval. However, if a compelling use case is presented, it could potentially be added.In an email exchange between Johnathan Corgan and bitcoingrant, the signing of an arbitrary string by the server was discussed. Bitcoingrant suggested XORing the string with a randomly generated nonce before signing it, and passing both the nonce and signature back to the server for verification. The conversation also mentioned the little-known HTTP code 402, "Payment Required," and provided contact information and a link to Corgan Labs, which offers SDR Training and Development Services.Slush suggested that in order to replace passwords with digital signatures, the message-to-be-signed should be structured and human-readable. Slush also raised concerns about where private keys are stored, but suggested that client-side certificates can be used to solve this problem. Two methods were explained for using client-side certificates, both of which have been used by Slush for over five years.A new Message Signing based authentication method was introduced in celebration of the 5-year anniversary of the Bitcoin whitepaper. The method involves the server providing a token for the client to sign, and the client passing back the signed message and Bitcoin address for validation. A proof of concept forum utilizing this method was provided, with plans to make the source code available on Github.The security of token signing was discussed, with suggestions made to modify or structure the token to avoid unintentional signatures. The Diffie-Hellman key exchange protocol was proposed as a standard way to avoid producing unintentional signatures.The distinction between what is required and what is strongly recommended in terms of reusing EC keys and addresses for transactions was discussed. It was argued that reusing keys should be seen as a best practice rather than a protocol requirement.On November 3, 2013, Allen Piscitello shared a use case where generating a new key for a Multisig Refund Transaction was necessary. It was noted that Bitcoin as a system has always required a unique EC key and address for each transaction.In a discussion on November 2, 2013, Allen Piscitello expressed concerns about signing a refund transaction before the original transaction is broadcast. Luke-Jr commented that there is no use case for signing with an address that has already been sent coins, but it was acknowledged that there is no way to stop someone from sending to an "identity" address.The concern of signing a refund transaction before the original transaction is broadcast was raised in multiple email threads. It was suggested to require sending the full transaction instead of just a hash to ensure security. The importance of use cases being grounded in actual needs rather than laziness was emphasized.A white paper on passwordless secure login based on bitcoin/bitmessage technology has been shared by alk.org. This technology aims to create a secure login without the need for passwords. The post was signed using PGP encryption.In an email thread from November 2, 2013, Mike Hearn discussed the use of client certificates for authentication. He acknowledged that while browser manufacturers have not optimized the user experience for this method, it is still possible. Hearn cited a Mozilla Labs project as an example. However, he noted that more popular options like OAuth or Persona operate on a trusted third-party model, creating a conflict of interest since browser manufacturers are often identity providers. Hearn expressed his preference for controlling his own identity with Public Key Infrastructure (PKI), but acknowledged that major players like Facebook and webmail providers dominate the market. The email thread also included a link to a white paper on secure code signing practices for Android apps.The authentication process described in the context involves a server providing a token to the client, which is then signed by the client and sent back along with a Bitcoin address. The server then validates the message and uses the provided alias (optional) and Bitcoin address for identification. A detailed article on this authentication method can be found on the website pilif.github.io, which explores why SSL client certificates are not widely used.On November 2, 2013, a celebration was held for the 5th anniversary of the Bitcoin whitepaper. As part of the celebration, a new authentication method called Message Signing was introduced. In this method, the server provides a token for the client to sign, which is then passed back to the server along with the client's bitcoin address. The server validates the message and uses the alias and bitcoin address for identification.
Updated on: 2023-08-01T06:22:02.845121+00:00