Author: Paul Puey 2015-02-06 00:49:12
Published on: 2015-02-06T00:49:12+00:00
The conversation between Eric Voskuil and Martin Habovstiak discusses using encryption with forward secrecy to resolve integrity issues with BIP-70 signed payment requests. The problem, however, lies in verifying ownership of the public key, since a man-in-the-middle (MITM) can substitute it. The solution is to bootstrap a private session over the untrusted network using a trusted public key, but this process is subject to attack at the certificate authority (CA). A web of trust (WoT) is not subject to a CA attack because it is decentralized, but it is also not sufficiently deployed for some scenarios. Trust can be considered bootstrapped by visual verification of the address prefix. It is suggested that if someone is concerned about someone jamming a Bluetooth signal in a coffee shop, the UI can encourage verification of the prefix, much as regular Bluetooth requires 'pairing' by entering a 4-6 digit code.
Updated on: 2023-06-09T16:34:55.216540+00:00