Author: P G 2021-03-04 15:56:10
Published on: 2021-03-04T15:56:10+00:00
In a recent Bitcoin-dev mailing list thread, Thomas Voegtlin expressed his dislike of the BIP70 standard. He did, however, find one of its features useful: payment requests were signed. He explained that when sending bitcoins to an exchange, he would like to receive a signed request as proof that the exchange asked him to send coins to a particular address. This is especially important in case the exchange has been hijacked by someone working there. No exchange ever implemented this feature, but Thomas believes that, if implemented, it could guide users' decisions to use one exchange over its competitors.

Andrew Kozlik also shared his experimental implementation of a new payment request format in Trezor T, which he claims is similar to BIP70 but with some key differences. First, it does not rely on X.509 and instead uses a mandatory signature for protection against man-in-the-middle attacks. Second, it can be used to solve problems with coin exchange, ensuring that the sender has the correct BTC address and the receiving party has the correct LTC address. Finally, it uses an optional nonce for replay protection.

Charles Hill shared a URL signing scheme for use with LNURL as a method for authorizing payments on behalf of offline devices or applications. The scheme generates an API key to be shared between a server and an offline device or application. A random nonce is generated, and a query string is built with the ID, nonce, tag, server parameters, and any custom parameters. The payload is sorted alphabetically and signed using HMAC-SHA256, and the signature is then appended to it. Hill suggests that the scheme could be modified to fit better with the use-case described by Thomas, such as removing the tag and LNURL-specific parameters and using pub/priv key signing instead.
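
The signing steps Hill describes, with the matching server-side check, as an added Python example that is not code from the thread or from any LNURL implementation. The parameter names `id`, `nonce`, `tag` and `signature`, the hex encoding of the MAC, the URL-encoded canonical form and the server's nonce store are assumptions; the key and request values are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

def build_payload(fields):
    """Canonical payload: pairs sorted alphabetically by key, then URL-encoded."""
    return urlencode(sorted(fields.items()))

def sign_query(key_id, key, tag, params, nonce=None):
    """Device side: build the sorted payload, HMAC-SHA256 it, append the signature."""
    fields = dict(params, id=key_id, nonce=nonce or secrets.token_hex(12), tag=tag)
    payload = build_payload(fields)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "&signature=" + sig

def verify_query(query, keys, seen_nonces):
    """Server side: return the verified fields, or None if the request is rejected."""
    pairs = parse_qsl(query, keep_blank_values=True)
    fields = dict(pairs)
    if len(fields) != len(pairs):      # repeated parameter names are ambiguous
        return None
    sig = fields.pop("signature", "")
    key = keys.get(fields.get("id", ""))
    nonce = fields.get("nonce", "")
    if key is None or not nonce:       # unknown API key id or missing nonce
        return None
    expected = hmac.new(key, build_payload(fields).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):  # constant time
        return None
    if (fields["id"], nonce) in seen_nonces:   # same signed URL presented again
        return None
    seen_nonces.add((fields["id"], nonce))     # recorded only after the MAC checks out
    return fields

if __name__ == "__main__":
    # Constructed sample: one shared API key and one withdraw-style request.
    keys = {"device-01": b"constructed-demo-key"}
    seen = set()
    url_query = sign_query("device-01", keys["device-01"], "withdrawRequest",
                           {"minWithdrawable": "1000", "maxWithdrawable": "5000"})
    print(url_query)
    print("first use:", verify_query(url_query, keys, seen) is not None)
    print("replayed :", verify_query(url_query, keys, seen) is not None)
```

Because the key is shared, the server could produce the same signature itself, so this proves a request's origin only to the server and not to a third party; that is the gap Hill's suggested switch to pub/priv key signing would address for Thomas's use-case.
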
Updated on: 2023-06-14T18:17:41.686928+00:00