Alan,<br><br><div class="gmail_quote">On Wed, Apr 4, 2012 at 2:01 AM, Alan Reiner <span dir="ltr"><<a href="mailto:etotheipi@gmail.com" target="_blank">etotheipi@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<u></u>
<div bgcolor="#ffffff" text="#000000">There is all this fanfare around P2SH and how multi-sig is the
solution to all these security problems, but how the hell do you use
it? I believe that BIP 10 (or successor) is <b>critical<i> </i></b>to
the success of multi-sig, because the greatest barrier to using
multi-sig will be the ability to actually execute them in less than
14 steps. And if every client implements it differently, there's
even less chance it will be used (assuming the userbase reaches any
level of client diversity). <br></div></blockquote><div><br></div><div>That is a laudable goal. </div><div><br></div><div>So your proposal is about signing "Preformatted messages from sites" to make financial transactions more secure, not arbitrary user-to-user messages such as email. That really restricts the scope, which is good.</div>
<div><br></div><div>In this case there is no use for S/MIME, which deals with encoding/signing multipart mail messages. And no need to deal with MIME headers, html, or embedded images, and such. And we can simply require one character encoding, no need to support hundreds.</div>
<div><br></div><div>The "request signing" bitcoin URL makes sense in my eyes. Less copy/pasting is good. Do mind that there is usually a URL size limit (depending on the browser) so this cannot be used for long messages/contracts. A possible solution would be to make an option to pass the address where the message can be retrieved (and maybe also where the signature must be sent, to save a copy-paste back?).</div>
<div><br></div><div>Looking at existing solutions, the only other "sign request" that I know of is the CSR (<a href="https://en.wikipedia.org/wiki/Certificate_signing_request">https://en.wikipedia.org/wiki/Certificate_signing_request</a>) but the functionality and goal is very different.</div>
<div><br></div><div>It'd be useful (and IMO most important) to write down some use-cases in which this makes P2SH easier and less involved. How many steps can be eliminated of the 14?</div><div><br></div><div>Wladimir</div>
<div>BTW: we also still need a BIP to define URL signing / authentication itself. </div><div><br></div></div>