<div dir="ltr"><div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)">It took some time but we have finally implemented bluetooth integration offered by Andreas in our bitcoin payment terminals.<br>
</div>
<div class="gmail_extra"><div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)"><br></div><div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)">
However it's not ideal at the moment. Basically the main problem is that in the BIP72 there is no way to provide a fallback alternative URI for payment request fetch if client wallet supports BIP70 but doesn't not support fetching over bluetooth or bluetooth connection fails for any reason. </div>
<div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)">There is a way to define alternative URIs inside payment request itself, but that doesn't really work as client first needs to get payment request message itself somehow and this is exactly the problem.</div>
<div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)"><br></div><div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)">As far as I see there is three ways to solve that:</div>
<div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)">1. add new URI parameter for bluetooth address </div><div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)">
(e.g. r=http://<web_address>&rbt=bt:<BT_MAC_addres>). </div><div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)">2. allow multiple "r" parameters </div>
<div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)"> (e.g. r=http://<web_address>&r=bt:<BT_MAC_addres>).</div><div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)">
3. allow "r" to be an array </div><div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)"> (e.g. r%5B0%5D=http://<web_address>&r%5B1%5D=bt:<BT_MAC_addres>).</div>
<div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)"><br></div><div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)">Option #1 isn't great at all, as it solves existing problem, but not provides any way to solve same problem appearing again for another possible protocol.</div>
<div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)"><br></div><div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)">Options #2 & #3 may be working and seem to be nearly equal, and both are not great in the way that URI parser behavior in these cases is not clearly defined. I've checked through relevant RFCs and found nothing specific about this. According to my limited web experience the array scheme is working better than multiple repeating parameters. </div>
<div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)"><br></div><div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)">So I'm looking for some advice on which route of three proposed may be better here, or if there are any other ways I'm missing. </div>
<div class="gmail_default" style="font-family:'courier new',monospace;color:rgb(0,51,0)"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-03-27 13:31 GMT+00:00 vv01f <span dir="ltr"><<a href="mailto:vv01f@riseup.net" target="_blank">vv01f@riseup.net</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="auto"><div>Companies can have a Cert with their name via CAcert. It requires some work though to get assured as an organisation.</div><div>Did you already think about what CA is to be trusted or do users need to do that. The least good decision in my POV would be to accept OS/browser built in CAs only.</div>
<div><br>Am 27.03.2014 um 11:08 schrieb Mike Hearn <<a href="mailto:mike@plan99.net" target="_blank">mike@plan99.net</a>>:<br><br></div><div><div><blockquote type="cite"><div><div dir="ltr"><div class="gmail_extra">
<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
But these cases are the norm, rather than the exception.<br></blockquote><div><br></div><div>Well, you're lucky, you live in Berlin. Most of the payments I make with Bitcoin are online, to websites. So this will differ between people.</div>
<div></div></div></div><div class="gmail_extra"><br></div><div class="gmail_extra">I wonder how critical it is. Let's say you are paying for a meal. In your head the place you're at is just "the little Indian restaurant on the corner". In the companies register and therefore certificate it's something like "Singh Food GmbH". That's probably good enough to prevent shenanigans. Even if there's a virus on your phone, it can't really replace the cert with a random stolen one, otherwise your meal could show up like "IronCore Steel Inc" or something that's obviously bogus. It'd have to be an incredibly smart virus that knew how to substitute one name for a different one, from a large library of stolen identities, such that the swap seemed plausible. That sounds very hard, certainly too hard to bother with for stealing restaurant fees.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">And if a waiter at the restaurant is corrupt and they replace the cert with one that's for their own 1-man business "BP-Gupta" or something, OK, you might pay the wrong person by mistake. But eventually the corrupt waiter will be discovered and then someone will have proof of what they did. It's FAR more likely they'd just strip the signature entirely and try to convince you the restaurant doesn't use BIP70 at all.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Still, if we want to fix this, one approach I was thinking about is to have a super-cheesy CA just for us that issues certs with addresses in them, for any name you ask for. That is, if you say you want a cert for "Shamrock Irish Pub, Wollishofen, Zurich, CH" then it either sends a postcard to that address with a code to check ownership of the address, or it checks ownership of the place on Google Maps (which does the same postcard trick but for free!).</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">That doesn't work for vending machines, but perhaps we just don't care about those. If a MITM steals your lunch money, boo hoo.</div><div class="gmail_extra">
<br></div></div>
</div></blockquote></div></div><div><blockquote type="cite"><div><span>------------------------------------------------------------------------------</span><br></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br>
<span>Bitcoin-development mailing list</span><br><span><a href="mailto:Bitcoin-development@lists.sourceforge.net" target="_blank">Bitcoin-development@lists.sourceforge.net</a></span><br><span><a href="https://lists.sourceforge.net/lists/listinfo/bitcoin-development" target="_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-development</a></span><br>
</div></blockquote></div></div><br>------------------------------------------------------------------------------<br>
<br>_______________________________________________<br>
Bitcoin-development mailing list<br>
<a href="mailto:Bitcoin-development@lists.sourceforge.net" target="_blank">Bitcoin-development@lists.sourceforge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/bitcoin-development" target="_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-development</a><br>
<br></blockquote></div><br></div></div>