<div dir="auto"><div>Thank you. </div><div dir="auto"><br></div><div dir="auto">I can't really see from your proposal if you had thought of this: A soft fork can make old nodes accept invalid message signatures as valid. For example, a "signer" can use a witness version unknown to the verifier to fool the verifier. Witness version is detectable (just reject unknown witness versions) but there may be more subtle changes. Segwit was not "detectable" in that way, for example. </div><div dir="auto"><br></div><div dir="auto">This is the reason why I withdrew BIP120. If you have thought about the above, I'd be very interested. </div><div dir="auto"><br></div><div dir="auto">/Kalle </div><div dir="auto"><br><div data-smartmail="gmail_signature" dir="auto">Sent from my Sinclair ZX81</div><div class="gmail_extra" dir="auto"><br><div class="gmail_quote">On 14 March 2018 at 16:10, "Karl Johan Alm via bitcoin-dev" &lt;<a href="mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
I am considering writing a replacement for the message signing tools<br>
that are currently broken for all but the legacy 1xx addresses. The<br>
approach (suggested by Pieter Wuille) is to do a script based<br>
approach. This does not seem to require a lot of effort for<br>
implementing in Bitcoin Core*. Below is my proposal for this system:<br>
<br>
A new structure SignatureProof is added, which is a simple scriptSig &<br>
witnessProgram container that can be serialized. This is passed out<br>
from/into the signer/verifier.<br>
<br>
RPC commands:<br>
<br>
sign &lt;address&gt; &lt;message&gt; [&lt;prehashed&gt;=false]<br>
<br>
Generates a signature proof for &lt;message&gt; using the same method that<br>
would be used to spend coins sent to &lt;address&gt;.**<br>
<br>
verify &lt;address&gt; &lt;message&gt; &lt;proof&gt; [&lt;prehashed&gt;=false]<br>
<br>
Deserializes and executes the proof using a custom signature checker<br>
whose sighash is derived from &lt;message&gt;. Returns true if the check<br>
succeeds, and false otherwise. The scriptPubKey is derived directly<br>
from &lt;address&gt;.**<br>
<br>
Feedback welcome.<br>
<br>
-Kalle.<br>
<br>
(*) Looks like you can simply use VerifyScript with a new signature<br>
checker class. (h/t Nicolas Dorier)<br>
(**) If &lt;prehashed&gt; is true, &lt;message&gt; is the sighash, otherwise<br>
sighash=sha256d(message).<br>
</blockquote></div><br></div></div></div>
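<div dir="auto">Added example, not part of the original thread and not Bitcoin Core code: a verifier-side pre-check that rejects unknown witness versions before any proof is evaluated, together with the sighash rule from footnote (**). The function names, the set of known versions and the sample scripts are assumptions made for the illustration; it covers only the detectable case named in the reply, not soft forks that change rules without a version marker.</div>

```python
import hashlib

# Assumption: witness v0 is the only version this verifier understands.
KNOWN_WITNESS_VERSIONS = {0}

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def message_sighash(message: bytes, prehashed: bool = False) -> bytes:
    # Footnote (**): prehashed means the message already is the sighash.
    if not prehashed:
        return sha256d(message)
    if len(message) != 32:  # assumption: a sighash is a 32-byte digest
        raise ValueError("prehashed message must be 32 bytes")
    return message

def witness_program(script_pubkey: bytes):
    # BIP141: one version opcode (OP_0 or OP_1..OP_16) followed by a single
    # direct push of 2..40 bytes. Returns (version, program) or None.
    if not 4 <= len(script_pubkey) <= 42:
        return None
    op = script_pubkey[0]
    if op == 0x00:
        version = 0
    elif 0x51 <= op <= 0x60:
        version = op - 0x50
    else:
        return None
    if script_pubkey[1] != len(script_pubkey) - 2:
        return None
    return version, script_pubkey[2:]

def precheck(script_pubkey: bytes) -> str:
    # Decide whether the verifier may evaluate a proof for this script at all.
    parsed = witness_program(script_pubkey)
    if parsed is None:
        return "not-witness"  # legacy script, handled by the pre-segwit rules
    version, program = parsed
    if version not in KNOWN_WITNESS_VERSIONS:
        # An old node would treat this as anyone-can-spend, so any "proof"
        # would pass; refuse instead of reporting the signature as valid.
        return "reject-unknown-version"
    if version == 0 and len(program) not in (20, 32):
        return "reject-bad-v0-length"
    return "ok"

# Constructed sample scripts (all-zero hashes, for illustration only).
P2WPKH = bytes([0x00, 0x14]) + bytes(20)
FUTURE_V1 = bytes([0x51, 0x20]) + bytes(32)
P2PKH = bytes.fromhex("76a914") + bytes(20) + bytes.fromhex("88ac")
```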