[Bitcoin-development] Draft BIP for seamless website authentication using Bitcoin address

Gavin Andresen gavinandresen at gmail.com
Fri Apr 4 13:32:40 UTC 2014

Using a bitcoin address repeatedly is something we're trying to move away

And using a bitcoin address as a persistent identity key feels like the
wrong direction to me.

Better to use something like client certificates, the FIDO alliance's
(new!) specs:

... or Steve Gibson's proposed SQRL system:

If one of those systems gets critical mass and actually starts being
successful, then I think it would make sense to specify a standard way of
using a HD wallet's deterministic seed to derive a key used for the FIDO or
SQRL systems.

On Fri, Apr 4, 2014 at 9:22 AM, Eric Larchevêque <elarch at gmail.com> wrote:

> What I'm trying to achieve, is to have a very simple way of authenticating
> yourself with one Bitcoin address from your wallet.
> For most of the people using Bitcoin, their wallet is on their phone.
> The UX is clear and simple :
> 1. click on "connect with Bitcoin" (the audience is normal people)
> 2. flash the QRcode with your wallet (blockchain.info, mycelium, ...)
> 3. accept the authentication request (same style than OpenID or Facebook
> connect)
> 4. user is autologged and identified by the chosen Bitcoin public address
> It makes sense only if major wallets are supporting the protocol. If you
> need to install a plugin or download a third party software, no one will do
> it.
> I see only benefits for the entire ecosystem, and if I'm working on such a
> proposition it is because I really need this feature.
> Of course, it can be done without a BIP, I just need to convince wallet
> developpers one by one to implement the feature.
> But I thought it was much better to start the "official" way, so all
> wallet could easily find and implement the same authentication mechanism.
> >  Bitcoin and website authentication are unrelated problems
> I respectfully disagree. Many services require your Bitcoin address, and
> to do that they artificially request an email/password to store it.
> This is not about authentication as an identity (as "I'm Eric
> Larcheveque"), but as in "I'm proving to you that I control this address".
> Without such a standard protocol, you could never envision a pure Bitcoin
> physical locker rental, or booking an hotel room via Bitcoin and opening
> the door through the paying address.
> Eric
> On Fri, Apr 4, 2014 at 3:08 PM, Mike Hearn <mike at plan99.net> wrote:
>> This comes up every few months. I think the problem you are trying to
>> solve is already solved by SSL client certificates, and if you want to help
>> make them more widespread the programs you need to upgrade are web browsers
>> and not Bitcoin wallets. There are certainly bits of infrastructure you
>> could reuse here and there, like perhaps a TREZOR with a custom firmware
>> extension for really advanced/keen users, but overall Bitcoin and website
>> authentication are unrelated problems.
>> On Fri, Apr 4, 2014 at 2:15 PM, Eric Larchevêque <elarch at gmail.com>wrote:
>>> Hello,
>>> I've written a draft BIP description of an authentication protocol based
>>> on Bitcoin public address.
>>> By authentication we mean to prove to a service/application that we
>>> control a specific Bitcoin address by signing a challenge, and that all
>>> related data and settings may securely be linked to our session.
>>> The aim is to greatly facilitate sign ups and logins to services and
>>> applications, improving the Bitcoin ecosystem as a whole.
>>> https://github.com/bitid/bitid/blob/master/BIP_draft.md
>>> Demo website :
>>> http://bitid-demo.herokuapp.com/
>>> Classical password authentication is an insecure process that could be
>>> solved with public key cryptography. The problem is that it theoretically
>>> offloads a lot of complexity and responsibility on the user. Managing
>>> private keys securely is complex. However this complexity is already being
>>> addressed in the Bitcoin ecosystem. So doing public key authentication is
>>> practically a free lunch to bitcoiners.
>>> I've formatted the protocol description as a BIP because this is the
>>> only way to have all major wallets implementing it, and because it
>>> completely fits in my opinion the BIP "process" category.
>>> Please read it and let me know your thoughts and comments so we can
>>> improve on this draft.
>>> Eric Larcheveque
>>> elarch at gmail.com
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Bitcoin-development mailing list
>>> Bitcoin-development at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
> ------------------------------------------------------------------------------
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development

Gavin Andresen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140404/a545ece6/attachment.html>

More information about the bitcoin-dev mailing list