GPG and OTR integration

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: GPG and OTR integration

Post by biolizard89 »

moa wrote: domob: biolizard:

are you aware of the upcoming "payment protocol" that is being implemented for the bitcoin 0.9 satoshi client?

http://www.pcworld.com/article/2046182/ ... merce.html

It has crossed my mind earlier that the SSL comms they are going to be using will be vulnerable to the well-known compromised CA infrastructure.

I think it would be awesome if namecoin authentication or TLS could be used to secure the bitcoin payment protocol.

... as Gavin has said
Specifically, the payment requests will use X.509 certificates, which underpin SSL (Secure Sockets Layer), which encrypts data traffic between two parties.

While there are many weaknesses in SSL, "it's better than nothing," said Gavin Andresen, chief scientist for The Bitcoin Foundation and lead developer for the Bitcoin-QT client. If a better public key encryption scheme comes along, it can be swapped out in the payment protocol, he said.

"With Bitcoin, we are trying to get things right from the beginning so the payment process is as simple as it possibly can be and still completely secure," Andresen said.

The communication between a customer and company will be performed over SSL and will not be part of the so-called "blockchain," the public ledger that shows bitcoin transactions, Andresen said. The payment protocol will not touch the core code that drives Bitcoin's network.

I'm aware of it, and I agree that Namecoin would be an excellent way to handle this. That said, I think the Bitcoin devs will probably want the Namecoin client to be rebased with the current Bitcoin release (including security fixes) prior to trusting large amounts of money to Namecoin. Once that (fairly large) task is done, I would definitely support proposing this to the Bitcoin devs. (People really should help out khal with that.)
moa wrote: Hmmm, that would be an interesting simplification ... then it probably makes sense to look at the possibilities for using the shared bitcoin/namecoin private keys functionality .... e.g. the bitcoin address of the merchant being derived from same priv key as the namecoin address holding the .bit domain and signing the payment request.

Having the same private key be required for the BTC payment address and the NMC domain holder would probably compromise privacy (as it would prove to the public that the same person owns the NMC domain and the BTC payment address). Using the domain holder's "allowed signer" address to sign a BTC address should be fine though.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

virtual_master
Posts: 541
Joined: Mon May 20, 2013 12:03 pm

Re: GPG and OTR integration

Post by virtual_master »

domob wrote: Not sure I understand your proposal correctly, so sorry if my reply misses your points. Do you mean that verification should find the namecoin identity name automatically based on associated XMPP accounts? This seems like an interesting idea, although I wouldn't want to "rely" on it. How do you prevent someone from creating a fake name containing your XMPP address and the attacker's fingerprints? To be safe, I have to be sure you are indeed the owner of the namecoin identity I use for verification anyway - thus for now my plan is to simply allow manually entering a namecoin identity name and have Pidgin verify the claimed fingerprint against the one stored with it.

You probably studied this issue more deeply, and your original idea is excellent.
I just gave some ideas. If you intend to implement it, your solution would also be excellent and would help a lot.
Maybe I didn't understand all aspects, but I cannot see why entering the XMPP address would be less secure than entering the Namecoin ID.
As you already stated, you need to use a reliable source - the owner should be verified.
If he is not verified, then both methods are compromised to the same extent.
Let's say somebody asserts on the IRC channel that he is a Bitcoin developer and reveals his fake Namecoin ID.
Some could think that because he has a Namecoin ID he is verified, but he needs just 0.02 namecoins to make an ID.
Then some will enter his Namecoin ID in Pidgin, and his associated XMPP address will be found based on it.
He could ask for some donations or give some false news which would influence the Bitcoin courses.
http://namecoinia.org/
Calendars for free to print: 2014 Calendar in JPG | 2014 Calendar in PDF Protect the Environment with Namecoin: 2014 Calendar in JPG | 2014 Calendar in PDF
BTC: 15KXVQv7UGtUoTe5VNWXT1bMz46MXuePba | NMC: NABFA31b3x7CvhKMxcipUqA3TnKsNfCC7S

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am

Re: GPG and OTR integration

Post by domob »

For those interested, I've just successfully verified my first OTR fingerprint in Pidgin with namecoin! :) (The test-identities are id/otr and id/cryptonerd, which contain the fingerprint for my XMPP account.) The code is pushed to my repository mentioned above and now also in the first post for those who are feeling adventurous. Note though that so far there's no UI for the namecoind connection settings, those are hardcoded and you will have to change them in the code if you want to test. It is my next goal to implement a proper UI for those.
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: GPG and OTR integration

Post by biolizard89 »

domob wrote: For those interested, I've just successfully verified my first OTR fingerprint in Pidgin with namecoin! :) (The test-identities are id/otr and id/cryptonerd, which contain the fingerprint for my XMPP account.) The code is pushed to my repository mentioned above and now also in the first post for those who are feeling adventurous. Note though that so far there's no UI for the namecoind connection settings, those are hardcoded and you will have to change them in the code if you want to test. It is my next goal to implement a proper UI for those.

Nice work!

virtual_master
Posts: 541
Joined: Mon May 20, 2013 12:03 pm

Re: GPG and OTR integration

Post by virtual_master »

domob wrote: For those interested, I've just successfully verified my first OTR fingerprint in Pidgin with namecoin! :) (The test-identities are id/otr and id/cryptonerd, which contain the fingerprint for my XMPP account.) The code is pushed to my repository mentioned above and now also in the first post for those who are feeling adventurous. Note though that so far there's no UI for the namecoind connection settings, those are hardcoded and you will have to change them in the code if you want to test. It is my next goal to implement a proper UI for those.

Sounds good.
Unfortunately it is not so easy to check it at the moment.
How is the plugin intended to work? With a namecoind server on the internet with an API which can be used to check IDs? The other way could be very resource intensive with own namecoind in the plugin.

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am

Re: GPG and OTR integration

Post by domob »

virtual_master wrote:
domob wrote: For those interested, I've just successfully verified my first OTR fingerprint in Pidgin with namecoin! :) (The test-identities are id/otr and id/cryptonerd, which contain the fingerprint for my XMPP account.) The code is pushed to my repository mentioned above and now also in the first post for those who are feeling adventurous. Note though that so far there's no UI for the namecoind connection settings, those are hardcoded and you will have to change them in the code if you want to test. It is my next goal to implement a proper UI for those.
Sounds good.
Unfortunately it is not so easy to check it at the moment.
How is the plugin intended to work? With a namecoind server on the internet with an API which can be used to check IDs? The other way could be very resource intensive with own namecoind in the plugin.

Yes of course, it is still in very early development and to test it, you have to compile the code yourself as well as change your connection settings manually. At the moment the code is a fork of the pidgin-otr plugin with Namecoin support added, although the long-term plan is to implement Namecoin as separate plugin that extends the stock pidgin-otr plugin with Namecoin support (according to some ideas I got from the OTR mailing list).

The plugin doesn't have namecoind built in, instead it relies on a namecoind RPC server being available to use. This could in theory be also a foreign host, but will usually mean that you run namecoind on your system. Currently this seems not like a "too heavy" task for me (I run it all the time my computer is on anyway and didn't notice performance hits from that at any time except when starting the daemon up). In theory I could extend the code to talk to nmcontrol, too, which can in turn run on only a static exported dataset AFAIK.

virtual_master
Posts: 541
Joined: Mon May 20, 2013 12:03 pm

Re: GPG and OTR integration

Post by virtual_master »

domob wrote: Yes of course, it is still in very early development and to test it, you have to compile the code yourself as well as change your connection settings manually. At the moment the code is a fork of the pidgin-otr plugin with Namecoin support added, although the long-term plan is to implement Namecoin as separate plugin that extends the stock pidgin-otr plugin with Namecoin support (according to some ideas I got from the OTR mailing list).

The plugin doesn't have namecoind built in, instead it relies on a namecoind RPC server being available to use. This could in theory be also a foreign host, but will usually mean that you run namecoind on your system. Currently this seems not like a "too heavy" task for me (I run it all the time my computer is on anyway and didn't notice performance hits from that at any time except when starting the daemon up). In theory I could extend the code to talk to nmcontrol, too, which can in turn run on only a static exported dataset AFAIK.

You seem to be a very advanced namecoiner. May I ask what namecoind commands you used, and with which namecoind version? name_show?

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am

Re: GPG and OTR integration

Post by domob »

virtual_master wrote:
domob wrote: Yes of course, it is still in very early development and to test it, you have to compile the code yourself as well as change your connection settings manually. At the moment the code is a fork of the pidgin-otr plugin with Namecoin support added, although the long-term plan is to implement Namecoin as separate plugin that extends the stock pidgin-otr plugin with Namecoin support (according to some ideas I got from the OTR mailing list).

The plugin doesn't have namecoind built in, instead it relies on a namecoind RPC server being available to use. This could in theory be also a foreign host, but will usually mean that you run namecoind on your system. Currently this seems not like a "too heavy" task for me (I run it all the time my computer is on anyway and didn't notice performance hits from that at any time except when starting the daemon up). In theory I could extend the code to talk to nmcontrol, too, which can in turn run on only a static exported dataset AFAIK.
You seem to be a very advanced namecoiner. May I ask what namecoind commands you used, and with which namecoind version? name_show?

Honestly, I don't think I am that "advanced". I know how the RPC commands work (and use them for instance also to manage my bitcoin wallet) and how to program, but have for instance never touched the bitcoin/namecoin code base. But with respect to your question, yes, I only need "name_show" for this. (I also use "getinfo" to test that the connection settings are correct.) For NameID, I also need "signmessage" and "verifymessage" (or what it is called exactly). None of my projects deal with actually sending NMC around, so all those commands related to that are not used by them.
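The lookup and comparison discussed in this thread, as an added example that is not part of the original posts or of domob's plugin: it builds the "name_show" request and checks the fingerprint seen in an OTR session against the one stored in the name's value. The "xmpp" and "otr" keys inside the value, the sample reply and the function names are assumptions made for this example.

```python
import hmac
import json
import re

# Constructed sample of a namecoind "name_show" JSON-RPC reply. The layout of
# "value" (the "xmpp" and "otr" keys) is an assumption made for this example.
SAMPLE_REPLY = json.dumps({
    "result": {
        "name": "id/example",
        "value": json.dumps({
            "xmpp": "alice@example.org",
            "otr": "0123ABCD 4567EF01 89AB2345 CDEF6789 0A1B2C3D",
        }),
    },
    "error": None,
    "id": 1,
})


def name_show_request(name):
    """Build the JSON-RPC request body for namecoind's name_show."""
    if not name.startswith("id/"):
        raise ValueError("not an id/ name")
    return json.dumps({"method": "name_show", "params": [name], "id": 1})


def normalize_fp(fp):
    """Return the fingerprint as 40 lowercase hex digits, or None."""
    if not isinstance(fp, str):
        return None
    digits = re.sub(r"\s+", "", fp).lower()
    return digits if re.fullmatch(r"[0-9a-f]{40}", digits) else None


def verify(reply_text, account, session_fp):
    """Compare the fingerprint seen in the OTR session with the stored one."""
    reply = json.loads(reply_text)
    if reply.get("error") or not reply.get("result"):
        return "lookup-failed"
    try:
        value = json.loads(reply["result"]["value"])
    except (KeyError, TypeError, ValueError):
        return "bad-value"
    # The record must name the account we are actually talking to.
    if not isinstance(value, dict) or value.get("xmpp") != account:
        return "account-mismatch"
    stored, seen = normalize_fp(value.get("otr")), normalize_fp(session_fp)
    if stored is None or seen is None:
        return "bad-fingerprint"
    return "match" if hmac.compare_digest(stored, seen) else "MISMATCH"
```

A "match" only shows that the session key agrees with what the name holder published; whether that name belongs to the person you think it does still has to be established out of band, which is the point raised earlier in the thread.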

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am

Re: GPG and OTR integration

Post by domob »

And another update, the code pushed to the repository now contains also a UI for the connection settings plus automatic discovery from namecoin.conf (basically just like the Bitmessage patch). I think it is quite usable now, and all the basic functionality is there. If someone is using Pidgin and wants to experiment a bit, it would be great if I could get some testers. ;) You have to compile the plugin yourself, though, I'm not sure how binaries of Pidgin plugins can be distributed in the best way. It would be especially interesting whether or not the namecoin.conf discovery works also on Windows.

Currently my code is a forked version of the official Pidgin OTR plugin, but the goal for the future is now to add a general architecture to Pidgin OTR that allows for third-party plugins to provide verification methods, and then use that to provide Namecoin as a separate plugin. This strategy is sanctioned by the OTR developers and should allow to maintain the code in the best way.

BTW, so far I have written already three implementations of basic querying for name data: In Python (Bitmessage), Mozilla JavaScript (NameID addon) and now C with Glib. What do you think, would it make sense to copy out the code of all three and provide them in some kind of "namecoin communication library", with more languages added as needed in the future for more similar projects?

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: GPG and OTR integration

Post by biolizard89 »

domob wrote:And another update, the code pushed to the repository now contains also a UI for the connection settings plus automatic discovery from namecoin.conf (basically just like the Bitmessage patch). I think it is quite usable now, and all the basic functionality is there. If someone is using Pidgin and wants to experiment a bit, it would be great if I could get some testers. ;) You have to compile the plugin yourself, though, I'm not sure how binaries of Pidgin plugins can be distributed in the best way. It would be especially interesting whether or not the namecoin.conf discovery works also on Windows.

Currently my code is a forked version of the official Pidgin OTR plugin, but the goal for the future is now to add a general architecture to Pidgin OTR that allows for third-party plugins to provide verification methods, and then use that to provide Namecoin as a separate plugin. This strategy is sanctioned by the OTR developers and should allow to maintain the code in the best way.

BTW, so far I have written already three implementations of basic querying for name data: In Python (Bitmessage), Mozilla JavaScript (NameID addon) and now C with Glib. What do you think, would it make sense to copy out the code of all three and provide them in some kind of "namecoin communication library", with more languages added as needed in the future for more similar projects?

Unfortunately I don't use Pidgin (I use Jitsi for IM; how hard would it be to port the plugin to Jitsi?).

The Namecoin library would be awesome.
