dominictarr / feedopensource

Iteratively Fund Open Source Projects With Bitcoin
feedopensource.com
MIT License

Feature: associate github user with bitcoin wallet #5

Open dominictarr opened 10 years ago

dominictarr commented 10 years ago

There needs to be a way to associate a github user with a bitcoin wallet, so that the developer knows who has funded what.

There is a simple and secure way to do this, because bitcoin qt wallet has a "sign message" feature, so a user can sign a message that says "I am github.com/{username}" and post it in a comment. Then I can verify that it was signed by the right wallet.

Someone who didn't know {username}'s password would not have been able to post to github as that user, and someone who didn't have control of that bitcoin wallet could not have created the signature.

This idea is described in more depth here: https://github.com/hij1nx/pkp/issues/9

NHQ commented 10 years ago

This binds contributors in two ways, both of which will need to be unbound in another iteration.

The first, to github, is not very onerous, considering GH's reach.

But binding to a specific bitcoin client seems too limiting, especially bitcoin-qt, b/c it downloads the entire blockchain. This may be a barrier to anyone using another client, or to a new btc user who doesn't want the bandwidth/storage costs of bitcoin-qt. There are the obvious manual workarounds, so why not use them until a better, more inclusive solution is made to the problem of identifying backers?

Ideas for a solution:

I love btc as much as you, but access to cash money contributions would perhaps be a more strategic early goal: stripe, venmo, credit cards, amazon payments, etc...

ghost commented 10 years ago

There are some services you can use to manage a wallet as a web app. This is one of them: https://blockchain.info/wallet

I'm in favor of leaving payment processing out of the scope for now because it would create a lot of overhead and centralization up-front. Perhaps a good way to get around that is to publish very clear instructions about how to put money from a credit card into a bitcoin wallet and how to make a transaction.

ralphtheninja commented 10 years ago

I just would like to mention that you don't need any bitcoin client to start receiving bitcoins. All you need is a bitcoin address that you generate with e.g. vanitygen. This is also called cold storage.

NHQ commented 10 years ago

There is also this pure browser offline wallet thing: https://www.bitaddress.org

NHQ commented 10 years ago

@substack I agree about payment processing, and I probably should not have opened that can of ideas yet. What do you think about the problem of verifying backers?

ralphtheninja commented 10 years ago

There's also a new thing called KryptoKit, which is a plugin for chrome http://www.kryptokit.com/

jb55 commented 10 years ago

Code for verifying a signed message from a bitcoin address is implemented in https://github.com/brainwallet/brainwallet.github.com, using code from the bitcoinjs/bitcoinjs-lib library.

Normally this shouldn't be possible because a bitcoin address is simply a hash of the public key. Fortunately ECDSA has a unique feature where you can recover the public key from a signature. Pretty handy:

```
-----BEGIN BITCOIN SIGNED MESSAGE-----
http://github.com/jb55 (bill@casarin.me) owns the address 1jb55g498MEa274Z1YWUXQFxZE5NzvhV7

My transaction:

https://blockchain.info/tx/a70271dc6984b50aec36040a8745e3eaf59a7ca2533a54b94f158fbac5dcc75e
-----BEGIN SIGNATURE-----
1jb55g498MEa274Z1YWUXQFxZE5NzvhV7
G2TMV28WTsiDKl5eeTtWxj1QXdDMe4Ldf/w9jwEhANLU/Y6P21b/i/QSDFk1X9E7cYx2RQPrKAfeqlNvlAnhqPw=
-----END BITCOIN SIGNED MESSAGE-----
```

Verify

Different bitcoin clients sign messages in different ways. The js code I linked handles most of them, I believe.

dominictarr commented 10 years ago

@nhq Yeah, I agree with @substack's point. Right now, this is just about validating the idea of iterative funding for open source. The signing is a bitcoin feature, not a bitcoin-qt feature, but not all wallets have signing.

However, @jb55 sent me a signed message and showed me this: http://brainwallet.org/#sign which is all we want, and it is a pure js wallet generator.

I'm using coinpunk which can also do transactions etc, but not signing (yet). However, that should be really easy.

@NHQ you might be right that it would be better to open this to normal money, but I really want to test whether this is viable with bitcoins, first. Not just to test this idea, but also to test bitcoins.

jb55 commented 10 years ago

@dominictarr Yeah that's the annoying thing, not all clients support signing or easy copy-and-paste access to your private key. Since I created 1jb55g498MEa274Z1YWUXQFxZE5NzvhV7 with vanitygen I had it readily available. Otherwise you would need to export the private keys from your wallet and use the brainwallet signer.

dominictarr commented 10 years ago

Yes, I can see myself making a pull request to add this to @kyledrake's coinpunk, which is also pure js, so an easy move.

SomeoneWeird commented 10 years ago

Please please please don't encourage users to use an online wallet. If need be they can use a thin-client like Electrum and create a specific private key for this, and then export & import everywhere they want to be able to login from.

dominictarr commented 10 years ago

@SomeoneWeird you are right - although coinpunk isn't a traditional online wallet, because the crypto is on the client, not the server. So it could easily be adapted to be a local client: https://github.com/kyledrake/coinpunk/issues/75

SomeoneWeird commented 10 years ago

Sure, but so is blockchain.info's, and people still get regularly hacked because people can download wallets and run offline GPU attacks. Online storage is really a pain with btc because it's pretty much a given that people have powerful graphics cards, which is why we try and constantly warn people about the risks. :)

dominictarr commented 10 years ago

@SomeoneWeird Hmm, so people download other people's encrypted wallets and then brute-force the password? Right - because no one chooses a password that is really that strong...

SomeoneWeird commented 10 years ago

@dominictarr oh, I'm sure most do, it's that most != all. I just looked into coinpunk and you have to actually sign in to download your wallet, so most of this conversation is moot anyway. I'm going to post this around the community to hopefully get some more interest for you :)

ralphtheninja commented 10 years ago

I don't think online wallets are necessarily something bad. Let's face it, there will be a huge demand for online wallets, and people need to learn how to use two-factor authentication, not keep too much money in their wallets, etc. It's just basic operational security that people are not used to dealing with, since they rely on their bank to do it for them.