On 14 March 2018 5:46:55 AM GMT-04:00, Kalle Rosenbaum via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote: >Thank you. > >I can't really see from your proposal if you had thought of this: A >soft >fork can make old nodes accept invalid message signatures as valid. For >example, a "signer" can use a witness version unknown to the verifier >to >fool the verifier. Witness version is detectable (just reject unknown >witness versions) but there may be more subtle changes. Segwit was not >"detectable" in that way, for example. > >This is the reason why I withdrew BIP120. If you have thought about the >above, I'd be very interested. > >/Kalle > >Sent from my Sinclair ZX81 > >Den 14 mars 2018 16:10 skrev "Karl Johan Alm via bitcoin-dev" < >bitcoin-dev@lists.linuxfoundation.org>: > >Hello, > >I am considering writing a replacement for the message signing tools >that are currently broken for all but the legacy 1xx addresses. The >approach (suggested by Pieter Wuille) is to do a script based >approach. This does not seem to require a lot of effort for >implementing in Bitcoin Core*. Below is my proposal for this system: > >A new structure SignatureProof is added, which is a simple scriptSig & >witnessProgram container that can be serialized. This is passed out >from/into the signer/verifier. > >RPC commands: > >sign <address> <message> [<prehashed>=false] > >Generates a signature proof for <message> using the same method that >would be used to spend coins sent to <address>.** > >verify <address> <message> <proof> [<prehashed>=false] > >Deserializes and executes the proof using a custom signature checker >whose sighash is derived from <message>. Returns true if the check >succeeds, and false otherwise. The scriptPubKey is derived directly >from <address>.** > >Feedback welcome. > >-Kalle. > >(*) Looks like you can simply use VerifyScript with a new signature >checker class. (h/t Nicolas Dorier) >(**) If <prehashed> is true, <message> is the sighash, otherwise >sighash=sha256d(message). >_______________________________________________ >bitcoin-dev mailing list >bitcoin-dev@lists.linuxfoundation.org >https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Wouldn't it be sufficient for old nodes to check for standardness of the spending script and report non-standard scripts as either invalid outright, or at least highly questionable? That should prevent confusion as long as soft forks are only making nonstandard behaviours invalid. Cheers, aj -- Sent from my phone. _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
