Hi Peter,

tl;dr The problem this solves is "How can a signer verify an address with HD changing the address every time?"

As an aside: (This is sort of explaining the current PR for the 0x01 global field (separate from mine).) The problem is more easily understood with change addresses: If someone can alter my PSBT before signing, they could replace my change address with their address, and my signer would not know unless the signer just guesses all the path sets it knows, then derives thousands of change addresses and searches (most likely a signer is offline, so gap limit doesn't work since we can't tell which change addresses have tx history). So the 0x01 global tag will tell the signer "here's how you get from your master private key to the xpub used in the change output's output BIP32_DERIVATION tag... you can then derive the same key and check it is yours before signing."

Back to my proposal, this problem extends across wallets, since, for example, if I want to send from my cold wallet to my warm wallet, I don't want to give my cold signer my warm master key just so it can derive and check the key. That's what signatures are for.

So this proposal says "A signer can be built to only sign if it sees a signature that itself has signed, then from that signed xpub(s) derives the BIP32_DERIVATION in the outputs, and if the output doesn't match it will reject and not sign." This creates a sort of "chain of trust" for the wallet.

Currently the best way to prevent this (hacker swapping the send-to address) without using signatures is to reuse the same address every time you want to send to the warm wallet, since after a few times, the signers (people) will be able to remember the address. This is a huge HD drawback for high security requirement environments.

Having this data in the PSBT standard will allow Trezor etc. to create an enforceable whitelist feature.

Let me know if you have feedback on the details.

Thanks,
Jon

Fri, 28 Jun 2019, 0:07 Peter D. Gray <pe...@coinkite.com>:
> I haven't studied the new proposal in depth, but my first impression is:
>
> Wouldn't it just be easier and better to just sign the entire "outputs"
> section of the PSBT?
>
> The signature would cover every byte, and therefore would cover any
> future BIP additions to the outputs area, and also help non-multisig
> cases today.
>
> ---
> Peter D. Gray || Founder, Coinkite || Twitter: @dochex || GPG:
> A3A31BAD 5A2A5B10
>

--
-----------------
Jonathan Underwood
bitbank Inc., Chief Bitcoin Officer
-----------------
If you would like to send an encrypted message, please use the public key below.
Fingerprint: 0xCE5EA9476DE7D3E45EBC3FDAD998682F3590FEA3
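The derive-and-compare step Jon describes (the signer re-deriving an output's key from a whitelisted xpub along the path in the output's BIP32_DERIVATION entry and refusing to sign on a mismatch), as an added Python example that is not part of this thread, of BIP174, or of any wallet's firmware. It assumes the xpub's signature has already been verified by the signer (that check is not shown), uses hypothetical function names, and implements BIP32 non-hardened public derivation on secp256k1 from scratch so it runs with only the standard library.

```python
import hashlib
import hmac
# secp256k1 field prime and generator; HARDENED is the BIP32 hardened-index flag
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    # tangent slope when doubling, chord slope otherwise
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P
def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def compress(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")
def decompress(b):
    x = int.from_bytes(b[1:], "big")
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)  # square root, valid as P % 4 == 3
    return x, (y if (y & 1) == (b[0] & 1) else P - y)
def ckd_pub(pubkey, chaincode, index):
    """BIP32 CKDpub: non-hardened child of (compressed pubkey, chain code)."""
    if index >= HARDENED:
        raise ValueError("hardened step cannot be derived from an xpub")
    i = hmac.new(chaincode, pubkey + index.to_bytes(4, "big"), hashlib.sha512).digest()
    child = ec_add(ec_mul(int.from_bytes(i[:32], "big"), G), decompress(pubkey))
    return compress(child), i[32:]

def output_key_is_ours(trusted_xpub, fingerprint, path, output_pubkey):
    """trusted_xpub = (master fingerprint, path prefix, pubkey, chain code) from a
    signature-verified xpub; fingerprint/path come from the output's BIP32_DERIVATION."""
    fp, prefix, key, cc = trusted_xpub
    if fp != fingerprint or tuple(path[:len(prefix)]) != tuple(prefix):
        return False  # not under the whitelisted xpub: refuse to sign
    for step in path[len(prefix):]:
        if step >= HARDENED:
            return False  # an xpub cannot vouch for a hardened child
        key, cc = ckd_pub(key, cc, step)
    return key == output_pubkey
```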
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev