The signing mechanism is a way of proving that a particular message was signed by the holder of an address' private key. A merchant could ask that you sign a message stating where you want your order shipped to, using one of the addresses your payment originated from.
You should sign a statement saying "I, Jane Doe (jane.doe@email.com) sent 1.23 BTC to Acme Corp at 12:34pm, 1st Jan 2012 in payment for product XYZ for delivery to 456 High Street, Anytown, USA".
You shouldn't sign a vague statement saying "yes, I sent that money; send the product to the address I emailed you", because anyone seeing a copy of that signed message can then pass that on to the merchant with his own postal address and get the product you paid for, in the same way as you wouldn't put your signature to a piece of paper saying "I agree to the above" where the above was left blank. The postal address part won't be signed, but perhaps the merchant won't care.
Additionally, it's a good idea to add: a) who you (the sender) are (name, customer id, email, ...), b) who it is intended for (business name, ...), c) time and date. – Pieter Wuille – 2012-04-01T12:28:09.883
If you're really, really paranoid, you can include the transaction ID as well. – David Schwartz – 2012-04-01T18:57:00.957
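An added example, not code from the answer or its commenters, of the checks the answer and the two comments above describe: every fact the merchant acts on (sender, recipient, transaction ID, amount, product, delivery address, time) is placed under the signature, and the merchant refuses a relayed copy whose address was edited, a statement aimed at a different merchant or payment, a stale statement, or one that carries no address at all. Ed25519 from Go's standard library stands in for Bitcoin's secp256k1 signmessage; the statement layout, the field names and `TXID-PLACEHOLDER` are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Statement holds every fact the merchant will act on; all of it is signed.
type Statement struct {
	Sender, Recipient, TxID, Amount, Product, DeliverTo string
	Signed                                             time.Time
}

// Encode is the exact byte string placed under the signature (hypothetical layout).
func (s Statement) Encode() []byte {
	return []byte(strings.Join([]string{s.Sender, s.Recipient, s.TxID, s.Amount,
		s.Product, s.DeliverTo, s.Signed.UTC().Format(time.RFC3339)}, "\n"))
}

// Verify is the merchant-side check: the signature must cover the whole statement,
// which must name this merchant and payment, carry an address, and be recent.
func Verify(pub ed25519.PublicKey, s Statement, sig []byte, merchant, txid string, now time.Time, maxAge time.Duration) error {
	switch age := now.Sub(s.Signed); {
	case !ed25519.Verify(pub, s.Encode(), sig):
		return errors.New("signature does not cover this statement")
	case s.Recipient != merchant || s.TxID != txid:
		return errors.New("statement is for a different merchant or payment")
	case s.DeliverTo == "":
		return errors.New("no delivery address under the signature")
	case age < 0 || age > maxAge:
		return errors.New("statement is stale or post-dated")
	}
	return nil // only now is s.DeliverTo safe to ship to
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	s := Statement{"Jane Doe (jane.doe@email.com)", "Acme Corp", "TXID-PLACEHOLDER",
		"1.23 BTC", "XYZ", "456 High Street, Anytown, USA", time.Now()}
	sig := ed25519.Sign(priv, s.Encode()) // the customer signs the whole statement
	fmt.Println("genuine:", Verify(pub, s, sig, "Acme Corp", "TXID-PLACEHOLDER", time.Now(), time.Hour))
	relayed := s
	relayed.DeliverTo = "789 Other Road, Elsewhere" // same signature, edited address
	fmt.Println("altered:", Verify(pub, relayed, sig, "Acme Corp", "TXID-PLACEHOLDER", time.Now(), time.Hour))
}
```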
While this question is here, let me piggyback and ask for comments on signing one-time nonce values (as is currently implemented for #bitcoin-otc signmessage authentication). Any thoughts on that? It has been proposed by Luke that even nonce values shouldn't be signed without accompanying readable text stating what it is for and a timestamp. Is that a reasonable precaution to take, or are attacks on that pretty far-out in paranoia-land? – nanotube – 2012-06-06T04:09:34.090
"Hi, I want to cancel <Joe's order> and get my refund sent to <nanotube's address>. Here is a token signed to prove I am Joe: <Joe's #bitcoin-otc auth>"
Even if we trust you specifically, it sets a bad precedent for people to sign/accept these. – Luke-Jr – 2012-06-11T02:42:41.493
Luke: well, that can be done regardless of the content of the signed message. Even if it is of the form "DATE, authenticating joe on #bitcoin-otc, NONCE", I can take it and say "hey here's a token signed to prove I'm Joe". – nanotube – 2012-06-11T03:46:11.473