00:22:07 | thufir: | Eliel: i think there are essentially 2^256 different valid ones, not just one |
00:26:16 | sipa: | for ECDSA, just one |
00:27:27 | sipa: | but read BIP62, there are many ways through which a transaction can be malleated that does not rely on ECDSA malleability |
00:42:45 | hhogan420: | i concur |
00:43:27 | hhogan420: | if anything the bullet point summary was a really important takeaway for understanding malleability 'vectors' |
00:43:38 | hhogan420: | (from BIP62) |
02:39:30 | Sub|afk: | Sub|afk is now known as SubCreative |
03:10:15 | rusty: | Hmm, would it ease enforcement of low-s-value normalized txs if bitcoin core flipped non-conformant signatures? A bit weird, of course, to normalize other peoples transactions... |
03:11:04 | phantomcircuit: | rusty, there's nodes that add null padding |
03:11:04 | phantomcircuit: | so why not |
03:11:44 | rusty: | phantomcircuit: null padding? |
03:12:04 | sipa: | rusty: i don't think it would help |
03:12:24 | phantomcircuit: | openssl didn't correctly enforce the DER minimum encoding rules until very recently |
03:12:28 | sipa: | enforcement is about being sure that no malleated form enters the blockchain |
03:12:43 | sipa: | phantomcircuit: it also did not intend to |
03:12:50 | phantomcircuit: | so you were free to add null padding since it was BER |
03:13:05 | phantomcircuit: | sipa, the function names indicate someone at some point intended to |
03:13:14 | phantomcircuit: | d2i and such |
03:13:38 | sipa: | well they have a fully fledged BER decoder |
03:13:42 | rusty: | sipa: sure, so you start with making them non-standard (but do the normalized step first), then later at some point soft-fork to make them invalid. |
03:13:55 | phantomcircuit: | (btw they didn't fix the actual decoder, they merely do a decode/encode/compare) |
03:14:11 | phantomcircuit: | sipa, sure but that is a super set of a der decoder |
03:14:26 | sipa: | rusty: that would hurt wallets more than just making it opt-in |
03:15:07 | sipa: | phantomcircuit: if the intention was not supporting full ber, they could have used 10 times less code |
03:15:26 | phantomcircuit: | to be fair i wouldn't suggest they actually fix the DER functions since it's such a mess of macros |
03:15:48 | sipa: | i am pretty sure that the intention was supporting full ber on decoding |
03:16:06 | phantomcircuit: | sipa, i was under the impression that DER is simply the minimal encoding of BER |
03:16:16 | sipa: | indeed |
03:16:16 | phantomcircuit: | is that wrong? |
03:16:19 | rusty: | sipa: by making it opt-in, you're suggesting some kind of "normalized-only" sighash flag? |
03:16:31 | sipa: | rusty: i am suggesting bip 62 :) |
03:17:09 | sipa: | normalizing sighashes is not avoiding malleability... it is making malleability harmless |
03:17:44 | sipa: | bip 62 provides an opt-in way to have consensus rule enforce a single encoding of a transaction |
03:18:03 | sipa: | but bip62 does not protect against a sender re-signing |
03:19:57 | rusty: | sipa: Thanks, I missed that nuance when I read "but it cannot be enforced in the network currently because it would break existing wallets." from gmaxwell in earlier logs. |
03:20:25 | phantomcircuit: | sipa, so it looks like DER is strictly a subset of BER with a bunch of encoding constraints intended to maintain 1:1 value:encoding mapping |
03:21:09 | sipa: | yup |
03:21:16 | sipa: | D = distinguished |
03:21:48 | phantomcircuit: | so what |
03:22:06 | phantomcircuit: | someone implemented BER because they didn't understand the purpose of DER? |
03:22:10 | sipa: | no |
03:22:26 | phantomcircuit: | the decoding function names seem to indicate they intended them to use DER at some point |
03:22:28 | sipa: | i am pretty sure that the intention was supporting full ber |
03:22:50 | phantomcircuit: | that's mad |
03:23:02 | sipa: | even if the standard says using der |
03:23:24 | sipa: | one would want to support more than strictly necessary on input |
03:23:43 | sipa: | that was fashionable at some point |
03:23:58 | sipa: | be strict on output, not strict on input |
03:24:20 | rusty: | sipa: a-la Postel |
03:24:41 | phantomcircuit: | sipa, ichy |
03:24:54 | sipa: | * sipa scratches |
03:25:02 | phantomcircuit: | ichy not itchy... |
03:25:07 | sipa: | ah |
03:25:13 | phantomcircuit: | i can see that in non security things |
03:25:20 | sipa: | yup |
03:25:25 | sipa: | but even then |
03:25:40 | sipa: | it makes behaviour unpredictable |
03:26:59 | phantomcircuit: | sipa, sure but for example a date field on some website accepting 2015-03-13 and 03/13/15 |
03:27:07 | phantomcircuit: | seems reasonable (note not 03/03/15 ...) |
03:27:40 | phantomcircuit: | ok so maybe bad example... |
03:28:46 | sipa: | even for unix tools etc |
03:29:11 | sipa: | it results in differences between different platforms/implementation |
03:29:48 | sipa: | at least for DER it was well defined what the "correct" subset was supposed to be |
03:30:12 | sipa: | but how many people here have actually read the DER standard? :) |
03:31:19 | rusty: | sipa: using DER/BER was weird in the first place though. Two 32-byte integers would have been simpler and more optimal. |
03:31:30 | thufir: | why not just serialize the numbers as straight forward as possible? why use their purposely convoluted standards? |
03:31:35 | thufir: | heh, exactly! |
03:32:09 | sipa: | thufir: ask satoshi |
03:32:25 | sipa: | i don't think anyone disagrees with this |
03:32:40 | sipa: | but change is ridiculously hard |
03:32:41 | thufir: | ok, i'll get around to it ;) |
03:32:54 | thufir: | yea, true. so that is the answer then, hehe |
03:33:49 | phantomcircuit: | rusty, there is virtually zero documentation on what the openssl signature structure is |
03:34:14 | sipa: | the code is self-documenting! |
03:34:17 | phantomcircuit: | (like 90% of openssl) |
03:34:22 | thufir: | my proposed DER replacement: http://pastebin.com/VvzyRTPB |
03:34:52 | phantomcircuit: | sipa, yeah like how the d2i functions are defined by macros at compile time and are roughly impossible to find |
03:34:58 | sipa: | thufir: we're not using rsa |
03:35:16 | thufir: | yes of course, adapt it. mostly a joke on how silly it is to use der/whatever. |
03:35:38 | sipa: | oh, sure, fully agree there |
03:38:47 | thufir: | you know, i looked at implementing either TLS or SSH-TRANSPORT in my project. I went with SSH because it took me a couple weeks to do it from scratch from RFCs. Looking at TLS, it would take me a year, and most of that would be implementing the crazy encoding of the certificates. that is practically a turing complete language unto itself. complication is bad, i think put there on purpose. more surface area for bugs. |
03:40:54 | thufir: | ie, the biggest surface area of attack in my opinion on TLS is the encoding of the certs. encoding. so change is hard, but, keep that in mind is all. |
03:43:06 | thufir: | not saying at all satoshi did. he was pragmatic and chose what tools were available to get 'er done. |
03:51:20 | phantomcircuit: | thufir, SSH-TRANSPORT being the ssh protocol itself or some sort of transit over ssh using the openbsd ssh-client ? |
03:51:32 | phantomcircuit: | i wouldn't suggest reimplementing ssh either... |
03:52:23 | thufir: | in the rfcs it's broken up into SSH-AUTH, SSH-TRANSPORT, and SSH-CONNECT, essentially the SSH auth, encryption, integrity, and multiplexing |
03:53:01 | thufir: | basically the best damn p2p protocol now thanks to python asyncio and my python asyncio ssh implementation. |
03:53:48 | thufir: | i needed a high performance encrypted p2p library. i didn't want to 'invent it myself' and fail at security, so i followed the rfcs. it's cool because i can ssh into my program with openssh :) |
03:54:59 | thufir: | i would have used paramiko, but as I said, i needed a high perf one, so async io. twisted is twisted, so yea :) |
03:55:36 | thufir: | i'll release it lgpl in a few weeks along with my gpl program |
20:59:30 | tepper.freenode.net: | topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja |
22:21:59 | spinza_: | spinza_ is now known as spinza |