Lashing the bitcoin ecosystem to the sinking ship that is the existing PKI will sink it

[sneak]

The PKI sucks. The value of bitcoin (and, more importantly, the bitcoin ecosystem) is the decentralized nature.

I understand the desire to have signed payment requests, but then you run aground of the whole key verification problem, which the PKI, if it were to work, solves nicely.

Unfortunately, it does not. Limiting to the EV CA roots doesn't solve this problem. You also open up a whole 'nother can of worms with OCSP as you noted in the gist.

Please, please, don't tie any part of bitcoin or the bitcoin ecosystem to the sinking ship that is the existing PKI.

If you must, generate the protocol and the user keys and prepare for the day when DNSSEC is more widely deployed so that users may publish their own certs in authenticated dns using something like DANE.

[gavinandresen]

If you must, generate the protocol and the user keys and prepare for the day when DNSSEC is more widely deployed so that users may publish their own certs in authenticated dns using something like DANE.

Hmm? We've done exactly that; the payment protocol is designed so we can jettison the X.509/CA system for DNSSEC/DANE as soon as it is practical.

Gavin Andresen

[sneak]

That's excellent.

The smaller problem still remains that you are taking something widely regarded as being strong and decentralized, and implementing a de-facto standard (or "officially blessed" or whatever) payment protocol that relies on the corporate, centralized, broken, dodgy, historically expensive, and government-subverted PKI.

I'm sure we all hope that changes in the future, but that's what you're proposing today.... and it feels like a step backward.