BLIP 0014: add sender authentication #14
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| ``` | ||
| bLIP: 14 | ||
| Title: Sender authentication | ||
| Status: Draft | ||
| Author: Joost Jager <joost.jager@gmail.com> | ||
| Created: 2022-02-04 | ||
| License: CC0 | ||
| ``` | ||
|
|
||
| ## Abstract | ||
|
|
||
| By default, the lightning protocol protects the sender identity by means of | ||
| ephemeral keys and onion routing. There are however use cases that ask for | ||
| inclusion of the sender identity with a payment. | ||
|
|
||
| This bLIP serves to document a way to authenticate the sender of a payment via a | ||
| custom TLV record. | ||
|
|
||
| ## Copyright | ||
|
|
||
| This bLIP is licensed under the CC0 license. | ||
|
|
||
| ## Specification | ||
|
|
||
| Sender: | ||
|
|
||
| * MUST include a TLV record keyed by type `83231` with the following value: | ||
|
|
||
| * [`33*byte`:`sender_pubkey`] | ||
| * [`8*byte`:`timestamp`] | ||
| * [`var length`:`signature`] | ||
|
|
||
| `sender_pubkey` is the public key of the sender. Note that `sender_pubkey` doesn't | ||
| need to be the sender's node public key. It can also be a more general | ||
| identity. | ||
|
|
||
| `timestamp` is the payment initiation time in nano seconds since unix epoch | ||
| (big endian encoded). | ||
|
|
||
| `signature` is a DER-encoded ECDSA signature calculated using `sender_pubkey` | ||
| over a message that is a concatenation of the following fields: | ||
|
|
||
| * `timestamp` (8 bytes) | ||
| * `recipient_pubkey` (33 bytes) | ||
| * `payment_hash` (32 bytes) | ||
| * `payment_secret` (32 bytes) | ||
| * `amount_msat` (8 bytes, big endian) | ||
|
|
||
| For multi-part payments, `amount_msat` is the total amount of the set. The | ||
| value of the TLV record MUST be identical for all parts. | ||
|
|
||
| Receiver: | ||
|
|
||
| * MUST verify that `signature` is valid and produced using `sender_pubkey`. | ||
|
|
||
| * SHOULD verify that `timestamp` is not unreasonably long ago. Suggested cut-off is | ||
| one hour. | ||
|
|
||
| * If verification fails, SHOULD error with | ||
| `PERM|15 incorrect_or_unknown_payment_details`. | ||
|
|
||
| ## Motivation | ||
|
|
||
| Example use cases: | ||
|
|
||
| * A donation payment where the donor wants to make themselves known. | ||
|
There was a problem hiding this comment. Is a signature the best way to do this? Vs, eg, just shoving a name in the TLV? I guess its a question of what you're trying to make known - trying to prove that a given public key sent the funds seems like a somewhat strange use-case, but, sure. There was a problem hiding this comment. Yes agreed. I am brainstorming a bit here to see what use cases make sense. There was a problem hiding this comment. FYI I currently have a proprietary TLV that is just sending a simple non-authenticated name to the receiver, which I intend to make a BLIP of. https://github.com/hsjoberg/blixt-wallet/blob/c79cc4b9e3532400cfd648047f132eb35f10fdf4/src/utils/constants.ts#L5 It could make sense to expand this BLIP to cover various use-cases (akin to how LNURL's LUD-18 payerid works) |
||
|
|
||
| * Regulated custodial wallets that can offer higher receive limits for payments | ||
|
There was a problem hiding this comment. I mean I guess we'd all be incredibly depressed to see anyone actually deploy this proposal for something like this. Shouldn't we instead push people to use invoices for this? There was a problem hiding this comment. Regulated custodial wallets may not be allowed to accept unlimited deposits from unknown sources. An invoice doesn't help with additional information on the origin of the payment? There was a problem hiding this comment. This doesn't prove origin, either, this is a signature from a public key. That could totally come from a third party node as much as they could come from the sender. There was a problem hiding this comment. Also true. It doesn't prove the origin, but if you know that the owner of a particular key uses it exclusively to sign their own outgoing payments it does help with this use case? There was a problem hiding this comment. Let's say you use a custodial wallet that allows a max of 500 euro/day in lightning deposits and you want to receive your 1000 euro monthly-paid salary via lightning. Adding your employer's public key to the custodial wallet's allow list raises the limit and allows you to receive that payment. There was a problem hiding this comment. Although the question here is again how this can be done spontaneously and whether https://github.com/fiatjaf/lnurl-rfc/blob/luds/18.md would be a better choice. There was a problem hiding this comment.
Right, but you'd also need your employer to configure their node to send this kind of signature to the counterparty when sending a keysend payment, which hopefully will never be an automatic thing. If you want to steelman this use-case I think it'd be the kind of travel-rule nonsense folks deal with today (though that's currently only withdraws, not deposits), where a regulated institution needs legal assurance the recipient of a payment is not a regulated financial institution (or if it is, which one). In that context, you could argue that regulated institutions could use this to prove to recipients that they are the ones who sent it, though that sadly doesn't fulfill the travel rule obligations, but it could help. |
||
| originating from specific sources. | ||
|
|
||
| * Lightning deposits to an exchange where the exchange automatically credits the | ||
|
There was a problem hiding this comment. Wouldn't this be simpler by just exposing an invoice? There was a problem hiding this comment. This would also work with keysend/AMP. There was a problem hiding this comment. Yes, that doesn't mean we should encourage people to use keysend+sender auth over an invoice, especially for exchange deposits, where proof-of-payment is really important :). There was a problem hiding this comment. Good point. I appreciate that you take the effort to kill my use cases :) |
||
| correct account based on the sender identity. | ||
|
|
||
| There are many ways to authenticate the sender of a payment in Lightning. This | ||
| documentation is an attempt to prevent the emergence of too many variants that | ||
| all do more or less the same thing. | ||
|
|
||
| ## Rationale | ||
|
|
||
| * The TLV record key is an odd number, meaning that the record is ignored by | ||
| receivers that do not support sender authentication. No feature bit is needed. | ||
|
|
||
| * It is possible to recover the public key from an ECDSA signature, so strictly | ||
| speaking `sender_pubkey` is redundant. Note that with Schnorr signatures, recovery is no | ||
| longer possible. | ||
|
|
||
| * It is undesired that a signature can be reused in any way. Therefore all of | ||
| the identifying payment properties are covered by the signature. | ||
|
|
||
| ## Test vectors | ||
|
|
||
| TBD | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe go for Schnorr right from the start so that we can use musig?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The downside is that it is not so easy to do simple signing with the ECDSA node key anymore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess it depends a lot on the specific use-cases here. Its still somewhat unclear to me what the intended use-case is here.