> That's expected behaviour - except it's mainly be manipulated by *users*, not
> viruses (which can just as easily manipulate whatever custom cert store we
> use).

The point of using signed invoices as virus protection isn't to change what the user sees on the infected host. The point is the invoice can be relayed to a second device that isn't also compromised which then independently renders a payment confirmation screen (like your mobile phone), and it has an identifier in it that's useful to people, like bitmit.net instead of an address. If it was just showing you a Bitcoin address, that doesn't mean anything to you so a virus on your PC could wait until you want to make a large payment somewhere and swap out the address in use. You'd never know it was the wrong address and you'd happily confirm on your second device.

For this to work, the seller has to be able to predict what certs you have in all your devices. If it's up to the OS vendors then it's hard to know and in practice all that'll happen is somebody will compile a list of CAs that are "known good" (i.e., present in all deployed mobile and desktop OSes) and that'll be the minimal cert list. No different to if it was hard-coded in the spec.

> If I don't trust Joe's certs, I don't want Bitcoin overriding that no
> matter who Joe is or what connections he has.

Nothing says your wallet software can't provide cert management UI like browsers do. In practice I have a feeling that cert management UI is one of the least used parts of a browser. I've used browsers for years and the only time I've ever had to go into those screens was to manage installation/removal of self-signed certs used by various organizations. I never manually revoked a root authority. When it was necessary due to breaches (Comodo/DigiNotar) the browser makers revoked them for me.

_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
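
The second-device check described in the message above, as an added example that is not part of the original post or of any wallet's code: the device verifies the certificate against its own trust store, then the invoice signature, and only then shows the merchant name. Lamport one-time signatures stand in for real X.509 signatures so it runs on the Python standard library alone; the CA name, addresses and all function names are assumptions.

```python
import hashlib, secrets

def H(b): return hashlib.sha256(b).digest()

# Lamport one-time signature: a stdlib-only stand-in (assumption) for the
# certificate signatures a real wallet would check. One key signs one message.
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def cert_body(name, pk):   # the CA signs the name bound to a key fingerprint
    return name.encode() + b"|" + H(b"".join(h for pair in pk for h in pair))

def issue_cert(ca_name, ca_sk, name, pk):
    return {"issuer": ca_name, "name": name, "pk": pk,
            "sig": sign(ca_sk, cert_body(name, pk))}

def invoice_body(inv):
    return f"{inv['address']}|{inv['amount']}".encode()

def make_invoice(sk, cert, address, amount):
    inv = {"address": address, "amount": amount, "cert": cert}
    inv["sig"] = sign(sk, invoice_body(inv))
    return inv

def confirm_on_second_device(inv, trust_store):
    """Return the confirmation text to display, or None to reject the invoice."""
    c = inv["cert"]
    issuer_pk = trust_store.get(c["issuer"])  # None: CA not shipped on this device
    if issuer_pk is None or not verify(issuer_pk, cert_body(c["name"], c["pk"]), c["sig"]):
        return None
    if not verify(c["pk"], invoice_body(inv), inv["sig"]):
        return None                           # address or amount was altered
    return f"Pay {inv['amount']} BTC to {c['name']}"

# Constructed sample data: the CA name and both addresses are placeholders.
ca_sk, ca_pk = keygen()
m_sk, m_pk = keygen()
cert = issue_cert("ExampleCA", ca_sk, "bitmit.net", m_pk)
invoice = make_invoice(m_sk, cert, "1MerchantAddrPLACEHOLDER", 5)
swapped = dict(invoice, address="1OtherAddrPLACEHOLDER")  # altered on the PC
```

The empty-trust-store case is the seller's problem from the second paragraph: a valid invoice is still rejected on a device that does not carry the issuing CA.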