Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace BIP 21 with a new BIP containing information about more modern usage of it #1555

Open
wants to merge 13 commits into
base: master
Choose a base branch
from

Conversation

TheBlueMatt
Copy link
Contributor

As Bitcoin has grown, the introduction of new address formats describing new forms of payment instructions has become increasingly fraught with compatibility issues. Not only does there exist traditional on-chain addresses, but some recipients wish to receive Lightning (when the sender supports it) or newer formats such as Silent Payments.

This has led to increasing use of the BIP 21 query parameters to encode further optional payment instructions.

Looking forward, as new payment instructions get adopted, it makes much more sense to include them in query parameters rather than replace the existing address field, ensuring compatibility with senders and recipients who may or may not be upgraded to support all the latest payment instructions.

This updates BIP 21 to suggest that future address formats do this.

Further, it updates BIP 21 to allow an empty bitcoin address in cases where new payment instructions have moved to becoming mandatory. This isn't a backwards-incompatible change any more than switching to a new address format is, so doesn't impact existing BIP 21 implementations in a new way, however provides a nice conclusion to the query-parameter-based upgrade path - once a form of payment instructions has broad adoption, senders can simply drop the existing address field, keeping their existing query parameter encoding, rather than replace the existing address field. It also addresses the question of what to do if a wallet no longer wishes to receive some legacy on-chain address, but has multiple payment instruction formats that they wish to include - deciding which one to place in the address field would be a difficult task.

@josibake
Copy link
Member

josibake commented Mar 4, 2024

(Background discussion for context: https://delvingbitcoin.org/t/revisiting-bip21/630)

Thanks for starting this! Conceptually, I agree with the updates but I think we can get a bigger win by advising the use of HRPs directly instead of key-value pairs. The benefits of this approach are:

  • Better taproot support: using HRPs directly would allow us to construct backwards compatible taproot URIs of the form bitcoin:bc1q...?bc1p...=o / bitcoin:bc1q...?bc1p...
  • Support for future payment instructions: any new payment protocol that encodes their payment instructions using bech32m can be included directly, e.g. bitcoin:bc1q...?newprotocol1<bech32m encoded data>=o
  • Existing unified QR codes can be made smaller: following an upgrade period to allow clients to update, we would be able to create URIs bitcoin:bc1q...?lnbc1...=o (instead of ?lightning=lnbc1...) and fully static URIs bitcoin:sp1q...?lno1...=o

For senders, this simplifies implementing support for new address types in that clients can implement support for a generic BIP21 URI using HRPs as keys. As the client supports new bech32m encoded addresses, they are supported automatically without any additional changes.

Clients would still need to support new payment instructions that instead decided to use a query parameter, but I would expect most (if not all) clients to prefer bech32m encodings now that they get BIP21 support for free.

I wrote a rough draft here, feel free use / modify as needed if you find it useful: josibake@07339bd

@TheBlueMatt
Copy link
Contributor Author

Better taproot support: using HRPs directly would allow us to construct backwards compatible taproot URIs of the form bitcoin:bc1q...?bc1p...=o / bitcoin:bc1q...?bc1p...

I think this ship has sailed, but K/V-vs-no-K has no impact on this. We could do bitcoin:bc1q...?taproot=bc1p. or whatever just fine. Ultimately its probably too late to update how any taproot anything appears in QR codes/URIs.

Support for future payment instructions

This is similarly untrue, the only difference is it reduces the characters used for future instructions, but whether it supports future instructions or not, both do.

Existing unified QR codes can be made smaller: following an upgrade period to allow clients to update, we would be able to create URIs bitcoin:bc1q...?lnbc1...=o (instead of ?lightning=lnbc1...) and fully static URIs bitcoin:sp1q...?lno1...=o

Indeed, we can save a few characters here or there. I think the ship has similarly sailed for BOLT 11, but of course we can do something different for BOLT 12.

Ultimately I think the only difference between the two proposals are:

  • Skipping the key has slightly less bytes in the QR code, which helps very slightly on the margin.
  • Skipping the key means parsing is a bit trickier if/when we have some new payment instructions that don't use bech32m - do clients need to check the bech32m checksum for unknown payment instruction types? What do they do if its wrong? What happens when someone (without thinking) defines some payment instructions that match a bech32m HRP spuriously (but I guess probably the checksum would be wrong?). These should all be written out and considered if we want to go this path.

I think the right approach here is the simpler one, but there's not a really strong reason to prefer either over the other, honestly.

@josibake
Copy link
Member

josibake commented Mar 7, 2024

This is similarly untrue, the only difference is it reduces the characters used for future instructions, but whether it supports future instructions or not, both do.

No, they are not the same. This is especially relevant if wallets are using a BIP21 library: my wallet supports new address type abc1xxxx, which (according to your proposal) also gets a abc key defined (i.e. abc=abc1xxx. My wallet can parse the address but since my BIP21 library I am using hasn't added support for the new key, I am unable to parse these URIs. With my proposal of allowing bech32m encoded addresses to be used without a key, everything Just Works.

Skipping the key means parsing is a bit trickier if/when we have some new payment instructions that don't use bech32m - do clients need to check the bech32m checksum for unknown payment instruction types? What do they do if its wrong? What happens when someone (without thinking) defines some payment instructions that match a bech32m HRP spuriously (but I guess probably the checksum would be wrong?). These should all be written out and considered if we want to go this path.

I'm not really sure what you're getting at here? My proposal is that any new payment addresses must use bech32m if they want to be used without a key, otherwise they must define a key. Everything you just mentioned was predicated on the assumption "what if they don't use bech32m and don't define a key," which means they wouldn't be following the spec.

@TheBlueMatt
Copy link
Contributor Author

No, they are not the same. This is especially relevant if wallets are using a BIP21 library: my wallet supports new address type abc1xxxx, which (according to your proposal) also gets a abc key defined (i.e. abc=abc1xxx. My wallet can parse the address but since my BIP21 library I am using hasn't added support for the new key, I am unable to parse these URIs. With my proposal of allowing bech32m encoded addresses to be used without a key, everything Just Works.

That applies both to a K/V parameter and a non-K/V parameter equally - there's really no difference here. A BIP21 parsing library should pass all parameters that it doesn't know.

I'm not really sure what you're getting at here? My proposal is that any new payment addresses must use bech32m if they want to be used without a key, otherwise they must define a key. Everything you just mentioned was predicated on the assumption "what if they don't use bech32m and don't define a key," which means they wouldn't be following the spec.

Ah, okay, I misunderstood the proposal. I'm not really super excited to bake "future addresses will use bech32m" into the spec in that way, because at some point we're gonna want "bech32n" or some other encoding (which would make sense for stuff that's only in QR codes as you could get the QR a bit denser) and then we'll be back having this same discussion, except now we have to shove everything in K/V pairs because we restricted non-K/V pairs to bech32m-only.

@josibake
Copy link
Member

josibake commented Mar 7, 2024

I'm not really super excited to bake "future addresses will use bech32m" into the spec in that way, because at some point we're gonna want "bech32n"

While certainly not perfect, I think this is better than the alternative of whitelisting a set of addresses that are allowed in a root in this BIP and requiring new formats to specify extension keys. My proposal gives us a way to specify a taproot address in a backwards compatible way, it allows for clients to save space by not needing to redundantly specify hrp=hrp..., leaves open the possibility for implementations to move to use the BOLT11 HRP directly to save space, and provides some future proofing for new address formats insomuch as bech32m continues to be the standard.

@TheBlueMatt
Copy link
Contributor Author

While certainly not perfect, I think this is better than the alternative of whitelisting a set of addresses that are allowed in a root in this BIP and requiring new formats to specify extension keys. My proposal gives us a way to specify a taproot address in a backwards compatible way, it allows for clients to save space by not needing to redundantly specify hrp=hrp..., leaves open the possibility for implementations to move to use the BOLT11 HRP directly to save space, and provides some future proofing for new address formats insomuch as bech32m continues to be the standard.

To be clear, I think we should "whitelist the set of addresses that are allowed in the root" either way. IMO it was a (now-clear) mistake to have taproot at the root rather than in a parameter. Whether we go with K/V or not-K/V we still want to have all future address types in parameters rather than the URI root (and eventually basically phase out the URI root entirely, or at least make it taproot-only).

@josibake
Copy link
Member

josibake commented Mar 8, 2024

To be clear, I think we should "whitelist the set of addresses that are allowed in the root" either way.

Effectively, this is what you get with my proposal:

The bitcoinaddress body MUST be either a legacy base58 address (P2PKH, P2SH), or a bech32(m) encoded address. Future address formats that do not use bech32m encoding MUST instead be placed in query keys. Query keys SHOULD be defined by the respective BIP for the new address format.

The only distinction is newer bech32m address types can also be placed in the root. If you're planning to allow bitcoin:?hrp=hrpxxx...&anotherhrp=anotherhrpxxx&amount=<>, that's exactly the same as bitcoin:hrpxxx...?anotherhrpxxx&amount=<>, just more compact.

@TheBlueMatt
Copy link
Contributor Author

Effectively, this is what you get with my proposal:

This is unrelated to the K/V/no-K/V discussion. We can get it either way.

The only distinction is newer bech32m address types can also be placed in the root.

I don't think we should allow this. It would be nice to only have one place to look for a given address type.

@murchandamus
Copy link
Contributor

I noticed that there is another pending PR that seeks to amend BIP21 #1394. At first glance, it seems like the change suggested there could be incorporated here.

@@ -39,7 +39,7 @@ Elements of the query component may contain characters outside the valid range.

(See also [[#Simpler syntax|a simpler representation of syntax]])

bitcoinurn = "bitcoin:" bitcoinaddress [ "?" bitcoinparams ]
bitcoinurn = "bitcoin:" [ bitcoinaddress ] [ "?" bitcoinparams ]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have not been following, but did you consider rejecting empty string after colon, and removing unnecessary interrogation character?

Suggested change
bitcoinurn = "bitcoin:" [ bitcoinaddress ] [ "?" bitcoinparams ]
bitcoinurn = "bitcoin:" ( bitcoinaddress [ "?" bitcoinparams ] | bitcoinparams )

@murchandamus murchandamus added Proposed BIP modification PR Author action required Needs updates, has unaddressed review comments, or is otherwise waiting for PR author labels May 22, 2024
Copy link
Contributor

@murchandamus murchandamus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’m a bit on the fence regarding this PR. There clearly exists a divergence of the practical use from the specification, and it makes sense to address this and make them line up better. On the other hand, it generally seems counterproductive to ship a new version of a spec under the same label.

I would at least request that the changes are discussed on the mailing list and a Change Log section be added to document when and how the spec was amended. Perhaps it would be better to place these changes into an Appendix that comments on the practical use today and proposes these amendments.

Overall I would prefer a new BIP over changes to a final BIP.

bip-0021.mediawiki Outdated Show resolved Hide resolved
*lno: Lightning BOLT12 offers
*sp: Silent Payment addresses

New payment instructions using bech32 encodings SHOULD reuse their address format's Human Readable Part as the parameter key.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
New payment instructions using bech32 encodings SHOULD reuse their address format's Human Readable Part as the parameter key.
New payment instructions using bech32m as address encoding SHOULD reuse their address format's Human Readable Part as the parameter key.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They aren't always addresses.

bip-0021.mediawiki Outdated Show resolved Hide resolved
bip-0021.mediawiki Outdated Show resolved Hide resolved
bip-0021.mediawiki Outdated Show resolved Hide resolved
@TheBlueMatt
Copy link
Contributor Author

I’m a bit on the fence regarding this PR. There clearly exists a divergence of the practical use from the specification, and it makes sense to address this and make them line up better. On the other hand, it generally seems counterproductive to ship a new version of a spec under the same label.

Yea, I see that its a bit weird to update something "final", but I think there's also tremendous value in being able to update something so that people aren't led to something that is stale, which would almost certainly happen given the number of existing links and references to "BIP 21". I would also be fine copying + pasting BIP 21 to a new BIP number if we update the headers with a "Superseded: See BIP XXXX" header, however, if we really don't want to update it.

I'll wait to address feedback until we have clarity on the forward direction.

@murchandamus
Copy link
Contributor

I'll wait to address feedback until we have clarity on the forward direction.

It might be useful to posit this amendment idea to the mailing list in order to get more input on the forward direction.

@TheBlueMatt
Copy link
Contributor Author

It might be useful to posit this amendment idea to the mailing list in order to get more input on the forward direction.

Done

@harding
Copy link
Contributor

harding commented Jun 5, 2024

I think there's a lot of advantage to updating even final BIPs with information about how those specifications are being widely used in practice, i.e. bitcoinaddress = *base58 / *bech32 / *bech32m.

I don't like adding proposed new features to a final BIP, i.e. defining new keys that haven't be used in practice (like sp). One reason I don't like adding new features to a final BIP is well illustrated in the discussion between @TheBlueMatt and @josibake: they each have slightly different visions for the future of bitcoin: URIs but Matt will be in a privileged position to push for his vision if the existing and widely linked-to standard of BIP21 is updated to reflect his preferences.

I'd prefer to see this PR revised to only document how BIP21 is used in practice today, with any new proposals placed in a new BIP (which can, of course, be a 99% copy of the existing text).

@TheBlueMatt
Copy link
Contributor Author

TheBlueMatt commented Jun 5, 2024

I don't like adding proposed new features to a final BIP, i.e. defining new keys that haven't be used in practice (like sp).

The point of the proposed change isn't to define 'sp' specifically but to define the rules for new formats going forward.

One reason I don't like adding new features to a final BIP is well illustrated in the discussion between @TheBlueMatt and @josibake: they each have slightly different visions for the future of bitcoin: URIs but Matt will be in a privileged position to push for his vision if the existing and widely linked-to standard of BIP21 is updated to reflect his preferences.

I don't think this is a fair characterization. There was a lot of back-and-forth and my understanding is we got to a common ground (or at least equivalent suggestions where it didn't matter all that much where to go). If @josibake still has a different view I'm more than happy to amend the proposal here to make sure we're on the same page.

Rather, the back-and-forth there is a great example of why defining some new BIP just to suggest where to put new payment instructions in BIP 21s is going to lead to further fragmentation - lots of people have strong opinions about lots of equivalent naming schemes.

I'd prefer to see this PR revised to only document how BIP21 is used in practice today, with any new proposals placed in a new BIP (which can, of course, be a 99% copy of the existing text).

This would be pretty confusing, IMO, since we'd then specify "lighting" as a URI parameter here (since it's already in broad use) and then say "oh, but that's kinda a weird name, in the future please do something different and use the HRP instead" in a different doc. IMO that's likely to lead to a continued proliferation of unrelated keys which is less useful going forward.

@TheBlueMatt
Copy link
Contributor Author

Thinking on this more, I think a policy of "we can update a final BIP to describe what is actually happening in practice but not to give forward guidance on how to do things people are going to do" is inconsistent. This results in a neverending stream of changes to add query parameters that are being used in practice, but we can't add guidance for what query parameters to use to avoid that.

@harding
Copy link
Contributor

harding commented Jun 5, 2024

@TheBlueMatt

the back-and-forth there is a great example of why defining some new BIP just to suggest where to put new payment instructions in BIP 21s is going to lead to further fragmentation - lots of people have strong opinions about lots of equivalent naming schemes.

If there's a reasonable difference of opinion, each person should have equal access to the process for advocating for their position. Each person creating a new BIP is equal access IMO. One person being able to update a final BIP that is already widely deployed and referenced, while other parties can only create a new BIP and try to build support for it, is inequitable IMO.

@TheBlueMatt
Copy link
Contributor Author

Right, I believe my above claim is that there isn't any (more) difference of opinion :). Still, more generally I'm not at all convinced that "access to a document" is somehow privileged, or at least its very explicitly not supposed to be - BIPs are author documents - they aren't somehow blessed and implementers can do whatever they want, as evidenced by the fact that no one complies with BIP 21 given BIP 21 currently doesn't allow bech32[m] payments :)

As I mentioned above I'm okay with just saying "no changes at all", but I think your position that we can make some changes (to describe reality) but not others (to provide forward-looking guidance) results in a pretty bad outcome.

@harding
Copy link
Contributor

harding commented Jun 5, 2024

@TheBlueMatt

my above claim is that there isn't any (more) difference of opinion :)

I don't see the resolution to the discussion about bare keys vs key/values above, so it seems open to me, but perhaps you and @josibake hashed it out somewhere else (or I'm just misreading). If it was resolved somewhere else public, I'd appreciate a link, as I was favoring several of Josie's proposals and I'd like to see what persuaded him to accept the full k/v approach.

BIPs are author documents - they aren't somehow blessed and implementers can do whatever they want

BIPs in the draft and proposed stage are author documents for sure, but it doesn't seem clear to me that they should remain author documents once they enter the final state. If people implement a supposedly final specification and then the specification changes, that may unnecessarily lead to miscommunication.

@ajtowns dealt with this problem in BINANAs by giving them revision numbers, so e.g. if I want to reference that a particular implementation of OP_CAT is based on the original proposal, I can say BIN24-1.0 and be protected against changes that become BIN24-1.1, etc. We don't conveniently have that facility with BIPs (I'd have to refer to a commitish) and I think we deal with that by having a final state after which significant changes are not expected.

I'm okay with just saying "no changes at all", but I think your position that we can make some changes (to describe reality) but not others (to provide forward-looking guidance) results in a pretty bad outcome.

I'm also ok with "no changes at all". That said, I think describing reality, especially if it's made clear that it differs from the original specification, is very advantageous to later implementers and those attempting to understand how their modern software works. Not providing post-final forward-looking guidance in the updated BIP doesn't mean that we can't provide that guidance elsewhere, such as a new BIP or a link to a wiki page (in BIP125, I included a link to a wiki page to help foster collaboration among implementers and provide a source of living documentation).

I do want to mention that none of the above is a hill I care to die on; it's just my opinion about editing final BIPs. If nobody else thinks this is a problem, I'm ok with this PR being merged as-is.

@TheBlueMatt
Copy link
Contributor Author

That said, I think describing reality, especially if it's made clear that it differs from the original specification, is very advantageous to later implementers and those attempting to understand how their modern software works.

The point of a BIP is to have the information people need to implement it in one convenient place. That includes guidance for how to do the things people want to do. Updating to say "btw, people put BOLT11s in the lightning key" without saying "and also we should put BOLT12s in the lno key" is possibly the worst outcome, IMO. I see the rationale for getting there, but the outcome is just confusing for everyone (how does one write a general BIP 21 parser? You might have K-V entries, you might have just values, they may be under colliding keys, etc.

Not providing post-final forward-looking guidance in the updated BIP doesn't mean that we can't provide that guidance elsewhere, such as a new BIP or a link to a wiki page.

As long as the BIP gets marked "superseded" with a big link to some new BIP I'm happy with that. Just providing a link in a footnote also does not accomplish this, though, because people will just miss it.

@harding
Copy link
Contributor

harding commented Jun 6, 2024

@TheBlueMatt

The point of a BIP is to have the information people need to implement it in one convenient place.

That's certainly ideal. However, I think in the case of final BIPs, that ideal conflicts with the ideal of not giving anyone unnecessarily privileged access to the specification process. If there is more than one reasonable way to do something, I don't think the author of a long-adopted spec should be able to use that spec to favor their preferred choices.

Which ideal is more important, better documentation or less privilege? I don't know, which is why I'm ok with this PR being merged even if I'd prefer to see it reduced to only describing how current widely adopted behavior differs from the original spec.

@TheBlueMatt
Copy link
Contributor Author

the ideal of not giving anyone unnecessarily privileged access to the specification process

I'll be honest, I'd never considered that an ideal of the BIP process, including the reason for final BIPs. Of course no one should have some kind of priviledged access to changing Bitcoin, but the BIP process hasn't historically been the gate for that.

Admittedly I'm not quite sure what ideal/goal we seek to meet with having a "final" state - I'd always considered it to exist because we don't have a concept of an "accepted" BIP (because the BIP process isn't for "accepting" ideas), but we still need some way to mark something as different from "draft"/proposed. In that context, the "final" concept only really makes any sense for consensus change BIPs. You could argue that a BIP in sufficient adoption is "final" in that future changes don't make sense as they invalidate existing implementations which makes no sense, but that doesn't really answer what to do about forward guidance as is proposed here (presumably it's fine?)

@Kixunil
Copy link

Kixunil commented Aug 1, 2024

Just one note regarding updating a final BIP: there's a huge difference between documenting which parameters people use (the spec specifically allows using custom parameters) and documenting that everyone actually ignores the specification in regard to bech32. It also looks to me that the requirement to use base58 was a mistake. I think it'd make sense to amend that part and that part only. Use a new BIP for everything else.

@AndySchroder
Copy link

In addition to a BOLT12 offer, I'd also like to see an option for a BOLT12 invoice_request. Possibly using the key lnir would work? This addresses the following use case from the BOLT12 spec:

https://github.com/rustyrussell/lightning-rfc/blob/db73bbb64d2dfc07fbc9c1dc09259d827f703868/12-offer-encoding.md?plain=1#L54

The merchant-pays-user flow (e.g. ATM or refund):
1. The merchant publishes an *invoice_request* which contains offer fields
   which refer to its attempt to send money, including an amount.
2. The user sends an *invoice* over the lightning network for the amount in the
   *invoice_request*, using a (possibly temporary) *invoice_node_id*.
3. The merchant confirms the *invoice_node_id* to ensure it's about to pay the correct
   person, and makes a payment to the invoice.

with more explanation later on....

https://github.com/rustyrussell/lightning-rfc/blob/db73bbb64d2dfc07fbc9c1dc09259d827f703868/12-offer-encoding.md?plain=1#L367

The second case is publishing an `invoice_request` without an offer,
such as via QR code.  It contains neither `offer_issuer_id` nor `offer_paths`, setting the
`invreq_payer_id` (and possibly `invreq_paths`) instead, as it in the one paying: the
other offer fields are filled by the creator of the `invoice_request`,
forming a kind of offer-to-send-money.

@TheBlueMatt
Copy link
Contributor Author

BOLT 12 invoice_requests are not intended to be published. What you're looking for are BOLT 12 refunds. You are right that this could include refunds explicitly, however there's no reason to - it specifies that new types should simply use the bech32 HRP as the key.

@AndySchroder
Copy link

Not sure how you can say invoice_requests are not intended to be published. That is literally stated in the spec that I quoted above.

Are you saying that the key lnr is already supported automatically by your new BIP because of its generality?

@TheBlueMatt
Copy link
Contributor Author

Not sure how you can say invoice_requests are not intended to be published. That is literally stated in the spec that I quoted above.

I believe its just a stale line that has slipped in. There is now a dedicated "refund" type which addresses that use-case. Thanks for reporting lightning/bolts#798 (comment)

Are you saying that the key lnr is already supported automatically by your new BIP because of its generality?

Yep!

@AndySchroder
Copy link

Not sure how you can say invoice_requests are not intended to be published. That is literally stated in the spec that I quoted above.

I believe its just a stale line that has slipped in. There is now a dedicated "refund" type which addresses that use-case. Thanks for reporting lightning/bolts#798 (comment)

Looking at @rustyrussell's reply, it seems as there is no explicit refund workflow, it is instead just a modified use case of the offer workflow that can use used for refunds if you want to. So, in that use case, yes, I do think that invoice_requests are intended to be published. Do you agree?

Are you saying that the key lnr is already supported automatically by your new BIP because of its generality?

Yep!

Great, what is cool about this once this is supported by wallets, you can basically make QR code and a paper note with this standard and pass that around to people similar to a paper check, redeemable instantly from your lightning node! This is a great way to make backup in case your phone gets smashed before going on a trip. You can make notes in many denominations and destroy them whenever you want.

@AndySchroder
Copy link

AndySchroder commented Sep 28, 2024

BIP-0353 uses this BIP (even though it says it uses BIP-0021). This BIP (and BIP-21) result in long URI. This presents a problem for QR code encoding and just simple writing of them in messages, etc. Wondering if we can have another URI form that will resolve a BIP-0353 address? For example, encoding something such as bip353:matt@mattcorallo.com is much shorter than bitcoin:bc1qztwy6xen3zdtt7z0vrgapmjtfz8acjkfp5fp7l?lno=lno1qsg95t28fvk7aefdum96rgwq3psqzyxvqfcsq3pv8dulvphcpuezmxx5n8h0evrqtx00ch2wevqzp8pvk4qeqqhw37mc9659ses3xkamaksfd9dspq6gkgmvzcl7eppzd3er2w80rgpq9ys6szwh4e33p82jmu42e9zgay44rhg6whr4gq9l6xe6jd7penguqqeua845ptusy3xs5wxwrytm9ck6dh8l739jmw2rfsu8nudvtef90hfn4aj55aw0ezxxf2excmead9vaqvjtuq6s9a580e85rz8mdvp26kuc5vr2llmuexrgxhxx66l400275a3535qpqvemxtpdvuvrwh83qkjl53eagqckyypeq87wey4833z750a5kr5ppfzemeuhtemw6jpty2gznf76zakkj0c. BIP-353 suggests using ₿matt@mattcorallo.com, but will that work for triggering apps with QR codes, clickable links, NFC intent on phones? Could we change it to ₿:matt@mattcorallo.com (but is that a valid link prefix type, and even if it is, is it easy for people to type?)? Alternatively, could we use BTC:matt@mattcorallo.com as a link prefix for BIP-0353?

Possibly this discussion is about BIP-0353 and not a replacement to BIP-0021, but I'm not sure of the latest discussion area for BIP-353 since it is already issued and it doesn't really pertain to URI prefixes that trigger applications from the operating system, only how wallet applications should behave inside themselves.

@stevenroose
Copy link
Contributor

stevenroose commented Sep 30, 2024

Haven't read the entire discussion here, but skimmed the proposed changes.

FWIW, we're thinking of using BIP-21 for Ark addressing so that we can support bolt12 fallback easily. Also it gives flexibility to Ark implementations to support different arguments in a flexible key-value fashion.

The most important change (probably even only) to BIP21 that we need is to make the address part optional. I see that is already being proposed here. The URIs would then look something like this:

bitcoin:?ark_aspid=deadbeef&ark_pk=02deadbeef&ark_roundconfs=6&lno=lnbc1sdfa

Note that a wallet that doesn't support Ark can just read the bolt12 argument and deliver over lightning, while an Ark wallet can attempt to deliver straight over Ark.

Also, could this simply be an amendment to BIP21? Instead of getting a new number assigned?

@TheBlueMatt
Copy link
Contributor Author

TheBlueMatt commented Sep 30, 2024

BIP-0353 uses this BIP (even though it says it uses BIP-0021). This BIP (and BIP-21) result in long URI. This presents a problem for QR code encoding and just simple writing of them in messages, etc. Wondering if we can have another URI form that will resolve a BIP-0353 address?

In generally you should strongly prefer not to do this. BIP 353 even says so explicitly, saying

Bitcoin wallets MUST NOT prefer to use DNS-based resolving when methods with explicit public keys or addresses are available. In other words, if a standard Bitcoin address or direct BIP 21 URI is available or would suffice, Bitcoin wallets MUST prefer to use that instead.

This is because if at all possible we should strongly prefer to avoid trusting the entire DNS+domain infrastructure - if there's a communication channel between the sender and recipient, that should be used to exchange cryptographic keys directly, rather than introducing an entire centralized stack as a trusted third party. Addressing QR code size is something individual protocols should do on their own (eg BOLT 12 in the lightning world has very small "offers" by just communicating what's required to fetch further payment instructions.

The most important change (probably even only) to BIP21 that we need is to make the address part optional. I see that is already being proposed here. The URIs would then look something like this:

Nice!

bitcoin:?ark_aspid=deadbeef&ark_pk=02deadbeef&ark_roundconfs=6&lno=lnbc1sdfa

It would be kinda nice to stick with the recommendations here of using bech32 HRPs as the keys in the query parameters. I assume you'll want some kind of bech32 string to communicate ark recipient info anyway (yay checksums), so might as well use it as-is here?

Also, could this simply be an amendment to BIP21? Instead of getting a new number assigned?

Heh, lots of back-and-forth on that...BIP 21 is pretty ancient, so might as well just say we're replacing it and mark it DEPRECATED in bold at the top 🤷‍♂️

@AndySchroder
Copy link

This is because if at all possible we should strongly prefer to avoid trusting the entire DNS+domain infrastructure - if there's a communication channel between the sender and recipient, that should be used to exchange cryptographic keys directly, rather than introducing an entire centralized stack as a trusted third party. Addressing QR code size is something individual protocols should do on their own (eg BOLT 12 in the lightning world has very small "offers" by just communicating what's required to fetch further payment instructions.

I get what you are saying, but it seems like BOLT12 offers aren't really that small. Here is a comparison of QR codes for both examples above (which I took the offer example from your proposed spec).

bitcoin:bc1qztwy6xen3zdtt7z0vrgapmjtfz8acjkfp5fp7l?lno=lno1qsg95t28fvk7aefdum96rgwq3psqzyxvqfcsq3pv8dulvphcpuezmxx5n8h0evrqtx00ch2wevqzp8pvk4qeqqhw37mc9659ses3xkamaksfd9dspq6gkgmvzcl7eppzd3er2w80rgpq9ys6szwh4e33p82jmu42e9zgay44rhg6whr4gq9l6xe6jd7penguqqeua845ptusy3xs5wxwrytm9ck6dh8l739jmw2rfsu8nudvtef90hfn4aj55aw0ezxxf2excmead9vaqvjtuq6s9a580e85rz8mdvp26kuc5vr2llmuexrgxhxx66l400275a3535qpqvemxtpdvuvrwh83qkjl53eagqckyypeq87wey4833z750a5kr5ppfzemeuhtemw6jpty2gznf76zakkj0c
image

BTC:matt@mattcorallo.com
image

I think there is a substantial difference, we may want to have the option to do such a thing, but not necessarily encourage it for the reasons you've suggested. I think LNURL brings the size down pretty small, and we are going to be competing with that.

@TheBlueMatt
Copy link
Contributor Author

Yea, sadly BOLT12 seeks to have privacy through blinded paths, but receivers who struggle to fit things in QR codes can opt to reduce size by trading off privacy. Also note that if you're putting a bech32 string in a QR code you really need to uppercase the entire thing, which makes things much less dense.

For people who want tons of options for payments in QR codes, we really should be thinking about something other than BIP 353 - we could publish full payment info in nostr or some other trivial bulletin board (in some kind of encrypted + blinded form where each fresh QR code leads to new payment details to avoid correlation), etc.

@AndySchroder
Copy link

For people who want tons of options for payments in QR codes, we really should be thinking about something other than BIP 353 - we could publish full payment info in nostr or some other trivial bulletin board (in some kind of encrypted + blinded form where each fresh QR code leads to new payment details to avoid correlation), etc.

This seems to me a bit like it is getting back to a heavy software stack, but maybe it is unavoidable.

I like to sticking to DNS as the datastore because it is fairly low on the software stack. Wondering if we can in any way to make a more compact URI that includes user@domain plus some hints to find their nameserver and a pubkey used to sign the DNS records? However, maybe at that point the length is approaching that of an offer with a blinded path...

@TheBlueMatt
Copy link
Contributor Author

Wondering if we can in any way to make a more compact URI that includes user@domain plus some hints to find their nameserver and a pubkey used to sign the DNS records? However, maybe at that point the length is approaching that of an offer with a blinded path...

Signing the DNS content via a direct key is great, but you start hitting censorship risk. Just telling people a nameserver IP doesn't really solve it, either, because in most cases people are trusting a third party to host that who can then censor them. You really just don't want to use DNS for this.

@TheBlueMatt
Copy link
Contributor Author

Responded to some of the feedback, but still need to answer more. Since I'm writing a new BIP I'm gonna take this opportunity to define a new callback scheme which allows for wallets to return proof of payment to the initiating application. This is critical for lightning payments initiated by one app if the app itself isn't the recipient of the payment.

@TheBlueMatt
Copy link
Contributor Author

Okay, I believe I've addressed all the comments here.

@jonatack jonatack removed the PR Author action required Needs updates, has unaddressed review comments, or is otherwise waiting for PR author label Oct 17, 2024
bip-XXXX.mediawiki Outdated Show resolved Hide resolved

The URI MAY include a "pop" (or "req-pop") parameter who's value can be used to build a URI which the wallet application can, after payment completes, "open" to provide proof the payment was completed or other information about the payment.

The value of a "pop" (or "req-pop") parameter shall be a percent-encoded (per RFC 3986 section 2.1) URI prefix. The wallet application, if it supports providing payment information SHOULD percent-decode the provided URI once then append the Payment Information to the resulting URI and open it with the default system handler for the given URI.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did you choose to directly append instead of providing the pop as a query param? It feels easier to parse to me if the wallet adds the pop as one or multiple query params added to the provided URI, for example:

  • for on-chain payments: txid=<tx_id>&tx=<hex_encoded_tx>
  • for bolt 11 payments: preimage=<hex_encoded_payment_preimage>
  • for bolt 12 payments: preimage=<hex_encoded_payment_preimage>&invoice=lni...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did you choose to directly append instead of providing the pop as a query param?

I originally had it this way, but decide its more generic to have the initiating wallet specify the URI how they want, as they can always specify a URI that ends in ?pop= and go from there.

multiple query params

Mmm, good point, I was thinking looking at something else that, duh, we need a way to expose which payment parameter was used...How about just doing payment arg=pop (with a special onchain arg if the address was in the uri body). So like it'd be onchain=hexencodedtx or lightning=preimage or lno=preimage_and_invoice (or whatever format we use for standardized bolt 12 pops)? That way its still clear what the PoP came from, it reuses the keys from the original bitcoin URI so its well known where they're gonna be (and we don't have to worry about defining them going forward and making sure things dont conflict) and the initiator can even pass &pop= at the end cause pop=lightning=preimage is a perfectly valid parameter!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea, that sounds good to me!

bip-XXXX.mediawiki Show resolved Hide resolved
Copy link
Contributor

@t-bast t-bast left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK d7c021a

@dpad85 @robbiehanson what do you think of this? It would be useful to have a prototype implementation of this in Phoenix.


The value of a "pop" (or "req-pop") parameter shall be a percent-encoded (per RFC 3986 section 2.1) URI prefix. The wallet application, if it supports providing payment information SHOULD percent-decode the provided URI once, append the query parameter key from which the payment instructions used were read, append a single =, and finally append the Payment Information to the resulting URI and open it with the default system handler for the URI. For payment instructions read from the body of the URI, "onchain" SHALL be used in place of the key.

A wallet MUST validate that the provided URI's scheme is not (case-insensitive) "http", "https", "file", "javascript", "mailto" or any other scheme which will open in a web browser prior to opening it.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want to get feedback on this line. My thinking here is that there may be some link to a bitcoin: URI in, eg, a social media site or some other context where the user might click it, pay, but then doesn't want the callback to open a random website that then will reveal the sender's IP. However, it does limit the utility somewhat. Specifically web apps will be unable to get callbacks directly without registering a URI handler.

I'm curious if/on what platforms registering a URI handler for a web app is annoying to deal with, and if the tradeoff here makes sense. I strongly dont want to introduce an IP leak because of this, but also there may be some platforms where we really have to.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If IP address leak is the only concern, "http" and "https" could be allowed with .onion and .i2p hostnames as exception.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.