If the user has an app to scan this, such an app would disregard the URL portion anyway, so I don't think including it is a big deal. Providing the private key alone would be perfect in a world where everyone already had a suitable app on their phone ready to read this, an app which of course would exist for every phone on the market, including those whose app store owner forbids bitcoin apps on non-jailbroken phones.
I started with the assumption (I might be wrong...) that a store will run a custom POS. I checked out a few projects and services and this seems to be the trend. The problem I was trying to solve was "how to emulate a cash transaction using BTC in such a way that it's as fast or even faster".
You're imagining a scenario where a seller is using a dumb QR code reader on a mobile phone by the rotten fruits company. I am not sure that your scenario can happen in a real store, at least not until Bitcoin becomes so popular that everyone, regardless of their knowledge, will want to accept BTC payments *NOW!*.
The actual world is not perfect, and such a user would be only "using" the service long enough to initiate a transaction and collect their bitcoins, giving no personal information in the process. There is a big difference between being a "user" of a service versus a casual unregistered visitor - someone scanning a code would be no more a forced user of said service than me becoming a forced "user" of pastebin when I view something published there.
The user will be using the service long enough to be scammed by the website and/or the buyer. Imagine this scenario:
I am the evil attacker and I know that you don't run a custom POS, you're using online services from the QR codes. I quickly go home, create a custom QR code which points to my server. It looks just like you would expect, just that instead of sweeping the funds to your address, it displays an OK message. I walk out of the store with merchandise, you find out hours later that you don't have the money.
For even extra evilness, my server could actually commit the sweep, just use a different destination address (also mine). Even if you do get your hands on me, I will show you the tx and blame it on you for not pasting the correct address (I also had plenty of time to change my server so that now it's running as expected - I will even invite you to audit it). I'm innocent until proven guilty, which you can't do. You'll take the loss and (probably) give up Bitcoin forever. Only one such successful attack is needed to have a lot of people lose trust in the system.
So no, the seller should not trust any service pushed by the user, only data that he can verify on the spot. If this means running a Bitcoin POS app on a real computer instead of using the phone, I think he should (well, if he cares about the money, of course...).
On the other hand, I did some tests with the Goggles app on my Android phone. It's capable of correctly detecting a URL even if the QR code is actually:
DATA,PRIKEY=12345,URL=https://google.com/12345/,bla,bla,bla
So I think we can support your scenario without too much trouble, if the QR scanner runs a decent app. Alternatively, it's copy-paste time for the seller. I'll post later some ideas about QR code formats and I'll also include your URL idea. But I do hope you'll change your mind
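
Added example, not part of the original post: a POS-side parser for the comma-separated payload shown above that extracts the PRIKEY field, checks it offline, and never contacts the URL. It assumes the key is a mainnet WIF string (the post does not specify an encoding); the function names and the sample key are constructed, and confirming the key's balance still needs the seller's own node or wallet.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)      # ValueError on a non-base58 character
    pad = len(s) - len(s.lstrip("1"))   # each leading '1' is one zero byte
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def wif_encode(key32):
    """Used only to build the constructed sample key below."""
    raw = b"\x80" + key32
    n, out = int.from_bytes(raw + _checksum(raw), "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out

def wif_is_valid(wif):
    """Offline check: base58, version 0x80, 32-byte key, checksum matches."""
    try:
        raw = b58decode(wif)
    except ValueError:
        return False
    payload, check = raw[:-4], raw[-4:]
    if len(payload) == 34 and payload[-1] != 0x01:   # compressed-key flag
        return False
    return (len(payload) in (33, 34) and payload[0] == 0x80
            and _checksum(payload) == check)

def parse_payload(text):
    """Return (private_key, url). The URL is returned for logging only."""
    fields = {}
    for part in text.split(","):
        name, sep, value = part.partition("=")
        if sep:
            fields.setdefault(name.strip().upper(), value.strip())
    key = fields.get("PRIKEY")
    if key is None or not wif_is_valid(key):
        raise ValueError("payload carries no verifiable private key")
    return key, fields.get("URL")       # never fetched by this code

SAMPLE_KEY = wif_encode(bytes(range(1, 33)))          # constructed test key
SAMPLE = "DATA,PRIKEY=%s,URL=https://example.invalid/sweep,bla" % SAMPLE_KEY
```

The literal `PRIKEY=12345` from the post is rejected by this check, as is a key with any single character altered, so a payload is accepted on what the seller can verify locally rather than on what a page at the URL reports.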
