Would it not be simpler to throw the cards on the floor, take a picture and then get the SHA256 of the raw photo bytes ?

I'm also looking at producing a Bitcoin android app (not a wallet) and want to be able to reassure users that the code I have on github compiles to the same APK as downloaded from the play store.

If anyone knows the answer to this I'd appreciate it.

Thanks.

Yes you do need them in the correct order as I've just found out.

OP_DROP might not work as the BIP16 spec specifies.

"Validation fails if there are any operations other than "push data" operations in the scriptSig."

Why not use one of the public keys as a master public key an derive other keys based on an index ?

Which features and which browser ?

Yes. The daemon would need to be able to provide balances for addresses and unspent outs for when the user wants to create a payment.

Perhaps a modified version of BitcoinJ.

Yes you can. The main thing you need to be aware of is that when creating a payment you need to retrieve unspent outs and different services i.e. blockr.io vs blockchain.info have different formats for this.

I'm more than happy to look at pull requests for this or for BIP39. Makes sense to develop this all in one place.

Hi,

Sorry didn't see this until now. I do have some plans for carbon wallet going forward and I'm also interested in any comments of course.

CarbonWallet uses electrum style passphrases and it would not be easy to move over to BIP39 as we already have people using the existing ones. BIP39 is still in draft, although I can see they are already out in the wild.

Carbon wallet is open source.

https://github.com/carbonwallet/carbonwallet.github.io

You should mention you are using http://carbonwallet.com so you can't really have a copyright.

Great work. Any plans to integrate this into bitcoinjs ?

Or is it possible to get a look at the JS non-minimised ?

Thanks.

If I build the following web wallet, it will be the most secure web wallet currently on the market. Agree or disagree ?

1. The client will be a 1 page backbone.js app deployed directly from the repository on github. The page would be signed with my PGP public key.

Why?

a. Because it would then be possible to write a chrome or firefox plugin to verify the wallet downloaded to your machine corresponds to the code on the repository. Blockchain.info has a form of this already but without the PGP signing.

b. If any third party such as github/cloudflare tampered with the wallet the user would be able to see and flags would be raised.

2. All javascript in plain text and easy to read. (unobfuscated).

Why ? Because the wallet is then open for peer review. Like all solutions that use cryptography peer review is the way to go.

3. No naked private keys stored on the server. No naked keys ever passed to the server.
Why ?

a. Search for “Bitcoin wallet hacked” on google then come back here.
b. Because there is no technical reason why we should ever do this again. And that includes exchanges too.

4. Users shouldn't pick their own passwords.

Why ?

a. Because a lot of users, pick either very week password or re-use passwords on other sites.
b. Because we can then pick passwords with sufficient entropy to properly encrypt private keys.

5. Users should not be able to send coins to the wallet until 2FA is enabled. All operations requiring spends should also be protected with 2FA.

Why ? To defend against malware such as key loggers.

6. A way for users to recover their wallet if the operator goes away.

Recovery procedure should be quick and simple. i.e. electrum passphrase.

Is the multiaddr function available with CORS headers ?

I think we've missed the point here. By showing me that you have access to every users funds, you show me that at any point you can disappear with those funds.

I would prefer to see a report that the users have access to 100% of their funds and the exchange cannot access any of those funds. This is not hard to do now we have M of N signatures, why are exchanges wrapping software around naked private keys and declaring themselves secure.

Hi,

I'm the owner of carbon wallet http://carbonwallet.com/.

Take down you site immediately or I will be sending a Cease and Desist to your domain host.

If you are going to use carbon wallet as a basis for your crappy little wallet offering, at least have the decency to make up your own marketing.

You can also use your electrum passphrase at carbon wallet. http://carbonwallet.com/

I think it's already a de-facto standard. We're using it on http://carbonwallet.com/

See https://github.com/carbonwallet/carbonwallet.github.io/blob/master/extjs/mnemonic.js

How would that work. To me the blockchain checker looks like it would do the job.

You can already download carbonwallet as a chrome extension. So this monitor app would be for people who use the wallet online.

Actually perhaps instead of a github page. This could be developed as a jsfiddle.