Bitcoin BIP38 Security Advisory

You may use third-party services (“printers”) to produce encrypted Bitcoin keys based on an “intermediate code” that you (the “owner”) create independently and which starts with the letters “passphrase”, such as “passphraseouGLY8yjTZQ5Q2bTo8rtKfdbHz4tme7QuPheRgES8KnT6pX5yxFauYhv3SVPDD”.

If so, you are using BIP38, also known as “passphrase-protected private keys”. Libbitcoin developers recently integrated this technology into the development kit.

The encrypted private key produced by the printer typically begins with the letters “6P”, such as “6PnQ4ihgH1pxeUWa1SDPZ4xToaTdLtjebd8Qw6KJf8xDCW67ssaAqWuJkw”.

This standard defines a “confirmation code”, which is another value the owner may receive from the printer, and begins with the letters “cfrm”, such as “cfrm38VUEdzHWKfUjdNjV22wyFNGgtRHYhXdBFT7fWw7cCJbCobryAYUThq4BbTPP15g4SeBsug”.

Payments can be made to the corresponding Bitcoin payment address, in this case “1AoLqsujagqD7NmbQKYBEuhRMnCfwJzGoy”. The owner, using the passphrase originally used to create the intermediate code, is the only party who can spend money sent to this address, and is therefore protected from printer malfeasance and ineptitude.

However, I strongly recommend against reliance on the confirmation code. Validating this code with your original passphrase tells you nothing about your ability to spend money sent to its corresponding Bitcoin payment address. In fact, this code is not useful in any scenario where the printer cannot be trusted by the owner. This lack of trust is, of course, the reason for both the intermediate code and the confirmation code in the first place.

The only thing that the owner learns from validating the confirmation code is that only the owner could spend money sent to the corresponding address. But this assumes the owner has the corresponding private key. The encrypted private key provided by the printer may be entirely bogus. The only way to know whether you have the necessary private key is to validate the encrypted private key.

You are fine as long as you validate the encrypted private key, but don’t use the confirmation code for anything, even after you have validated the encrypted private key. This validation must include deriving the payment address from the encrypted private key. It is our recommendation that the confirmation code section be struck entirely from BIP38.

