Re: Blockchain Private Key and Web Same-origin policy from Mountie Lee on 2016-05-08 (public-blockchain@w3.org from May 2016)

From: Mountie Lee <mountie@paygate.net>
Date: Sun, 8 May 2016 17:16:41 +0900
To: 김원범 <shepelt@blocko.io>
Cc: public-blockchain-workshop@w3.org, public-blockchain@w3.org
Message-ID: <CAE-+aYLhPO48sv4Tkz2vk3w=3yeEsZ2HXoDDEK6USLqzVFZy_w@mail.gmail.com>

in bip-0070

wallet app make transaction to Bitcoin P2P Network.
if we think wallet app (maybe full client or lightweight  client) is
implemented into User Agent (browser)
SOP will cause problem communicating with Bitcoin P2P network.

regards
mountie

On Sun, May 8, 2016 at 5:00 PM, 김원범 <shepelt@blocko.io> wrote:

> I don't think SOP is going to affect web experience leveraging PKI
> technologies such as blockchain - just as FIDO experience can co-exist with
> security provided with SOP.
> Instead of storing private keys locally to each origin, a more general way
> to manage private keys on user devices will be required.
> "Wallet apps" functioning like FIDO authenticators on user-owned mobile
> devices and ways to sign transactions out-of-band will be required to deal
> with SOP.
>
> Traditionally, this has been always the familiar user experience in the
> bitcoin world.
> Web sites and services can generate invoices and require users to make
> transactions, but user private keys are always stored in user-controlled
> "wallet."
>
> However, such an experience has been limited to payment processes only.
> Since more general blockchain-enhanced web experiences require generating
> and signing not only payments, but arbitrary data as well, a more general
> work flow will be required.
>
> Bitcoin provides a protocol for enabling out-of-band payment processing.
> This could be extended to support more general applications.
>
> https://github.com/bitcoin/bips/blob/master/bip-0070.mediawiki
>
> 2016년 5월 8일 (일) 오후 4:47, Mountie Lee <mountie@paygate.net>님이 작성:
>
>> hi.
>>
>> let me raise issue for SOP and blockchain private key.
>>
>> when we expand usage of blockchain private to Web,
>> Web SOP will cause some difficult issues.
>>
>> private key can be generated/stored in secure element of client side.
>> user will have ownership of private key and related assets.
>> when the usage of key is restricted to specific origin,
>> that is different from normal user expectations.
>>
>> many user will think, "my money can be used on any site when I want"
>> but with SOP, "your money can be used on this site only"
>>
>> SOP is important security policy of Web.
>> because the previous thinking are "some resources are from some origins"
>> but now we have more requirements letting user have full control of
>> assets which user has ownership.
>>
>> I need opinion for it.
>>
>> --
>> Mountie Lee
>>
>> PayGate
>> CTO, CISSP
>> Tel : +82 2 2140 2700
>> E-Mail : mountie@paygate.net
>>
>>


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

Received on Sunday, 8 May 2016 09:25:14 UTC