Blockchain Private Key and Web Same-origin policy

Hi.

Let me raise an issue about SOP and blockchain private keys.

When we expand the usage of blockchain private keys to the Web,
Web SOP will cause some difficult issues.

A private key can be generated/stored in a secure element on the client side.
The user will have ownership of the private key and related assets.
When the usage of the key is restricted to a specific origin,
that is different from normal user expectations.

Many users will think, "my money can be used on any site when I want",
but with SOP, "your money can be used on this site only".

SOP is an important security policy of the Web,
because the previous thinking is "some resources are from some origins".
But now we have more requirements letting the user have full control of assets
which the user has ownership of.

I need opinions on it.

-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

Received on Sunday, 8 May 2016 09:26:51 UTC