Re: Blockchain Private Key and Web Same-origin policy

Which means that wallet apps should not be created as domain-specific web
apps.
Instead, they should be seperate mobile or desktop apps, preferably native
apps.

Web services incorporating with blockchain that require user signed
transaction should employ out-of-band communication with wallet apps
instead.

I think FIDO's approach utilizing app intents on android and custom url on
iOS is pretty much canonical for solving these kinds of problems.
I think KakaoPay works in a similar manner as well.
2016년 5월 8일 (일) 오후 5:17, Mountie Lee <mountie@paygate.net>님이 작성:

> in bip-0070
>
> wallet app make transaction to Bitcoin P2P Network.
> if we think wallet app (maybe full client or lightweight  client) is
> implemented into User Agent (browser)
> SOP will cause problem communicating with Bitcoin P2P network.
>
> regards
> mountie
>
> On Sun, May 8, 2016 at 5:00 PM, 김원범 <shepelt@blocko.io> wrote:
>
>> I don't think SOP is going to affect web experience leveraging PKI
>> technologies such as blockchain - just as FIDO experience can co-exist with
>> security provided with SOP.
>> Instead of storing private keys locally to each origin, a more general
>> way to manage private keys on user devices will be required.
>> "Wallet apps" functioning like FIDO authenticators on user-owned mobile
>> devices and ways to sign transactions out-of-band will be required to deal
>> with SOP.
>>
>> Traditionally, this has been always the familiar user experience in the
>> bitcoin world.
>> Web sites and services can generate invoices and require users to make
>> transactions, but user private keys are always stored in user-controlled
>> "wallet."
>>
>> However, such an experience has been limited to payment processes only.
>> Since more general blockchain-enhanced web experiences require generating
>> and signing not only payments, but arbitrary data as well, a more general
>> work flow will be required.
>>
>> Bitcoin provides a protocol for enabling out-of-band payment processing.
>> This could be extended to support more general applications.
>>
>> https://github.com/bitcoin/bips/blob/master/bip-0070.mediawiki
>>
>> 2016년 5월 8일 (일) 오후 4:47, Mountie Lee <mountie@paygate.net>님이 작성:
>>
>>> hi.
>>>
>>> let me raise issue for SOP and blockchain private key.
>>>
>>> when we expand usage of blockchain private to Web,
>>> Web SOP will cause some difficult issues.
>>>
>>> private key can be generated/stored in secure element of client side.
>>> user will have ownership of private key and related assets.
>>> when the usage of key is restricted to specific origin,
>>> that is different from normal user expectations.
>>>
>>> many user will think, "my money can be used on any site when I want"
>>> but with SOP, "your money can be used on this site only"
>>>
>>> SOP is important security policy of Web.
>>> because the previous thinking are "some resources are from some origins"
>>> but now we have more requirements letting user have full control of
>>> assets which user has ownership.
>>>
>>> I need opinion for it.
>>>
>>> --
>>> Mountie Lee
>>>
>>> PayGate
>>> CTO, CISSP
>>> Tel : +82 2 2140 2700
>>> E-Mail : mountie@paygate.net
>>>
>>>
>
>
> --
> Mountie Lee
>
> PayGate
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net
>
>

Received on Sunday, 8 May 2016 08:25:39 UTC