RE: Blockchain Private Key and Web Same-origin policy

Your keys will not be generated for a single origin, nor will master private keys be stored client-side on a device like a laptop or smartphone. Keys will be tied to a global blockchain identity (a public chain transaction that maps to provably linked identity data), which the UA will understand and use in transactions as an identity agent of the user, via its own unique key. The identity system’s challenge and response loop can be used to interact with sites, devices, etc., to perform all manner of actions, such as: user data storage, messaging, blockchain transactions, etc.

The browser should be extended to do four things:


* Form an agent relationship with a user’s blockchain identity
* CRUD a user’s blockchain identity data as an allowed agent
* Sign data on behalf of identity owners it is in agency with
* Form basic blockchain transactions across chains

With these four capabilities, almost anything you can imagine in the realm of decentralized identity and app development becomes possible.

- Daniel

From: Mountie Lee [mailto:mountie@paygate.net]
Sent: Sunday, May 8, 2016 12:39 AM
To: public-blockchain-workshop@w3.org
Cc: public-blockchain@w3.org
Subject: Blockchain Private Key and Web Same-origin policy

Hi.

Let me raise an issue about SOP and blockchain private keys.

When we expand the usage of blockchain private keys to the Web,
Web SOP will cause some difficult issues.

A private key can be generated/stored in a secure element on the client side.
The user will have ownership of the private key and related assets.
When the usage of the key is restricted to a specific origin,
that is different from normal user expectations.

Many users will think, "my money can be used on any site when I want",
but with SOP, "your money can be used on this site only".

SOP is an important security policy of the Web,
because the previous thinking was "some resources are from some origins",
but now we have more requirements for letting the user have full control of assets of which the user has ownership.

I need opinions on it.

--
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

Received on Sunday, 8 May 2016 14:07:39 UTC