Re: Blockchain Private Key and Web Same-origin policy

I don't think SOP is going to affect web experiences leveraging PKI
technologies such as blockchain, just as the FIDO experience can co-exist with
the security provided by SOP.
Instead of storing private keys locally per origin, a more general way
to manage private keys on user devices will be required.
"Wallet apps" functioning like FIDO authenticators on user-owned mobile
devices, and ways to sign transactions out-of-band, will be required to deal
with SOP.

Traditionally, this has always been the familiar user experience in the
Bitcoin world.
Web sites and services can generate invoices and require users to make
transactions, but user private keys are always stored in a user-controlled
"wallet."

However, such an experience has been limited to payment processes only.
Since more general blockchain-enhanced web experiences require generating
and signing not only payments but arbitrary data as well, a more general
workflow will be required.

Bitcoin provides a protocol for enabling out-of-band payment processing.
This could be extended to support more general applications.

https://github.com/bitcoin/bips/blob/master/bip-0070.mediawiki

On Sun, May 8, 2016 at 4:47 PM, Mountie Lee <mountie@paygate.net> wrote:

> hi.
>
> let me raise an issue regarding SOP and the blockchain private key.
>
> when we expand the usage of blockchain private keys to the Web,
> Web SOP will cause some difficult issues.
>
> a private key can be generated/stored in a secure element on the client side.
> the user will have ownership of the private key and related assets.
> when the usage of the key is restricted to a specific origin,
> that is different from normal user expectations.
>
> many users will think, "my money can be used on any site when I want"
> but with SOP, "your money can be used on this site only"
>
> SOP is an important security policy of the Web,
> because the previous thinking was "some resources are from some origins"
> but now we have more requirements letting the user have full control of assets
> of which the user has ownership.
>
> I need opinions on it.
>
> --
> Mountie Lee
>
> PayGate
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net
>
>

Received on Sunday, 8 May 2016 16:14:27 UTC
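As an added example (not code from the thread, from BIP-70, or from any wallet project), the out-of-band signing flow argued for above, sketched in Go: a hypothetical BIP-70-style `SigningRequest` generalised to arbitrary data, a `Wallet` holding one user-owned key that is not scoped to any origin, and a site-side `Verify`. Because the same key is usable at every site, the request carries the requesting origin and the site checks it on verification, so a signature one site obtained cannot be replayed at another; Ed25519 stands in for Bitcoin's secp256k1 ECDSA for brevity, and the origins and payload are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// SigningRequest is a hypothetical BIP-70-style request generalised to arbitrary
// data; the site embeds its origin and a fresh nonce so the signature binds both.
type SigningRequest struct {
	Origin  string `json:"origin"`
	Nonce   string `json:"nonce"`
	Payload []byte `json:"payload"`
}

// Wallet holds one user-owned key not scoped to any origin, like a FIDO authenticator.
type Wallet struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
func NewWallet() (*Wallet, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Wallet{Pub: pub, priv: priv}, nil
}
// digest canonicalises the request (json.Marshal keeps struct field order).
func digest(r SigningRequest) []byte {
	b, _ := json.Marshal(r)
	h := sha256.Sum256(b)
	return h[:]
}
// Sign is the out-of-band step on the user's device: the wallet shows r.Origin
// to the user for confirmation, then signs the request with its own key.
func (w *Wallet) Sign(r SigningRequest) []byte { return ed25519.Sign(w.priv, digest(r)) }
// Verify runs on the site: the signature must verify under the wallet's key AND
// the request must name this origin, so one site cannot replay it at another.
func Verify(pub ed25519.PublicKey, myOrigin string, r SigningRequest, sig []byte) bool {
	return r.Origin == myOrigin && ed25519.Verify(pub, digest(r), sig)
}

func main() {
	w, _ := NewWallet()
	req := SigningRequest{Origin: "https://shop.example", Nonce: "n1", Payload: []byte("invoice-42")}
	fmt.Println(Verify(w.Pub, "https://shop.example", req, w.Sign(req))) // true
}
```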