- From: Neha Narula <narula@csail.mit.edu>
- Date: Sun, 8 May 2016 10:39:48 -0400
- To: Daniel Buchner <dabuchne@microsoft.com>
- Cc: Mountie Lee <mountie@paygate.net>, "public-blockchain-workshop@w3.org" <public-blockchain-workshop@w3.org>, "public-blockchain@w3.org" <public-blockchain@w3.org>
On Sun, May 8, 2016 at 9:28 AM, Daniel Buchner <dabuchne@microsoft.com> wrote:

> Your keys will not be generated for a single origin, nor will master private
> keys be stored client-side on a device like a laptop or smartphone. Keys
> will be tied to a global blockchain identity (a public chain transaction
> that maps to provably linked identity data),

How do you propose that this "global blockchain identity" works? For example:

- Who signed the transaction creating this "global blockchain identity"?
- What happens if the entity that signed that is compromised?
- If no one entity signed it, what keeps anyone from creating a "global blockchain identity" for me against my wishes?
- How does my device prove it has been authorized to transact on behalf of this identity?
- If that device-proof is compromised, how do I revoke those keys?

I would appreciate pointers to information describing the design of such a thing. Barring that, I think user wallets are a much simpler, more reasonable thing to consider.

> which the UA will understand
> and use in transactions as an identity agent of the user, via its own unique
> key. The identity system’s challenge and response loop can be used to
> interact with sites, devices, etc., to perform all manner of actions, such
> as: user data storage, messaging, blockchain transactions, etc.
>
> The browser should be extended to do four things:
>
> · Form an agent relationship with a user’s blockchain identity
>
> · CRUD a user’s blockchain identity data as an allowed agent
>
> · Sign data on behalf of identity owners it is in agency with
>
> · Form basic blockchain transactions across chains
>
> With these four capabilities, almost anything you can imagine in the realm
> of decentralized identity and app development becomes possible.
>
> - Daniel
>
> From: Mountie Lee [mailto:mountie@paygate.net]
> Sent: Sunday, May 8, 2016 12:39 AM
> To: public-blockchain-workshop@w3.org
> Cc: public-blockchain@w3.org
> Subject: Blockchain Private Key and Web Same-origin policy
>
> hi.
>
> let me raise issue for SOP and blockchain private key.
>
> when we expand usage of blockchain private to Web,
>
> Web SOP will cause some difficult issues.
>
> private key can be generated/stored in secure element of client side.
>
> user will have ownership of private key and related assets.
>
> when the usage of key is restricted to specific origin,
>
> that is different from normal user expectations.
>
> many user will think, "my money can be used on any site when I want"
>
> but with SOP, "your money can be used on this site only"
>
> SOP is important security policy of Web.
>
> because the previous thinking are "some resources are from some origins"
>
> but now we have more requirements letting user have full control of assets
> which user has ownership.
>
> I need opinion for it.
>
> --
>
> Mountie Lee
>
> PayGate
>
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net

--
http://nehanaru.la | @neha

Received on Monday, 9 May 2016 07:47:30 UTC