Re: Blockchain Private Key and Web Same-origin policy

On Sun, May 8, 2016 at 9:28 AM, Daniel Buchner <dabuchne@microsoft.com> wrote:
> Your keys will not be generated for a single origin, nor will master private
> keys be stored client-side on a device like a laptop or smartphone. Keys
> will be tied to a global blockchain identity (a public chain transaction
> that maps to provably linked identity data),

How do you propose that this "global blockchain identity" works?  For example:

- Who signed the transaction creating this "global blockchain identity"?
- What happens if the entity that signed that is compromised?
- If no one entity signed it, what keeps anyone from creating a
"global blockchain identity" for me against my wishes?
- How does my device prove it has been authorized to transact on
behalf of this identity?
- If that device-proof is compromised, how do I revoke those keys?

I would appreciate pointers to information describing the design of
such a thing.  Barring that, I think user wallets are a much simpler,
more reasonable thing to consider.

> which the UA will understand
> and use in transactions as an identity agent of the user, via its own unique
> key. The identity system’s challenge and response loop can be used to
> interact with sites, devices, etc., to perform all manner of actions, such
> as: user data storage, messaging, blockchain transactions, etc.
>
> The browser should be extended to do four things:
>
> - Form an agent relationship with a user’s blockchain identity
> - CRUD a user’s blockchain identity data as an allowed agent
> - Sign data on behalf of identity owners it is in agency with
> - Form basic blockchain transactions across chains
>
> With these four capabilities, almost anything you can imagine in the realm
> of decentralized identity and app development becomes possible.
>
> - Daniel
>
> From: Mountie Lee [mailto:mountie@paygate.net]
> Sent: Sunday, May 8, 2016 12:39 AM
> To: public-blockchain-workshop@w3.org
> Cc: public-blockchain@w3.org
> Subject: Blockchain Private Key and Web Same-origin policy
>
> hi.
>
> let me raise an issue for SOP and blockchain private keys.
>
> when we expand usage of blockchain private keys to the Web,
> Web SOP will cause some difficult issues.
>
> a private key can be generated/stored in a secure element on the client side.
> the user will have ownership of the private key and related assets.
> when the usage of the key is restricted to a specific origin,
> that is different from normal user expectations.
>
> many users will think, "my money can be used on any site when I want"
> but with SOP, "your money can be used on this site only"
>
> SOP is an important security policy of the Web,
> because the previous thinking was "some resources are from some origins"
> but now we have more requirements letting the user have full control of assets
> which the user owns.
>
> I need opinions on it.
>
> --
> Mountie Lee
> PayGate
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net
-- 
http://nehanaru.la | @neha

Received on Monday, 9 May 2016 07:47:30 UTC