-
Notifications
You must be signed in to change notification settings - Fork 770
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve security of CREATE transactions #347
Comments
I just discussed this with @r-marques. Makes sense! |
Issue #327 has some similar ideas to improve security of CREATE transactions. |
This is blocked as long as ThresholdSha256 Fulfillments cannot be signed partially. |
Not exactly. The fulfillment + message can go around off-chain. No need to store it on-chain: you just want to gather signatures. In many cases the contract negotiation is done on a layer above |
Based on a discussion I had with @ttmc, I think the motivation for this was:
I don't think what's proposed is the right approach (though let me know if I've misunderstood anything).
I believe this has already been accomplished by the Transaction model (you need to at least know the private key before you can create something for its public key)?
Not a big fan of this approach; I think this just skirts around the topic but still leaves the system vulnerable. The root problem here is to enable end users to trust the transactions they're getting as inputs. Rather than using a majority-signing approach to tackle this problem, I'd rather keep it simple and let trust be established through publicly advertised trust networks off-chain (i.e. users advertising their public keys to other users, like how gpg works). Using a majority-signing approach doesn't solve the counterfeiting, or "stealing," since anyone, at any time, can duplicate an asset that's in the DB and register it as their own. There's two parts to this trust issue:
|
I am a bit confused by the above statement. The voting mechanism is such that all nodes of the federation will vote on the validity of a proposed block, which entails that every transaction in that block will go though a validation step. |
This is probably related to #327 and we should move the discussion there |
I agree with @diminator. Especially when IPDB wants to bill on a transaction-base, the proposal in outlined in the original post should be considered. I'd recommend to reopen this ticket. |
PR #794 included a change that makes it so that CREATE transactions must be signed by all "owners_before". Yes, anyone can mint assets, but they can only use their own private key(s) when signing to generate the fulfillments in the CREATE transaction. For example, suppose TicketBaron.com has a set of public/private keypairs. They share their public keys with the public. Only TicketBaron.com can create ticket assets signed with their private key(s). Sure, others can create counterfeit TicketBaron.com tickets, but it's easy to check the authenticity of tickets (CREATE transactions): are they signed by TicketBaron.com's private key(s)? If yes, then they are authentic. In other words, it's left up to clients to detect counterfeit assets. That needs to be documented. |
Currently,
CREATE
transactions can issue assets for every public key and they are only validated by a single node.What would be better:
n / 2 + 1
nodesThe proposed workflow could be as follows:
CREATE
transaction.CREATE
transaction has an implicit condition, as there is no input to the transaction:n / 2 + 1
out ofn
threshold condition for the nodes2 - 2
threshold condition together with the signature of the clientCREATE
transaction fulfills the implicit condition above and the nodes validate whether the public key matches the one of the client.The text was updated successfully, but these errors were encountered: