New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
simplify submission of attestations. no need for signed claimOfAttendance #215
Comments
Hmm, on the spot, I can't find a hard reason against that suggestion. |
I think we should move the vote into a separate field, as is can be the case that 10 people are present but you are not able to scan one or two persons QR code for technical reasons. |
Here's a possible attack if claimOfAttendance isn't signed by the claimant: meetup assigned size: 10 participants Because of Lines 295 to 296 in 7e80f00
an adversary could submit an attestation for any of the legit participants with a fabricated ClaimOfAttendance with a wrong vote So, at least for the current implementation, I veto this change |
What do you mean exactly by this? The concept of ClaimOfAttendance would not exist anymore in this new design. The idea is that every participant calls an extrinsic with a signed origin and submits a vote and a list of addresses he wants to attest as present in the meetup. So an adversary could never forge a vote of another participant. |
True. If this is really sound it would greatly simplify UX as there would be no need to scan qr codes anymore as we only need to know who out of the possible set is present. We could broadcast bluetooth beacons similar to the covid app or even just represent pubkeys with a couple of symbols (or a 4byte hash) But the fact that participants do not need the private key for the account they are attending with concerns me. That appears too easy to be secure. We should think about attack vectors if anyone can claim for everyone else. Basically this undermines ceremony randomization as people can swap locations to their liking |
I understand the concern about the private key. But I have the feeling that all attacks concerning location swapping etc. would already possible now, just a little more complicated to implement technically. I think the question really is, if those really are attacks, ie. who would benefit from them. Let's consider this: What is still not possible is that I can go to any meetup and claim to be myself and get attested. So if I swap locations, I will need to trust the other person to show up in my location and claim to be me. So I think in the end people have a clear incentive to go to their location just to make sure that they really get their attestations without having to trust another person. Are there any other scenarios that could go wrong? |
The current claimOfAttendance design for sure is a legacy from a previous design where each participant submitted their own claims that were signed by the others. |
looking at: pallets/primitives/src/ceremonies.rs Lines 78 to 87 in fdbce01
attacks on your design proposal will always try to change at least one of these fields
So, yes @pifragile, as far as I can tell, your suggestion is sound 🚀 and is a massive simplification I'll rename this issue to an actionable task. In order to be reverse compatible, I'd leave the current dispatchabe as-is: Lines 173 to 176 in 4922d08
but add a new one:
I still believe it makes sense to vote on the number of participants, because collecting AccountId's is a process that can possibly go wrong due to human or technical errors |
Yes, @pifragile and I also discussed this yesterday, and we could not come up with a potential attack either. I suggest we do this asap, it will make the meetups so much more easy! |
yes. It will not be trivial to provide reverse compatibility with mixed versions of the app in the same meetup, so we need to think this through. We don't have a deprecation warning in the app itself so far. maybe we should introduce that first? But from a pallet/runtime point of view, we can move ahead and include this in our upcoming runtime upgrade! |
In my opinion, the design around signed claims of attendances is not very intuitive.
I don't see what benefit we get from the fact that the claims have a signature. Does it add any security?
Also the claims hold a lot of redundant information that needs to be processed on chain.
I would propose a new design, where meetup participants just send the following info after a meetup:
Then, we would read the vote on the number of participants from the length of the list of public keys rather than from the claims.
This would simplify things and make it more intuitive. I cannot see any security issues with this new design. Am I missing something?
What are your thoughts on this @brenzi @clangenb?
The text was updated successfully, but these errors were encountered: