If we allow qualification of the producer public_key as suggested in #7, we would make it practical to also include an optional signature field in the file to attest authenticity.
The JSON representation should be stringified in a canonical / deterministic manner, then signed with the private key associated with the account with active permission.
This would make the standard more solid and protect against spoofing, impersonation, phishing attacks, etc., as people will start relying on them more and more.
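A sketch of the canonicalize-then-sign flow proposed above, added here as an example; it is not part of the issue or of the project's code. It assumes Node's built-in ECDSA over secp256k1 with SHA-256 and a base64 DER signature rather than EOSIO key and signature encoding, and the `signature` field name and sample values are hypothetical.

```javascript
const crypto = require('crypto');

// Deterministic serialization of parsed JSON: keys sorted recursively, no whitespace.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]))
      .join(',') + '}';
  }
  return JSON.stringify(value); // strings, numbers, booleans, null
}

// The signature covers every field except the (hypothetical) "signature" field.
function signingPayload(doc) {
  const { signature, ...unsigned } = doc;
  return Buffer.from(canonicalize(unsigned), 'utf8');
}

function signDocument(doc, privateKey) {
  const sig = crypto.sign('sha256', signingPayload(doc), privateKey);
  return { ...doc, signature: sig.toString('base64') };
}

function verifyDocument(doc, publicKey) {
  if (typeof doc.signature !== 'string') return false; // unsigned file
  const sig = Buffer.from(doc.signature, 'base64');
  return crypto.verify('sha256', signingPayload(doc), publicKey, sig);
}

// Constructed sample data: a throwaway key pair and a minimal bp.json-style document.
const { publicKey, privateKey } =
  crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
const sample = {
  producer_account_name: 'exampleprod1',
  org: { candidate_name: 'Example BP', website: 'https://bp.example' },
  nodes: [{ node_type: 'producer' }],
};
const signed = signDocument(sample, privateKey);
// Same content with keys in a different order: must still verify.
const reordered = {
  signature: signed.signature,
  nodes: signed.nodes,
  org: { website: signed.org.website, candidate_name: signed.org.candidate_name },
  producer_account_name: signed.producer_account_name,
};
// One field changed after signing, as a compromised web host could do: must fail.
const tampered = { ...signed, org: { ...signed.org, website: 'https://other.example' } };
```

A verifier would compare against the key registered on-chain for the producer account, so a file replaced on the web server fails verification even if it carries a fresh signature from another key.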
We are considering adding an optional signature field (this would require some specification on how to sign it). @lukestokes @systemzax, do you guys believe this is still an issue? Although updating the bp.json on-chain is possible, there are some use cases where it is not as practical as the web version.
My main worry is about possible vulnerabilities on servers hosting the website (which are usually less secure than other infra); adding the signature would definitely protect against takeovers.
Related to #7