-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KIP 0028: Pact Verifier Plugins #57
base: master
Are you sure you want to change the base?
Conversation
Excellent initial exposition, @edmundnoble, you've made the intent of the proposal very clear. |
Suggestion : The REPL simulation function Question 1: Is a managed cap automatically installed by a verfier (like it is with a signature) ? Question 2: Does the magic triggered by GAS_PAYER cap works with verifier ? I mean, can we trigger a gas station from a verifier ? Question 3: Do you plan to create a new type a guard that automatically enforce a verifier ? (similar to a keyset guard) Question 4: Do you plan to add some doc for the verifiers (at least one short paragraph ) ? btw: it may answer to my question 1. |
@CryptoPascal31 thanks for the questions!
Good idea, I'll add that. Edit: done.
Yes.
Not initially. This is mentioned in the KIP: "A verifier may charge gas after gas is bought and before any transaction code is run. Because of this, currently, a verifier cannot grant the
No plans to do this at the moment. I would recommend using a capability guard for this.
What exactly are you asking about documenting? The Pact code, chainweb code, this KIP, or something else? Or is there a particular workflow you're asking about documenting? |
20223bc
to
95d24b0
Compare
Thank you for your answers @edmundnoble
In fact, I was especially thinking about this: I was wondering whether the "Allow" verifier could be an elegant solution for the suggestion I raised. Currently, a GAS_PAYER triggered gas station is not related to the signature, as it may not be related not to a verifier attestation. I know, I'm not clear..
I mean in the official Pact doc: There is a lot about caps, signatures, managed caps... I think the concept of verifiers should be explained here. IMHO: new users are not supposed to know that the documentation is spread between the official doc and the KIPs.. I mean, users are not supposed to search into the KIP repository to understand the concept of a verifier. |
Thanks Pascal, I've submitted a document update request (kadena-community/kadena.js#1661), we'll have an update in the official docs page soonish, ideally by the release. Word from the Pact team is that we're trying to phase out the readthedocs website in favor of https://docs.kadena.io. Re: |
signers. The first signature corresponds to the first signer, second signature | ||
to the second signer, and so on. | ||
|
||
We propose the following schema for including extra verification types in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add here something along the lines of:
The
verifiers
field is in the command object in the same level as thepayload
,signers
,nonce
, fields.
- `name`: | ||
- an identifier for the verification type. | ||
- a string. | ||
- `proof`: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the proof a string or JSON? Since the example is a string, but here it says JSON
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think, that the proof string just be just binary. In the JSON body of the tx it would be encoded as base64url (without padding).
Proof strings messages from the outside world that don't have a meaning in Pact. We should constrain the content as little as possible. So plain bytes seem the right choice.
It is the job of the verifier to understand those plain bytes and relate them to the Pact semantics of the content of the clist
.
|
||
We propose defining a *verifier plugin* as a new form of authority in the Pact container layer that can grant capabilities. More specifically, we propose defining it as a named function which, given a proof value and a set of capabilities, either consents to grant that set of capabilities exactly or produces an error. | ||
|
||
A transaction will be allowed include a list of verifiers, similarly to a list of signers, which for each used verifier will include the name of that verifier, the proof being passed to that verifier, and the capabilities it's being asked to grant. **Note that this means that the creator of a transaction must already know exactly what capabilities a proof grants, to include it into the capability list of a verifier.** This is essential for showing that the things a transaction is allowed to do are included verbatim in the transaction in a human-readable format. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some (nit) wording and spacing suggestions.
A transaction will be allowed include a list of verifiers, similarly to a list of signers, which for each used verifier will include the name of that verifier, the proof being passed to that verifier, and the capabilities it's being asked to grant. **Note that this means that the creator of a transaction must already know exactly what capabilities a proof grants, to include it into the capability list of a verifier.** This is essential for showing that the things a transaction is allowed to do are included verbatim in the transaction in a human-readable format. | |
A transaction will be allowed to include a list of verifiers, similarly to how it includes a list of signers. Each verifier will include the name of that verifier, the proof being passed to that verifier, and the capabilities it's being asked to grant. | |
**Note that this means that the creator of a transaction must already know exactly what capabilities a proof grants, to include it into the capability list of a verifier.** | |
This is essential for showing that the things a transaction is allowed to do are included verbatim in the transaction in a human-readable format. |
|
||
A transaction will be allowed include a list of verifiers, similarly to a list of signers, which for each used verifier will include the name of that verifier, the proof being passed to that verifier, and the capabilities it's being asked to grant. **Note that this means that the creator of a transaction must already know exactly what capabilities a proof grants, to include it into the capability list of a verifier.** This is essential for showing that the things a transaction is allowed to do are included verbatim in the transaction in a human-readable format. | ||
|
||
In Pact versions above 4, a capability can require that it was signed for by a given keyset via `enforce-keyset`; analogously, a capability can require that it was granted by a particular verifier via the proposed built-in function `enforce-verifier`, for example `(enforce-verifier 'ZK)`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More nit suggestions:
- Some more wording suggestions
- And if it would be possible to add an example of what
ZK
in(enforce-verifier 'ZK)
is referring to.
In Pact versions above 4, a capability can require that it was signed for by a given keyset via `enforce-keyset`; analogously, a capability can require that it was granted by a particular verifier via the proposed built-in function `enforce-verifier`, for example `(enforce-verifier 'ZK)`. | |
In versions above Pact 4, a capability can require that it was signed for by a given keyset via `enforce-keyset`; analogously, a capability can require that it was granted by a particular verifier via the proposed built-in function `enforce-verifier`. For example `(enforce-verifier 'ZK)`, where `'ZK` is `<todo>`. |
|
||
## Changes to the Pact transaction schema | ||
|
||
For reference, this is the schema of the `signers` field: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Whats the connection between signers
and verifiers
field? Is it included here to show that both have similar type structures?
df8be21
to
69f7f55
Compare
69f7f55
to
71f16ab
Compare
- a string. | ||
- `proof`: | ||
- input to the verifier. | ||
- an arbitrary JSON-encoded Pact value. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- an arbitrary JSON-encoded Pact value. | |
- JSON string with the base64Url (without padding) encoded proof binary data. |
Verifier plugins may require any kind of encoding as input -- so the only reasonable assumption we can make is that it is a byte array. base64 seems the most direct encoding of arbitrary data in JSON.
(The current proposal would mean in most cases to first encode the proof object into a pact string, e.g. using base64, and than escaping that Pact string and wrap it into JSON, just for the verifier to undo all of these steps again to retrieve the original content.)
This is a proposal to add Verifier Plugins to Pact as a way to add new cryptography to Pact and integrate it with the capability paradigm. Implementation is at kadena-io/chainweb-node#1777 and kadena-io/pact#1324.