bsips/bsip-0040.md

88 lines
4.2 KiB
Markdown
Raw Normal View History

2018-07-25 11:19:23 +00:00
BSIP: 0040
Title: Custom active permissions
Authors:
2018-07-25 12:11:50 +00:00
Alex Megalokonomos <https://github.com/clockworkgr>
2018-07-25 11:19:23 +00:00
Fabian Schuh <https://github.com/xeroc>
Stefan Schießl <https://github.com/sschiessl-bcp>
Status: Draft
Type: Protocol
Created: 2018-07-25
Discussion: https://github.com/bitshares/bitshares-core/issues/1061
Worker: <Id of worker proposal>
# Abstract
Strengthening user security is one of the main factors to elevate BitShares. Inlight of recent
hacking and phishing attempts this becomes even more important. The need for a more sophisticated
account security preceeded the idea for a finer-grained control of account permissions.
We propose to add an additional authority to the account, called Custom Active (Permission). The
permission contains a list of operationid-to-authority mappings that each grant access to the respective
operation as if it were the active permission of the account. Additionally, the arguments of said operation
can be restricted.
2018-07-25 11:35:17 +00:00
# Motivation
2018-07-25 11:19:23 +00:00
Any successfull hacking or phishing attempt on any of the web wallets that are powered by the
BitShares Blockchain is bad publicity. The user needs to be educated in account security, and this BSIP
aims to ensure all technical possibilities are met while being flexible to allow many use-cases.
Examples:
- Witness Key: Only allows update signing key and publish price feed
- Trading Key: Only allows limit orders (arguments restricted to desired markets), update margin position and transfers (arguments restricted to certain accounts)
- Proposal Update Key: Approve proposals (2FA comes to mind)
2018-07-25 11:34:40 +00:00
- Faucet Key: Allow only to create accounts
2018-07-25 11:19:23 +00:00
The above list of named keys is nothing that is known to the backend as the backend should have an abstract implementation.
The UI should provide a button "Create Trading Key" that properly configures the respective custom active permission entry.
2018-07-25 11:35:17 +00:00
# Rational
2018-07-25 11:19:23 +00:00
2018-07-25 11:34:40 +00:00
The description here is more on a superficial level and no recommendation how it can best be implemented.
2018-07-25 12:12:42 +00:00
Custom active permission is a list of custom active authorities. A `custom active authority` contains an `operation_id`, an `authority` (just like with active permission) and a list of `assert`s than can be used to restricted arguments. When a transaction is signed with such an authority the backend checks if the contained operation has a corresponding custom active authority entry and if so acts as if the active authority of the corresponding account is given. It also checks if the arguments are in the allowed range.
2018-07-25 12:11:03 +00:00
A Custom Active Permission looks like follows (in JSON for clarification, backend serializes and stores in a different way):
```
custom_active_permission = list of custom_active_authority items
custom_active_authority = {
operationid,
auhtority,
assert
}
```
2018-07-25 11:19:23 +00:00
2018-07-25 11:34:40 +00:00
Example:
Assume account A and B and some unrelated key K. Furthermore A has a custom active authority in the following way:
```
custom active authority = {
operationid: 0 (transfer),
2018-07-25 11:50:14 +00:00
authority: {
threshold: 1
key_auth: [K, 1]
account_auth: []
},
assert: {
2018-07-25 11:34:40 +00:00
to: B
}
}
```
That has the consquence now that a a transfer transaction sending funds away from A can be signed with key K as long as the receiver is B.
2018-07-25 11:19:23 +00:00
2018-07-25 11:35:17 +00:00
# Specifications
2018-07-25 12:11:03 +00:00
Requirements to modify the backend includes
* Extend the account object to store custom active permission
* Extend `account_update` or create a new operation to allow changing the custom active permission
* Operation-specific authorities (if present) must be evaluated in incoming transactions
* Additional committee parameters may be needed to limit the extend of usage of this feature
2018-07-25 11:50:14 +00:00
2018-07-25 11:19:23 +00:00
# Discussion
2018-07-25 11:34:40 +00:00
To be found in the [issue](https://github.com/bitshares/bitshares-core/issues/1061).
2018-07-25 11:19:23 +00:00
# Summary for Shareholders
2018-07-25 11:34:40 +00:00
Bad publicity in terms of security can have very negative effect on the BTS value. This BSIP allows that traders can e.g. use a trading key, witnesses can use their witness key and a faucet can use a faucet key. If then for some reason the key or witness/faucet server becomes compromised, such a key can do little harm to the account holders, minimizing the risk.
2018-07-25 11:19:23 +00:00
# Copyright
This document is placed in the public domain.