BSIP 40: Custom active authorities #1285
Comments
sschiessl-bcp
changed the title
abitmore
added
hardfork
feature
3b Feature
ryanRfox
added
1a Epic
|
This Issue will serve as the Task List to track BSIP40 future development tasks (Issue). Discussion will take place within relevant tasks. Assigned @sschiessl-bcp as the BSIP author to track the hours (40) for the draft. |
abitmore
modified the milestones:
Future Consensus-Upgrade Release,
201905 - Consensus-Upgrade Release
oxarbitrage
modified the milestones:
201905 - Consensus-Upgrade Release,
201911 - Consensus-Upgrade Release
|
During the core team conference call yesterday, I was asked to evaluate the BSIP-40 implementation and determine its completeness and viability for adding to the 201904 release. I promised to look into it and return a response within a week. In the spirit of short-circuit evaluation, I am returning my response now. BSIP-40 is cool, without a doubt, and it would be a nice feature for server admins and power users; however, the motivation for BSIP-40 is opened as due to recent hacking and phishing attempts... and need for better user education on account security. These motivations are important, and solutions to these issues should be implemented. It seems to me, however, that BSIP-40 is a non-sequitur to these motivations. BSIP-40 offers more fine-grained security options to sophisticated users who already possess a firm understanding of BitShares, including topics like key-based authentication and operations. It offers more security options, but in return it makes the topic of BitShares account security more complex, not less. This is contrary to the stated goal of better user education. It may be argued that this is merely a UI problem -- that the UI can wrap the complexities of keys and operation types, to offer powerful security packages in a format palatable to end-users. In my opinion, however, this serves only to distance the user even further from the complexities, encouraging the user to understand less about their account's security and rely more on ever-more-sophisticated tools the experts made. This is, again, inimical to the stated goals. Now, I do acknowledge that I was asked to evaluate the implementation of BSIP-40, not whether its motivation is well-stated. Upon an initial review of the implementation, however, I have determined that the coded implementation has substantial room for improvement, but due to its size, each of these improvements will involve massive amounts of rework throughout the implementation. Furthermore, due to the security-critical nature of this feature, it is my opinion that it would be unwise to accept such a large patch from a single source, no matter how well-reviewed. The implementation of such a feature should be created by multiple developers, who are well-familiarized with BitShares core code, engaged throughout the process, to foster dynamic conversation on the best implementation strategies for maintainability, concision, developer understanding, and speed of the code. The code written for BSIP-40 is full of highly complex, boilerplate-heavy template metaprogramming code, and a single typo or copy-paste oversight could easily translate to compromised accounts and tokens, while such mistakes can be easily missed by reviewers. For the above reasons, I have concluded that the BSIP-40 implementation is not ready for fast-track inclusion into the current 201904 release. It may be possible to prepare it for the 201910 release, but I would be most comfortable with an implementation which is the result of collaboration between core developers, rather than outside contractors. |
|
Historically, the idea of having some external (non core devs) resource work on BSIP40 implementation was simply due to lack of development resources and some desperate need for the functionality. Hence, an agreement was made back in the days to continue with abit's initial stubs and implement all the rest through Blockchain Projects B.V. with guidance from the core team. Surely, we all agree that the final say comes from the core development team who has ultimate veto power over what code fits their QA needs and what needs to be improved. With that said, I do understand and agree with not considering the code ready for fast-track inclusion into the upcoming hard-fork - I was never convinced we could make it - and that more review work is required due to the substantial security implications it has. I would propose the following:
As you can see, I do want this feature to be included eventually as it significantly reduces implications of hacks, in particular in light of (BBF's) escrow systems that can greatly benefit from BSIP40. |
|
Done with #1860 |
abitmore
modified the milestones:
4.0.0 - Protocol Upgrade Release,
5.0.0 - Protocol Upgrade Release
abitmore
modified the milestones:
5.0.0 - Protocol Upgrade Release,
4.0.0 - Protocol Upgrade Release
Strengthening user security is one of the main factors to elevate BitShares. In light of recent hacking and phishing attempts this becomes even more important. The need for a more sophisticated account security preceeded the idea for a finer-grained control of account permissions. We propose to add an additional authority to the account, called Custom Active (Permission). The permission contains a list of operationid-to-authority mappings that each grant access to the respective operation as if it were the active permission of the account. Additionally, the arguments of said operation can be restricted.
User Story
As a
userI wanta more sophisticated controlandmanagementcapabilities for my permissions so thatthe impact of a compromised key is reducedandon-chain tasks can be delegated.This covers issues reported here as well
The BSIP
The BSIP drafting is completed and it is available here
https://github.com/bitshares/bsips/blob/master/bsip-0040.md
CORE TEAM TASK LIST
The text was updated successfully, but these errors were encountered: