CryptoConsortium / CCSS

The CryptoCurrency Security Standard
https://cryptoconsortium.github.io/CCSS/

A level 3 wallet owner could still steal user funds? #23

Closed 9876691 closed 5 years ago

9876691 commented 8 years ago

I read through the standard and it's a great effort.

My main concern is the wallet creation section. Let's say I create a 2 of 2 wallet for a user. The user encrypts one key at the browser. The other key is created on his smartphone; this is the model of Carbon Wallet. https://carbonwallet.com

The user controls both keys. The site operator can steal one key via a JavaScript injection, but he can't get the smartphone key (not without great effort, at least). Basically you eliminate the ability for the operator to steal funds.

However, under the CCSS specification for a level 3 wallet the wallet should be 2 of 3 and the operator keeps one key as well as the user controlling 2?

Redundant keys are assigned to each wallet for recovery purposes. This ensures that the funds are still available in the event one of the primary keys becomes inaccessible for any reason. One common method of achieving this goal is to create a wallet that requires any 2 of 3 possible signatures in order to spend funds (i.e. there is 1 redundant key)

Now the operator can again steal funds.

So the way I see it is that this specification gives a higher rating to wallet operators that have access to the users' funds, i.e. Coinbase and BitGo.

Although BitGo doesn't have direct access to 2 keys, they could steal keys if they wanted to by hacking their front-end code. I'm not suggesting they would do this, btw.
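
The trade-off raised in this issue, written out as a small threat-model check (an added example, not part of the original post or of the CCSS project). The party names, key names and `reachable` sets are constructed assumptions taken from the post's description: the operator can capture the browser key through JavaScript injection but cannot get the smartphone key, and in the 2-of-3 layout the operator stores the third key.

```python
from itertools import combinations

# Constructed models of the two layouts discussed in the issue.
# "holds": keys a party stores itself.
# "reachable": keys a party could additionally obtain; here, the post's
# assumption that whoever serves the web front end can capture the browser key.
WALLETS = {
    "2-of-2, user browser + user phone": {
        "threshold": 2,
        "keys": {"browser", "phone"},
        "holds": {"user": {"browser", "phone"}, "operator": set()},
        "reachable": {"operator": {"browser"}},
    },
    "2-of-3, operator holds one key": {
        "threshold": 2,
        "keys": {"browser", "phone", "operator_key"},
        "holds": {"user": {"browser", "phone"}, "operator": {"operator_key"}},
        "reachable": {"operator": {"browser"}},
    },
}

def can_spend_alone(wallet, party):
    """True if the party's stored plus reachable keys meet the signing threshold."""
    keys = wallet["holds"].get(party, set()) | wallet["reachable"].get(party, set())
    return len(keys & wallet["keys"]) >= wallet["threshold"]

def survives_key_loss(wallet, lost=1):
    """True if funds stay spendable after any `lost` keys become inaccessible."""
    return all(
        len(wallet["keys"] - set(gone)) >= wallet["threshold"]
        for gone in combinations(wallet["keys"], lost)
    )

def assess(wallet):
    """Summarise unilateral-spend risk and recoverability for one layout."""
    return {
        "operator_can_spend_alone": can_spend_alone(wallet, "operator"),
        "user_can_spend_alone": can_spend_alone(wallet, "user"),
        "survives_one_lost_key": survives_key_loss(wallet),
    }

if __name__ == "__main__":
    for name, wallet in WALLETS.items():
        print(name, assess(wallet))
```

Moving `operator_key` to an independent third party, or removing `browser` from the operator's `reachable` set, flips `operator_can_spend_alone` to false while the layout still survives one lost key.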