search

TryQuiet / zbay

GNU General Public License v3.0
18 stars 3 forks source link

All user registration messages posted to blockchain should be signed by our node #813

Open holmesworcester opened 3 years ago

holmesworcester commented 3 years ago

This is one step in moving username registrations away from Zcash. (Part of https://github.com/ZbayApp/zbay/issues/787.)

In this step we add signatures to our username registration messages.

Acceptance criteria: all username registration messages are signed by our node before being posted to the blockchain.

kowalski commented 3 years ago

I think the first step is to make friends with PKI.js library.

when you say "registration messages is signed by our node" I think what we really want is instead of registration messages, we want to have certificates with CN=address.onion and other fields representing users identify (at least nickname).

Simplest way to integrate this is to have http api that zbay node sends http post request to with CSR (certificate signing request) and receives back the certificate. This node also puts this certificate into orbitdb. This would for now have to work along the registration lambda that posts to zcash.

holmesworcester commented 3 years ago

I'm looking for a way where we can actually test and release this as we go. What if we turn this around and build the verification logic first?

For example:

  1. Zbay can use PKI.js to verify one non-blockchain account (where we do signing by hand, and everything the user knows about that account is hard coded into Zbay)
  2. We put this one account in an OrbitDB that clients fetch, instead of hard-coding it. All new people should be able to recognize this account (or any others we put in that are signed by us) as soon as they sync. Any client that sees a duplicate username registration throws a warning.
  3. We build the API to submit a CSR, get back a certificate, and put it in OrbitDB. Our dev zbays can use it, and the names we register will be visible in production Zbay.
  4. We change the registration flow so that all new accounts use this API, and hardcode all old accounts, and remove Zcash account registration.
holmesworcester commented 3 years ago

One additional thought: right now I think we're hard-coding the holmes identity, so we could switch to using this method for that, for example.