WebOfTrustInfo / btcr-hackathon-2019

BTCR Hackathon 2019
https://weboftrustinfo.github.io/btcr-hackathon-2019/
MIT License

Decision: use short form of btcr did if output index is 0 #5

Open kimdhamilton opened 5 years ago

kimdhamilton commented 5 years ago

This affects code samples, libraries and the method spec.

When txout is 0, the short form of the btcr did (with testnet, this yields the x prefix) should be used.

BIP136 supports both forms for index 0, but we are making the decision that BTCR supports only the short form when index==0.

Reason: shorter, and it's a potential security risk to allow 2 formats.

peacekeeper commented 5 years ago

Sounds good. So for example if I try to resolve did:btcr:8kyt-fzzq-qqqq-ase0-d8, then the resolver should throw an error, whereas did:btcr:xkyt-fzzq-q4wq-f2d would work, right?

danpape commented 5 years ago

I just wrote somewhere else, I think maybe in dcdpr's repo, that programs should probably accept the long form as input, like your resolver, but anything that generates the TXrefs should only generate the short form.

On Wed, Aug 7, 2019, 11:12 AM Markus Sabadello notifications@github.com wrote:

> Sounds good. So for example if I try to resolve did:btcr:8kyt-fzzq-qqqq-ase0-d8, then the resolver should throw an error, whereas did:btcr:xkyt-fzzq-q4wq-f2d would work, right?


peacekeeper commented 5 years ago

> programs should probably accept the long form as input

My sense is that @kimdhamilton is right that it's a potential security risk to allow 2 formats. I can also imagine semantic problems if you have 2 (different, but linked) identifiers for the same resource.

A generic txref library could continue to accept both, but on the DID resolver layer I think it's better to only allow one form.

kimdhamilton commented 5 years ago

+1 that only 1 should be accepted at the DID resolver layer. When we discussed yesterday, we mentioned 2 reasons:

  1. clarity for resolution implementers
  2. potential security issue

I thought we agreed on this yesterday, but let me know if you want to discuss further @danpape

danpape commented 5 years ago

No - that is fine. I was trying to invoke Postel's law when saying we should accept both, but perhaps I was unclear about what everyone else decided yesterday. I am fine with the did/btcr layer being strict about it.

On Wed, Aug 7, 2019 at 1:04 PM Kim (Hamilton) Duffy <notifications@github.com> wrote:

> +1 that only 1 should be accepted at the DID resolver layer. When we discussed yesterday, we mentioned 2 reasons:
>
>   1. clarity for resolution implementers
>   2. potential security issue
>
> I thought we agreed on this yesterday, but let me know if you want to discuss further @danpape https://github.com/danpape


ChristopherA commented 5 years ago

A test for this should be:

For testnet transaction: f8cdaff3ebd9e862ed5885f8975489090595abe1470397f79780ead1c7528107

INVALID (as output index is 0): did:btcr:8yv2-xzpq-qqqq-9yce-nk

SHOULD BE: did:btcr:xyv2-xzpq-q9wa-p7t

-- Christopher Allen
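
A sketch of the DID-resolver-layer check this thread settles on, exercised with the identifiers quoted above. It is an added example, not code from the hackathon repository: the function and exception names are hypothetical, the magic codes and field layout are taken from BIP136 as an assumption, and bech32 checksum verification is assumed to be done separately by the underlying txref library.

```python
# Added example (hypothetical names): DID-layer form check for did:btcr.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet
# BIP136 magic codes: the first character selects network and form.
SHORT_MAGIC = {"r": "mainnet", "x": "testnet"}
EXTENDED_MAGIC = {"y": "mainnet", "8": "testnet"}
# Lengths without hyphens: magic(1) + payload(8) [+ index(3)] + checksum(6).
SHORT_LEN, EXTENDED_LEN = 15, 18


class NonCanonicalBtcrDid(ValueError):
    """Extended (long) form used although the output index is 0."""


def check_btcr_did_form(did):
    """Return network/form/index, or raise on a rejected form.

    Assumes lowercase input, hyphens as separators only, and bech32
    checksum verification done separately by the txref library."""
    prefix = "did:btcr:"
    if not did.startswith(prefix):
        raise ValueError("not a did:btcr identifier")
    body = did[len(prefix):].replace("-", "")
    if not body or any(c not in CHARSET for c in body):
        raise ValueError("character outside the bech32 alphabet")
    magic = body[0]
    if magic in SHORT_MAGIC:
        if len(body) != SHORT_LEN:
            raise ValueError("wrong length for a short-form txref")
        return {"network": SHORT_MAGIC[magic], "form": "short", "txout_index": 0}
    if magic in EXTENDED_MAGIC:
        if len(body) != EXTENDED_LEN:
            raise ValueError("wrong length for an extended txref")
        # The three characters after the payload hold the 15-bit output
        # index, least significant 5 bits first (BIP136 layout, assumed).
        d = [CHARSET.index(c) for c in body[9:12]]
        index = d[0] | (d[1] << 5) | (d[2] << 10)
        if index == 0:
            raise NonCanonicalBtcrDid("index 0 must use the short form: " + did)
        return {"network": EXTENDED_MAGIC[magic], "form": "extended",
                "txout_index": index}
    raise ValueError("unknown txref magic code")


if __name__ == "__main__":
    print(check_btcr_did_form("did:btcr:xyv2-xzpq-q9wa-p7t"))
    try:
        check_btcr_did_form("did:btcr:8yv2-xzpq-qqqq-9yce-nk")
    except NonCanonicalBtcrDid as err:
        print("rejected:", err)
```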