ethereum / go-ethereum

Go implementation of the Ethereum protocol
https://geth.ethereum.org
GNU Lesser General Public License v3.0

Allow lock and unlocking the account through the RPC #2068

Closed mitar closed 8 years ago

mitar commented 8 years ago

Otherwise it is really hard to do really anything remotely (what R in RPC stands for). Unless geth is unlocked for the whole session. Which again means you cannot run geth really remotely.

sammy007 commented 8 years ago

I like it.

karalabe commented 8 years ago

--rpcapi "db,eth,net,web3,personal"

Please be aware of the consequences of opening up account methods to networked computers.

mitar commented 8 years ago

Personal API is not documented here? How stable is it?

Also, it is lacking account locking, there is just unlocking.

karalabe commented 8 years ago

The personal module is part of the go-ethereum management API. It's not supposed to be used by average DApps, hence why it's not part of the standard spec.

obscuren commented 8 years ago

Not gonna happen.

EDIT: too insecure. And we're thinking about removing the key management from geth completely and move it to the client (e.g. mist).

obscuren commented 8 years ago

Another thing is that a DApp isn't supposed to care about locking or unlocking, it should "just happen". It's very domain specific knowledge and that knowledge does not belong with the DApp.

mitar commented 8 years ago

> Another thing is that a DApp isn't supposed to care about locking or unlocking, it should "just happen".

Yes, by providing the API it can "just happen".

> EDIT: too insecure. And we're thinking about removing the key management from geth completely and move it to the client (e.g. mist).

In fact, I was looking into this because I wanted to make it more secure. So I was pretty surprised that you have to run your geth in unlocked mode for the wallet to work. I think this is pretty insecure. So what exactly are the plans for making this more secure? How would mist help here?

I am asking because I am working on a project making web apps more secure, where they can have secrets only trusted codebase can have access to. I wanted to look into how we could apply this to Ethereum wallets, as an example, but I see that there is no good story here at all, which we could then improve upon.

obscuren commented 8 years ago

> Yes, by providing the API it can "just happen".

No :-)

Remove accounts entirely from the node. Have the node serve public data only. Let whoever needs accounting implement accounting (e.g. mist).