ssbc / ssb-peer-invites

A new ssb invite system to create invites without having a pub
MIT License

Redundant field ID on accept #12

Closed (cryptix closed 5 years ago)

cryptix commented 5 years ago

https://github.com/ssbc/ssb-peer-invites#peer-inviteaccept

The `id: ...` on the accept message is the author of the feed.

dominictarr commented 5 years ago

No, that is intended - the invite (seed) key must sign the new long-term id, so that part can't be replayed on another feed.

Check that the content is signed by the seed (which must include the new long-term id): https://github.com/ssbc/ssb-peer-invites/blob/master/valid.js#L140-L141

And the outer signature is also checked, with the long-term id: https://github.com/ssbc/ssb-peer-invites/blob/master/valid.js#L112-L113 (this is just an ordinary message signature, thus this proves that the holder of the invite seed really does also control the long-term key).

dominictarr commented 5 years ago

If the seed didn't sign the long-term feed, anyone could just repost the inner confirm part, and it would appear that they accepted the invite.
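
An added example, not part of the original thread and not the project's `valid.js`: a simplified sketch of the two signature checks described above, showing that an accept reposted on another feed fails validation. The field names, the use of `JSON.stringify` as the signed encoding, and the explicit id/author comparison are assumptions of this sketch.

```javascript
// Added illustration; simplified, NOT the project's valid.js.
// Field names (receipt, id, seedSig, author, signature) and JSON.stringify as the
// signed encoding are assumptions for this sketch.
const nodeCrypto = require('crypto');

const newKey = () => nodeCrypto.generateKeyPairSync('ed25519');
const pubId = (kp) => kp.publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
const sign = (kp, obj) =>
  nodeCrypto.sign(null, Buffer.from(JSON.stringify(obj)), kp.privateKey).toString('base64');
const verify = (publicKey, obj, sig) =>
  nodeCrypto.verify(null, Buffer.from(JSON.stringify(obj)), publicKey, Buffer.from(sig, 'base64'));
const toKey = (id) =>
  nodeCrypto.createPublicKey({ key: Buffer.from(id, 'base64'), format: 'der', type: 'spki' });

// Guest side: the seed key signs content that names the long-term id,
// then the long-term key signs the whole message as its author.
function makeAccept(seed, longTerm, receipt) {
  const content = { type: 'accept', receipt, id: pubId(longTerm) };
  content.seedSig = sign(seed, { type: content.type, receipt, id: content.id });
  const msg = { author: pubId(longTerm), content };
  msg.signature = sign(longTerm, { author: msg.author, content });
  return msg;
}

// Verifier side: both checks from the thread, plus the binding between them.
function validateAccept(msg, seedPublicKey) {
  const { seedSig, ...inner } = msg.content;
  if (inner.id !== msg.author) return 'id does not match author';
  if (!verify(seedPublicKey, inner, seedSig)) return 'bad seed signature';
  const outer = { author: msg.author, content: msg.content };
  if (!verify(toKey(msg.author), outer, msg.signature)) return 'bad outer signature';
  return 'ok';
}

// Constructed scenario: another feed reposts the guest's inner content as its own.
function replayOnOtherFeed(original, otherFeed, rewriteId) {
  const content = { ...original.content };
  if (rewriteId) content.id = pubId(otherFeed); // invalidates seedSig
  const msg = { author: pubId(otherFeed), content };
  msg.signature = sign(otherFeed, { author: msg.author, content });
  return msg;
}

const seed = newKey(), guest = newKey(), other = newKey();
const accept = makeAccept(seed, guest, 'constructed-invite-id');
console.log(validateAccept(accept, seed.publicKey));
console.log(validateAccept(replayOnOtherFeed(accept, other, false), seed.publicKey));
console.log(validateAccept(replayOnOtherFeed(accept, other, true), seed.publicKey));
```

Because the seed signature covers the `id` field, the reposting feed can neither keep the original id (it no longer matches the author) nor swap in its own (the seed signature breaks).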

cryptix commented 5 years ago

Okay. I think I get it now, thanks!

I think the "how it works" section of the readme could have a sentence or two saying that the seed creates the guest identity. Then it might be a bit clearer what these other signatures are.