You are viewing a single comment's thread from:

RE: VOTING NOW CLOSED - Foundation Structure Proposal Election - UPDATE: NO REGISTRATION REQUIRED

in #dpoll6 years ago (edited)

Think @dpoll.xyz (and a lot of other DApps that only use SteemConnect for user authentication, basically) could use a TTP-free proof of identity implementation. There are I think multiple options that are very much viable. A few:

  1. Micro-transactions as outlined here. Every DApp could integrate this option already.
  2. A simple local (windows/linux/android/etc) custom_json signing+posting client. Basically you could vote with a locally signed custom_json. A DApp owner could write his own client. Great for people who use only one or two DApps. The Memo key would probably be great for this.
  3. SteemConnect could introduce a DApp-agnostic zero-authority identity proving client. Like #2, but could work seemlesly for all DApps already using SteemConnect. Memo key again should be cool for this.
  4. The steemit site could implement the signing part of #3 instead of a local client. DApp or SteemConnect could offer JWS token to the person wanting to proof her identity. She could then go to the steemit JWS signer, sign the JWS token with her posting key, and get a new signed JWS token to submit to the DApp or to SteemConnect.

I feel @steemaliance should really take it upon herself to avoid becoming a self amplifying loop of security-illiteracy, and excluding stake holders, especially larger stake holders, who won't trust their active key to SteemConnect in order to be able to vote, I feel, initiates just that.

I know #4 is far from perfect, but it shouldn't be too much trouble for @emrebeyler to integrate it into the existing @dpoll.xyz system in order to cater to security conscience stake holders who prefer not to hand their active key over to steemconnect in order to vote on these important matters.

Any thought on this @emrebeyler? Especially because these votes are stake based, I feel this is the perfect use case for a steemconnect-free way to authenticate to the voting engine.

Sort:  

I will NOT BE VOTING on dpoll because I have NO IDEA HOW SECURE it it is. Why do we need to compromise security in order to vote? Make dpoll work with keychain or find a new voting method.

I will discuss a way to gather non dpoll votes with the working group. I imagine we can also find a way to allow other inputs.

That would be great. Thanks!

Hey, I just realized, you already trust your posting authority to many other dapps. You aren't compromising anything that you haven't implicitly given up already (trust-wise).

Note also that dpoll doesn't even ask you to grant posting authority. (this is wrong, stricken out. steemconnect asks for it, and you still have to trust steemconnect. dpoll's app itself doesn't have access)

Steemconnect is the trusted mediator here, and as long as you trust steemconnect, there's 0 reason to distrust dpoll. Just want to throw that out there.

And you can immediately revoke what little authorization you granted as noted in the parent comment.

How difficult would it be to spoof steemconnect? I see a pop-up that looks like steemconnect and I insert my key. Next thing I know, it does nothing and it's too late to revoke it. I HATE using my actual steem keys all the time.

Yeah, I understand the point. But actually even this is fairly difficult because the popup will show the URL with the cert, and you can be sure that if you trust steemconnect, it is fine.

But anyway, we are discussing it.

IF everyone is careful and not in a rush.
It is too easy to get careless and lose everything. I prefer to be paranoid about such things.

If you have steem keychain or any other way of assigning posting auth temporarily, I have something for you if you haven't voted already. See here

Looks interesting, but what do we do with it? Not all of us are coders.

Once your keys are entered to Steem Connect, you do not need to re-enter them.
Connecting somewhere else, the site should be verified by Steem Connect.
Any site asking for your keys to be re-entered should never need your aster Key. The majority should not need your active key.

@happyme, it looks like keychain will be implemented in a few days. Just wait until then and you can cast your vote.

69F94278-D0FA-467A-A9EB-90201C9FE5B6.jpeg

This is GREAT news. Thanks a lot!

Thank @emrebeyler, the creator of dpoll. He’s amazing about implementing new features and helping to make dpoll what the community sees as beneficial. He deserves a big thanks on all he’s done in this process alone. Glad it could get worked out 🙂

Yes, thanks to @emrebeyler. I had no idea who was behind dpoll. It seems all the programmers know each other. Does anyone know who is behind DrugWars?

I wouldn’t say all the programmers know each other, it’s just maybe they are more likely to dig into projects. I’m only aware of who is behind which projects due to their posting on it. I was just having a conversation with someone who thought it would be great to have a LinkedIn style page for developers, witnesses etc so it was easier to find information. Maybe something to look forward to.

As far as drugwars, it’s by futureshock aka hightouch’s project. There is a whole team, but I believe he is the founder.

I was just having a conversation with someone who thought it would be great to have a LinkedIn style page for developers, witnesses etc so it was easier to find information.

Searching has always been a big problem on this platform, so indexes and the like would surely be a blessing.

Thanks for the information on DrugWars too. I actually found out by looking up the introduction post for it. I wrote on the post as a reply, so I hope @hightouch sees it and responds.

Implementing a steemconnect free way of authentication on dPoll is expensive at this time. Hopefully, we will have the optional keychain integration in the future.

Let me know if it would be usefull (and if I can help) making the micro transaction option work with dpoll.

@asgarth, @jarvie, can this happen on steempeak?

I agree that 'the community' is a herd of cats, at this point, and trying to herd them while claiming legitimacy may be premature.

Well first of all I believe strongly that polling should be a non-platform specific act on the blockchain. And there are ways to do that so every front end could do it. I think that's the first step.

I thought it was a keychain that I could use outside chrome/brave.