-
Notifications
You must be signed in to change notification settings - Fork 226
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TEP: Data signatures #104
base: master
Are you sure you want to change the base?
TEP: Data signatures #104
Conversation
Received a number of suggestions from @EmelyanenkoK:
|
Another suggestion by @ex3ndr is to compose this extension with TEP/PR93. I'm a bit hesitant to do that because TEP/PR93 by itself is not a safe usable scheme and if we use it as-is, then timestamp and schema prefix would have to eat the space out of the payload cell, making composition with its TL-B scheme harder. |
…s+domain could be used together
I have updated the spec based on feedback from @EmelyanenkoK & @mr-tron.
|
Based on feedback by @tolya-yanot replaced chunked encoding with SHA256. This comes at no tradeoff for domain names: they are transmitted or known explicitly anyway. As for the plaintext string: it is unlikely that smart contracts would verify complex text strings, and yet it is possible to hash them or introduce a dedicated TL-B scheme for that purpose in the future. For short "command" strings the contracts could verify sha256 images directly against the built-in constants. |
One more update: @mr-tron pointed out two things:
|
A couple of minor tweaks:
|
LGTM |
LGTM, thanks all for the hard work to finalize this as part of TC2 |
Do we need to explicitly bind these signatures to the network ID (-239 for mainnet, -3 for testnet) to avoid ambiguity between networks? Also: in TON Connect there is custom "address proof" scheme that we may want to replace with this scheme for consistency. |
Your wallet is already have subwallet id inside address which should be first 4 bytes of zero state hash. |
I am reserving the prefix of |
Do you mean using the same 4 bytes of the zero state hash as an identifier? Note that the current proposal does not bind signatures to any wallet address (which is bound to the network id as you described). |
I don't understand the use-case. The snake format effectively compresses any string to a hash (for the tail). Anyway, I'd suggest to name this something like "hashsig hash:Slice = PayloadCell" to make the difference clear. But then it's only useful if you don't plan to display the contents of the text to user, which would be weird and insecure. Note that the timestamp exists outside the payloads. If you want to make an eternal signature you may use all-zero timestamp and if it's important, the clockless HSM may check that the time is all-zero so that you know it's not going to have an expiration time. However, even such HSM may format the time and display it for sanity check to the user. |
Re: binding to the network. These signatures are going to be used also offchain, so we can delegate to the dapps to embed additional binding in their custom payloads and not include the network ID in this standard. E.g. if a signed message operates a smart contract on a certain network, then it may be enough to bind through a contract address (that should be different on a testnet). |
I think should add standard prefix to any signed payload which contains ton connect magic prefix (like version maybe), ton connect domain and signing timestamp for avoid reusing signature in other projects. |
This proposal is an evolution of @ex3ndr's safe-signing proposal.
Highlights:
Rendered specification: