This is to further discuss this proposal: https://steemit.com/crypto/@mister.ticot/a-standardized-way-of-handling-stellar-transactions

A standardized way of handling stellar transactions

bkolobara

MisterTicot I just don't understand why you link to a post on steemit that links back to galactictalk ?. We don't need to spread the conversation between 2 places.

MisterTicot

Well as the text is quite big I thought it would be more appropriate to share it on some blogging platform and to use the space here to debate the issue.

dzham

MisterTicot

How about more complex transactions, multi-sig/multi-party?

MisterTicot

Hm. You got me on that one. I need further thinking about it.

MisterTicot

Ok, so I went a bit through the doc and did appreciate the deepness of stellar system ?

I really enjoy the large set of usage case that can be derived out of a little set of transaction, this is really well crafted ?

Now to be honest I feel a bit overwhelmed by this and I didn't get the whole picture in my head, yet.

However maybe I can tell you how my ideas goes so far and then we can see together if something looks wrong?

Just to be sure we are on the same line I'd like to restate the design basis.

So the basics is that it would be desirable to split the functions handled by what we called a wallet until now.

If you take hardware wallet, they basically handle two main distinct task, right? That is, on one side management of the signing keypair handled by the hardware itself. And on the other side user frontend handled by various interfaces.

So we kind of call the whole stuff wallet and I believe that here is the first issue to solve, as we have cleary two things here. Let's call the first authenticator as in 2FA solutions, the second being the actual wallet, because it's where you can see how much you have and ask for transaction that you have then to sign somehow.

So the proposal was about a standard independent authenticator. As such it would have a finite set of functions:
- Create, name, protect, access and destroy your seeds
- Identify yourself
- Sign a transaction

By no means it would show your account holdings or anything like that, because that would be the task of 3rd party services, right?

So practically it looks like we want to receive a description of the transaction to be signed, build it locally, sign it then either send it to the Stellar network to be validated, either send the signature back to the service that issued the transaction description for further management.

So, your question was about complex transaction and multi-signature and it looks like two different issues to me.

In Stellar vocabulary, what I called transaction is actually named operation (payment, setOptions, allowTrust on so on). What is formally called a transaction is a construction made of one or several operations.

Here the issue is to find how to translate such construction into a URI semantic. We already solved the one-operation case. Multiple operation could be written like this:

web+stellar:transaction?ops=2&op1=payment&destination1=vendor*example.org&amount1=100&op2=payment&destination2=3rd-party*example.org&amount2=15

This is a two-operation transaction. It consists of a payment of 100 XLM to vendor*example.org, and another payment of 15 XLM to 3rd-party*example.org.

Complex transaction URI would likely be encoded via 3rd party services relying on API library and described in human language in the authenticator interface before signing. We could imagine web service that allow everyone to program such transaction and issue the corresponding URI, or eventually a shorten URI that lead to the transaction description for the sake of simplicity.

Now the real issue is about multisig. As far as I can get it, the valid transaction to be send to Stellar network is made of two parts:
- The unsigned transaction object
- The set of signature (one or more) making it valid

So all the signatures have to be gathered somehow prior to assemble the final transaction object to be send to the network.

Now if I refer to the initial design idea, this is not to be done at authenticator level but at 3rd party service level. A link could be send to every signers so they locally build the transaction to be signed and send back the signature to this third party, who would eventually assemble the final transaction object and send it to the network.

Here I expect the function building transaction objects to always return the same answer when provided with the same input.

So let's say you have a shared account that require several people to sign transaction. Your wallet service would allow you to program a transaction and would either give you a link to send to co-contractors or either send them directly the signature request.

So here we got additional complexity in our URI scheme because we need to tell the authenticator where the signature have to be sent:

web+stellar:transaction?....&handled-by=service.org&id=xyz123

Alternative ways of sharing transaction description are possible, like text files with dedicated extension. While the URI option is essential, the description doesn't have to be shared this way in every case.

I feel a bit disappointed about how multisig is handled in Stellar because whatever way you put it it seems that you need a third party handling signature collection. This could be an issue in itself. Let's say you make an account as a voting system, where you need 51% if cosigner's to set a data entry that represents the approval of collective decision. Nothing prevent the node handling signature collection to omit some signature and take unlegitimate power over the voting process. Or simply never send the transaction. Wouldn't it be more reliable to have the option of each peer sending its signature directly to Stellar nodes where signature collection could be safely handled by the network?
Well that's a side question that came during my searches. Also maybe I didn't got it right and this is actually possible?

I'm aware we've got something more complex than it was initially, and I have to admit now this is a bit messy in my head.

If we dig more in actual implementation issues, there's also the source, sequence number and time bounds fields to deal with.

Still, I suppose it's possible to deal with it by keeping simple and understandable design concepts and clear goals ?

Please bring your ideas in ?

MisterTicot

By digging into the subject, I found about universal links, also called app links. Here's on article that talk about it:
https://blog.branch.io/ios-9.2-deep-linking-guide-transitioning-to-universal-links/

What they say is that default URL schemes like

stellar://...

Actually have the following drawbacks:
- They lead to errors if you don't have the proper program to handle them
- Any application can "decide" unilaterally to handle them.

While the later can be great if we decided to let the protocol open for any wallet to handle, this design would ultimately leads to further attacks as already shown.

Universal links, also called app links, are like any link:

https://sign.stellar.org/payment?etc...

The application supposed to handle the link would do; if you don't have it the link would open in your browser were you could download it or conduct the transaction by another mean. Moreover, the application to be used to open such links would be defined on the same website, protecting about malicious app hijacking.

Yet, I have no idea how this could be handled on PCs. Is there some way to use Firefox/chrome extension to open those URLs and offer to securely sign transactions? Some other way? Any idea?

Dzham: I found nothing about the syntax web+stellar: I would appreciate some pointings about it ?

dzham

MisterTicot Dzham: I found nothing about the syntax web+stellar: I would appreciate some pointings about it ?

https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler#Permitted_schemes

MisterTicot

Hi,

Just to let you know.

I'm still expecting some peer reviews on this proposal.

I started to work on a proof-of-concept as nobody took on this. That's my first JavaScript programming experience, though.

I'm considering the idea of proposing the project for Stellar 2018 March funding, so the dev work could be paid. I'll probably need an experienced webapp programmer at my side, preferably with prior experience in packing iOS applications and access to Apple's phones hardware.

If we go this way, I'd take responsibility of designing and serving the service until Stellar foundation eventually take on it. It'll be free and free software as anything aiming to become standard should be.

sacarlson

you might be interested in looking at https://galactictalk.org/d/12-formats-for-qr-codes-uris-nfcs/29. As I see it we have 3 options. 1: provide your private key to a trusted app or web app to perform operations, 2: have a untrusted app or web app create a transaction that it sends to a trusted service wallet app to sign linked with URL or QR-code. 3: have untrusted app or web app sign with hardware wallet like Nano S. ledger. 4: (opional) you can have the trusted service wallet at least have the option to also sign with a Nano S. ledger or other wallet. I'm not going to go into other more complex options of multi-sig that we can also do at least in store transactions and escrow operations that I don't think we need to include here.

MisterTicot

sacarlson

Hi sacarlsob ?
Thank you for the link.

I think that using nano S with untrusted service might not be a good idea. Ok, nano S secure your private key - but how do you know that you're actually signing the transaction you intended to make? What prevent untrusted service to send the money on another account for instance?

istrau2

MisterTicot the ledger tells you the transaction details before you sign.