Expose API to sign arbitrary data #405
Comments
|
This is already addressed in this PR. #391 |
|
re-opening just to track this functionality. It definitely is not addressed in #391 |
|
Trentin Bergeron commented: Solved by NEP → near/NEPs#413 |
|
nope, that proposal does not solve this issue. Even if that proposal did, this issue tracks the implementation within wallet-selector |
|
The current state of the NEP-413 doesn't tackle signing of arbitrary data. Current proposal is to sign application defined @austinabell maybe you can comment on NEP-413 and show your support for extending the method to be able to sign arbitrary data. I am also for having that option to sign application defined data, will post feedback soon on that PR. |
I likely won't. I haven't dug deep enough to share a helpful opinion, and my low-confidence stance on this is that this seems like an unhelpful standard, as the format of data to be signed to verify an account should probably be specific to the application. Doesn't feel like a "one size fits all" approach is helpful in the long-term as you'd need this standard and also a more general one to handle cases like this issue, and that feels redundant. Putting things like nonce and a domain string also seems like very specific use cases that do not generally apply, and for cases where more custom data is needed, applications would be forced to jam it into those fields, which feels janky. |
trechriron
added
Emerging Tech
|
Based on previous meetings/discussions with Daryl it was mentioned that this feature can be risky because users could sign real transactions instead of a simple message by signing arbitrary data. The |
Is your feature request related to a problem? Please describe.
Currently, to prove that you have the private key that matches a certain public key/account, you need to perform an operation on-chain. This is unfortunate because you should be able to sign arbitrary data to allow for dApps to prove you have a private key.
Take the use case of liking an image on an NFT marketplace. In the case of OpenSea, you just need to sign some data they provide to prove you own an account before tallying a like. In the case on NEAR, I've seen on Paras that it generates a function call access key just to prove the account, which is unnecessary and costs NEAR to perform the on-chain action.
This is a pretty trivial pattern that enables things like signing in to dApps off-chain, signing data that will be verified within a function call (maybe you wanted to ensure an action was signed by multiple parties without requiring all to pay the gas fee to sign a multi-sig and send the cross-contract call), or signing a transaction
Describe the solution you'd like
Describe alternatives you've considered
(not really another option I can think of)
Acceptance criteria
Additional context
Not needed for anything we are doing now, just pointing out for future benefit and enabling developers to build cool things
The text was updated successfully, but these errors were encountered: