Public key for fresh accounts - this is a wrong decision.
Author Topic: Public key for fresh accounts - this is a wrong decision.  (Read 30120 times)

ChuckOne

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #120 on: August 28, 2014, 07:27:00 am »

Just like I thought. No decent answers from the core developers.


Here you get one from one of them:


I already posted a solution somewhere in those release threads: make it optional (maybe for one or two years and then compulsory).


There are two key issues here:

1) lack of communication - We talked about this internally. We will make it better next time.

2) lack of backward compatibility - Two sources: too short transition phase because of 1) and because of the fear to move too slowly


Well, the damage is done and we now need to address the OP issue. However, NOT in the 1.3 release as this is just an important technical overhaul of the NRS. It will stabilize the network, reduce computational effort and prepare the NRS for Smart Contracts. I beg you to stay patient on this matter. The sooner we get 1.3 up and running, the sooner we will have time to address the OP issue.
Logged

chanc3r

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #121 on: August 28, 2014, 07:27:49 am »

Just to capture some fundamental issues, very briefly:
There are two related issues here. The first is that there is a problem with the current passphrase security for new accounts. The second issue is that there is a perceived and perhaps real disregard for the end users - particularly anyone that needs to interface with Nxt, such as merchants and payment processors or exchanges - on the part of the core developers.

If the second problem is solved first, that is, if the core developers can appreciate the challenges to the end users of having to re-write their interfaces to accommodate unannounced changes, then they can put in place an explicit roll-out procedure so as to:
1. Announce proposed changes in advance so that all users have a chance to weigh in on the debate, and end-users have time to adapt
2. Be backwards compatible for a period of time for non-mission-critical changes
3. Combine hard-fork level changes into a single release in order to...
4. Have a minimum number of hard forks per year (4 at most, 2 at best)
5. (Anything that I've missed?)

Such a process for changing Nxt is not more work or an imposition on the core developers, but is actually a great benefit to them and everyone else, and here is why:
Iff this procedure is put in place, then even very ambitious changes to fundamental core technologies can be considered, debated, coded, and then deployed without breaking current applications. This would encourage everyone to weigh in on issues and possible changes, and people would be seeking the best, long-term solution to problems rather than seeking the most expedient and least painful, short-term solution. No change would be too ambitious as long as there is a clear procedure for change and rollout, and as long as the benefit to Nxt is great enough. (Specifically, and for the purposes of this thread, this would allow even significant changes to the passphrase/account creation algorithms, while appreciating that short-term pain-mitigation (for recently deployed changes) is required.)

(This is meant to be a start; if you find it helpful, please add/edit as necessary to preserve the fundamental points in this thread.)

Very good proposal, this is something we can build on!

IMHO the communication between the different "levels" (core, client, merchants, external tools etc.) of nxt development must be improved. We wouldn't have this discussion here if there were good communication channels between the devs.

+1 This addresses the points I think concern most people.

While technical solutions for the impacts of the current new-accounts feature are important, what is critical is we do better at keeping the ecosystem building around NXT functioning and able to smoothly transition between NXT releases.
Logged
NXT: 29996814460165 (NXT-JTA7-B2QR-8BFC-2V222)
@imrimr @NXTinspect

Eadeqa

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #122 on: August 28, 2014, 07:27:54 am »

IMHO optimal now would be
-  Roll back this change. Security issue with the short addresses is irrelevant at the moment.
Public key generation should be automatic when creating a new acc. You shouldn't be able to move on without generating public key in official NRS client.

Rollback isn't a good solution now.

Quote
Public key generation should be automatic when creating a new acc. You shouldn't be able to move on without generating public key in official NRS client.

This doesn't work. You can't put public key on the blockchain if you don't have Nxt in your account.


Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

ChuckOne

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #123 on: August 28, 2014, 07:29:37 am »

Not sure where you come from but here we use the "reference field" which is basically the same as messages for this purpose. People already know how to use that.

I don't know what you are talking about. The user buys something and is asked to make a payment to some address (let's say pay 1500 Nxt to NXT-GZYP-FMRT-FQ9K-3YQGS). What does that have to do with reference field?



Because you cry for the reference field ("Kundenreferenznummer" and "Verwendungszweck" in the picture). What to put in there can be generated as well.


Btw. it has nothing to do with the OP issue.
Logged

chanc3r

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #124 on: August 28, 2014, 07:34:25 am »

Public key generation should be automatic when creating a new acc. You shouldn't be able to move on without generating public key in official NRS client.

This doesn't work. You can't put public key on the blockchain if you don't have Nxt in your account.

If it was a zero fee TX you could, but I can see the problem with this because someone who wanted to harm NXT could just run a server creating accounts for free, filling up address space by broadcasting public keys.
Logged
NXT: 29996814460165 (NXT-JTA7-B2QR-8BFC-2V222)
@imrimr @NXTinspect

Eadeqa

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #125 on: August 28, 2014, 07:35:36 am »

Btw. it has nothing to do with the OP issue.

 I still don't know what you are talking about.

The OP is about merchant software which works by generating a unique address for each order. This can instead be done by attaching order number to the deposit address like I suggested a long time ago before block 123,000.

NXT-GZYP-FMRT-FQ9K-3YQGS\message=1256
NXT-GZYP-FMRT-FQ9K-3YQGS\message=7581

where 7581 and 1256 are order numbers.

This suggestion was totally ignored by JL even though it solves OP problem.



« Last Edit: August 28, 2014, 07:38:55 am by Eadeqa »
Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

coinomat

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #126 on: August 28, 2014, 07:38:45 am »

Please explain what's wrong with rollback. This is a mistake, and it's the easiest way to fix it.
And this probably will be good for NXT future, such changes should be discussed first before implementation.

As for this public key - I fully understood the issue just right now, tricky situation indeed. Seems to be a major architecture flaw. Transaction to 64 bit addresses seems to be the most solid solution.
IMHO optimal now would be
-  Roll back this change. Security issue with the short addresses is irrelevant at the moment.
Public key generation should be automatic when creating a new acc. You shouldn't be able to move on without generating public key in official NRS client.

Rollback isn't a good solution now.

Quote
Public key generation should be automatic when creating a new acc. You shouldn't be able to move on without generating public key in official NRS client.

This doesn't work. You can't put public key on the blockchain if you don't have Nxt in your account.
Logged
Time to go further

Eadeqa

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #127 on: August 28, 2014, 07:41:04 am »

Please explain what's wrong with rollback. This is a mistake, and it's the easiest way to fix it.
And this probably will be good for NXT future, such changes should be discussed first before implementation.

It was actually discussed but obviously most people don't read all the threads.

Rollback is going back to something that was bad (64 bit address) without addressing your problem that can be solved other ways.

Please explain why this won't solve your problem?

NXT-GZYP-FMRT-FQ9K-3YQGS\message=1256
NXT-GZYP-FMRT-FQ9K-3YQGS\message=7581

where 1256 and 7581 would be order numbers ..
Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

Squeaker

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #128 on: August 28, 2014, 08:02:46 am »

This doesn't work. You can't put public key on the blockchain if you don't have Nxt in your account.
but perhaps it could be propagated for a period of time as the equivalent of an unconfirmed transaction, that won't go in the block chain, and just expire away.

Something that you would manually do, so someone can send you NXT.

Take one of the NXT faucets, for example, and you have a fresh, unfunded NXT account. You give the faucet your address, and the faucet tells you your coin is pending, waiting for your key to be broadcast. You click the button in your NXT client to broadcast it, and when the faucet sees it in the never-will-confirm transaction (specifically for this purpose), it releases your coin, and sends it with the key you broadcast.

I'm sure there will be pros and cons to doing this, but may be worth discussing for a few messages...

=squeak=

edit: for vendor use tho, yes, I would agree with the additional optional parameter when sending coin... the equivalent of an invoice or order #... something the NXT client would just ignore, but that vendors could make use of for their own internal use... perhaps not even use "\message=" but put the reference # in parentheses or something else easily parsed...

maybe NXT-GZYP-FMRT-FQ9K-3YQGS=122173\message="Have delivery guy knock when he brings my pizza, doorbell broken"
which would correspond to invoice/purchase-order/etc #122173, and having the \message, still be strictly a message that could be anything.

this should have probably been done for bitcoin(et al) as well, instead of having to keep monitoring (tens of) thousands of separate addresses all the time like exchanges have to do.

in addition, perhaps when someone creates an address, to specify if it is a personal or vendor account... so when someone tries to send coin to a vendor account, and doesn't include "=122173" (as in the above particular example), their client will reject it, throwing a popup up saying transactions to that address MUST include a reference # in order to send it... to hopefully avoid having the payment being ignored, when the vendor can't tell what the payment was intended for.

=s=
« Last Edit: August 28, 2014, 08:18:50 am by Squeaker »
Logged
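Added example (not part of any post, and not Nxt code): a merchant-side sketch of the order-number-in-message idea discussed above, including the case raised later in the thread where the payer leaves the reference out. The function names, the transaction dict shape and the sample data are assumptions made for this illustration; the address pattern checks layout only, not the checksum.

```python
import re

# Shape of the payment string proposed in the thread: ADDRESS\message=ORDER.
# Only the layout is checked here, not the address checksum.
REQUEST_RE = re.compile(
    r"(NXT(?:-[A-Z0-9]{4}){3}-[A-Z0-9]{5})\\message=([0-9]{1,10})")
REFERENCE_RE = re.compile(r"[0-9]{1,10}")   # ASCII digits only, bounded length


def parse_request(text):
    """Split 'NXT-...\\message=1256' into (address, order_number)."""
    m = REQUEST_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("not a valid payment request: %r" % text)
    return m.group(1), int(m.group(2))


def reconcile(orders, transactions, deposit_address):
    """Match incoming payments to open orders by the reference in the message.

    orders: {order_number: amount_due}
    transactions: dicts with id, recipient, amount, message (a constructed
    shape for this example, not the NRS JSON layout).
    Returns (paid, review): paid maps order -> transaction id, review lists
    (transaction id, reason) pairs that need a human decision.
    """
    paid, review, seen = {}, [], set()
    for tx in transactions:
        if tx["recipient"] != deposit_address:
            continue
        if tx["id"] in seen:                 # same transaction reported twice
            continue
        seen.add(tx["id"])
        message = str(tx.get("message") or "").strip()
        if REFERENCE_RE.fullmatch(message) is None:
            review.append((tx["id"], "missing or malformed reference"))
            continue
        order = int(message)
        if order not in orders:
            review.append((tx["id"], "unknown order"))
        elif order in paid:
            review.append((tx["id"], "order already paid"))
        elif tx["amount"] < orders[order]:
            review.append((tx["id"], "underpaid"))
        else:
            paid[order] = tx["id"]
    return paid, review


# Constructed sample data.
DEPOSIT = "NXT-GZYP-FMRT-FQ9K-3YQGS"
ORDERS = {1256: 1500, 7581: 200}
SAMPLE_TXS = [
    {"id": "t1", "recipient": DEPOSIT, "amount": 1500, "message": "1256"},
    {"id": "t2", "recipient": DEPOSIT, "amount": 200, "message": ""},
    {"id": "t3", "recipient": DEPOSIT, "amount": 150, "message": "7581"},
    {"id": "t4", "recipient": DEPOSIT, "amount": 1500, "message": "1256 asap"},
    {"id": "t5", "recipient": DEPOSIT, "amount": 1500, "message": "1256"},
]
```

Payments that land in `review` are kept for manual handling rather than silently credited or ignored, since the message field is free text supplied by the payer.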

coinomat

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #129 on: August 28, 2014, 08:13:53 am »

Yes, it could. Also why not use the message field in NXT transaction?
Merchant interface should work, that's the most important. Now it does not.
Please explain what's wrong with rollback. This is a mistake, and it's the easiest way to fix it.
And this probably will be good for NXT future, such changes should be discussed first before implementation.

It was actually discussed but obviously most people don't read all the threads.

Rollback is going back to something that was bad (64 bit address) without addressing your problem that can be solved other ways.

Please explain why this won't solve your problem?

NXT-GZYP-FMRT-FQ9K-3YQGS\message=1256
NXT-GZYP-FMRT-FQ9K-3YQGS\message=7581

where 1256 and 7581 would be order numbers ..
Logged
Time to go further

Eadeqa

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #130 on: August 28, 2014, 08:29:51 am »

This doesn't work. You can't put public key on the blockchain if you don't have Nxt in your account.
but perhaps it could be propagated for a period of time as the equivalent of an unconfirmed transaction, that won't go in the block chain, and just expire away.

Not a bad suggestion, but isn't there still a risk of spam/DOS attack?

Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

Eadeqa

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #131 on: August 28, 2014, 08:31:43 am »

Yes, it could. Also why not use the message field in NXT transaction?

See https://nxtforum.org/nrs-releases/nrs-v1-2-5-4412/msg81193/#msg81193

I suggested this a long time ago to address exactly this merchant problem, but nothing was done.
Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

coinomat

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #132 on: August 28, 2014, 08:38:29 am »

Looking for a fast fix, is there a way to get public key of a new account through API?
Logged
Time to go further

Squeaker

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #133 on: August 28, 2014, 08:44:48 am »

This doesn't work. You can't put public key on the blockchain if you don't have Nxt in your account.
but perhaps it could be propagated for a period of time as the equivalent of an unconfirmed transaction, that won't go in the block chain, and just expire away.
Not a bad suggestion, but isn't there still a risk of spam/DOS attack?
It could be... I'll leave it to those familiar with the code and protocols to evaluate that risk, and how effective it could be.

Since it would be extremely unusual for that kind of a broadcast informational transaction to ever need to be sent more than once within a small amount of time (say, 1 minute) from a given IP address, peers could just drop new ones, and don't relay them to their other peers, if they already have one unexpired in their unconfirmed transactions list.

=squeak=
Logged
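Added example (not part of any post, and not Nxt code): one way a peer could apply the drop rule proposed above to expiring public-key announcements. The class name, the return strings and the global pool cap are assumptions of this sketch; the cap is added because a per-IP limit alone does not bound how much a peer stores.

```python
import re
from collections import OrderedDict

KEY_RE = re.compile(r"[0-9a-f]{64}")    # 32-byte public key as hex


class AnnouncementPool:
    """Unconfirmed, never-confirming key announcements held by one peer."""

    def __init__(self, ttl=60, max_pool=10_000):
        self.ttl = ttl                  # the post's "say, 1 minute"
        self.max_pool = max_pool        # assumed cap; bounds memory overall
        self.by_ip = OrderedDict()      # ip -> (expires_at, key), oldest first
        self.keys = set()

    def _expire(self, now):
        # Equal TTLs plus insertion order mean the oldest entry expires first.
        while self.by_ip:
            ip, (expires_at, key) = next(iter(self.by_ip.items()))
            if expires_at > now:
                break
            del self.by_ip[ip]
            self.keys.discard(key)

    def offer(self, ip, public_key_hex, now):
        """Return 'relay' if the announcement is stored and forwarded,
        otherwise 'drop:<reason>'. `now` is seconds from a monotonic clock."""
        self._expire(now)
        key = public_key_hex.lower()
        if KEY_RE.fullmatch(key) is None:
            return "drop:malformed"
        if key in self.keys:
            return "drop:duplicate-key"
        if ip in self.by_ip:
            return "drop:ip-rate-limit"
        if len(self.by_ip) >= self.max_pool:
            return "drop:pool-full"
        self.by_ip[ip] = (now + self.ttl, key)
        self.keys.add(key)
        return "relay"


def replay(events, ttl=60, max_pool=10_000):
    """Feed (now, ip, key) events through a fresh pool; return the decisions."""
    pool = AnnouncementPool(ttl, max_pool)
    return [pool.offer(ip, key, now) for now, ip, key in events]


# Constructed sample: documentation-range IPs and made-up keys.
K1, K2, K3 = "11" * 32, "22" * 32, "33" * 32
SAMPLE_EVENTS = [
    (0, "192.0.2.1", K1),    # first announcement from this peer
    (30, "192.0.2.1", K2),   # same IP again inside the window
    (30, "192.0.2.2", K1),   # same key relayed by another IP
    (30, "192.0.2.2", K2),
    (40, "192.0.2.3", K3),   # pool (capped at 2 in the test) is full
    (60, "192.0.2.3", K3),   # first entry has expired, room again
    (91, "192.0.2.1", K1),   # original IP and key accepted after expiry
]
```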

wesley

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #134 on: August 28, 2014, 08:47:02 am »

Looking for a fast fix, is there a way to get public key of a new account through API?

No, that's why it needs to be announced. You need to ask your customers for their account ID and public key if it doesn't yet have one.
Logged

Eadeqa

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #135 on: August 28, 2014, 08:47:29 am »

Looking for a fast fix, is there a way to get public key of a new account through API?

Instead of generating a new account that requires public key, can you just ask users to enter order number as message manually? I know this isn't a good solution as users will forget to enter the order number, but still this is an option.
Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

Eadeqa

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #136 on: August 28, 2014, 08:48:29 am »

Looking for a fast fix, is there a way to get public key of a new account through API?

No, that's why it needs to be announced. You need to ask your customers for their account ID and public key if it doesn't yet have one.

I think he is asking for public key for new account that he is generating for each order/user?
Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

LiQio

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #137 on: August 28, 2014, 08:49:37 am »

Looking for a fast fix, is there a way to get public key of a new account through API?

A new account that was created by another user - NO.
A new account you created - YES, use getAccountId and specify the passphrase used.

wesley

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #138 on: August 28, 2014, 08:50:26 am »

Looking for a fast fix, is there a way to get public key of a new account through API?

No, that's why it needs to be announced. You need to ask your customers for their account ID and public key if it doesn't yet have one.

I think he is asking for public key for new account that he is generating for each order/user?

getAccountId API call with secretPhrase as parameter, POSTed, will return JSON with publicKey, accountRS and account.
Logged

coinomat

Re: Public key for fresh accounts - this is a wrong decision.
« Reply #139 on: August 28, 2014, 08:50:56 am »

Yes sure.
We pregenerate 1000 accs and fund each one with 1 NXT.
To do this we need to know public keys.
Looking for a fast fix, is there a way to get public key of a new account through API?

No, that's why it needs to be announced. You need to ask your customers for their account ID and public key if it doesn't yet have one.

I think he is asking for public key for new account that he is generating for each order?
Logged
Time to go further