Dear OpenLedger Team,
Thank you for the initiative! I read it and would like to comment on it. To your summary:
To minimize risk of both keys being stolen at the same time: Separate Active and Owner private keys, encourage their storage in different wallets (preferably on different devices).
This is a great idea. Already now in the BitShares UI one could create two local wallets with two different passwords defined on account creation.
To minimize the impact of Active private key theft: Severely limit permissions for Active private key, while allowing to more fine-grained permissions control with Owner private key.
There is work done currently to formulate a BSIP for this:
https://github.com/bitshares/bitshares-core/issues/1061#issuecomment-398017083, which introduces custom active permissions, which would allow creating a "Trading private key". In combination with your proposed account and markets whitelists it's a great defense. The active key behavior should not be altered imo.
To minimize the risk of transactions coming from unknown sources signed with your private key: Introduce new Device-Tagged transaction allowing users to identify and block transactions sent from an unauthorized device and implement multi-signature accounts, essentially moving to 2FA.
This sounds interesting. How do you ensure that an attacker does not mimic the device id that is stored on-chain?
To make keys and account management more secure and user-friendly: Create simple desktop and mobile applications that allow users to easily manage their accounts and private keys, create multi-signature accounts, sign transactions, enable auto-sign feature, and receive notifications for specific transactions.
This would be great, similar to Scatter I suppose? Is the idea the following: You are running said new program on the local computer and other applications like the BitShares UI can request to get transactions signed?
To Active vs Owner key:
- Daily transfer limits can be set for each asset. So that a hacker who steals the Active key is not able to drain the account immediately.
- Limit the markets where Active key can place orders. So that a hacker can't sell the assets he got illegal access to for their fake assets (Markets whitelist).
- Specify accounts the user can transfer to. So that a hacker is not able to move funds to their own account (Accounts whitelist).
I like those three. Transfer/Trade volume limit, markets and transfer whitelists. In combination with my above-mentioned trade authority only a market (and possibly volume) whitelist would be necessary. In the same way the current asset blacklisting functionality could be optimized. For example: The well-known binancecleos account could be blacklisted for OPEN.EOS, which *should* have the effect that no one can transfer OPEN.EOS to that account.
- Owner is able to suspend the account activity. This means that if a user suspects that Active key is compromised, they can suspend the account Active key and then any transaction signed with the compromised Active key will be blocked.
This is already possible simply by removing said active key.
In general: Will everything be available as open source and/or implemented directly in the BitShares UI?
Best regards,
Stefan
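As an added illustration that is not part of the reply above and not code from OpenLedger or BitShares, the following Python model shows how the restricted Active-key policy points discussed in the thread (per-asset daily transfer limit, markets whitelist, accounts whitelist, and the Owner suspending a compromised Active key by removing it) combine into a single transaction check. All account names, key identifiers, limits, timestamps and sample transactions are constructed assumptions for this example; a real chain would enforce such rules in consensus, not in a client-side class.

```python
"""Toy model of a restricted Active key: transactions signed with an Active key
are checked against a per-asset daily limit, a markets whitelist and a transfer
destination whitelist; the Owner can suspend the Active key by removing it.
This is a constructed example, not BitShares/OpenLedger code."""
from collections import defaultdict
from dataclasses import dataclass, field

SECONDS_PER_DAY = 86400


@dataclass
class AccountPolicy:
    active_keys: set            # keys currently authorized as "active"
    daily_limits: dict          # asset -> max amount transferable per calendar day
    market_whitelist: set       # allowed (sell_asset, receive_asset) pairs
    transfer_whitelist: set     # allowed destination accounts
    # running totals keyed by (asset, day index); a new day starts a fresh bucket
    spent: dict = field(default_factory=lambda: defaultdict(float))

    def suspend_active_key(self, key: str) -> None:
        """Owner-signed action: drop a compromised Active key from the account."""
        self.active_keys.discard(key)

    def check(self, tx: dict, now: int) -> tuple:
        """Return (allowed, reason) for a transaction signed by tx['signer']."""
        if tx["signer"] not in self.active_keys:
            return False, "signer is not an authorized active key"
        op = tx["op"]
        if op == "transfer":
            if tx["to"] not in self.transfer_whitelist:
                return False, "destination %s not whitelisted" % tx["to"]
            asset, amount = tx["asset"], tx["amount"]
            bucket = (asset, now // SECONDS_PER_DAY)
            limit = self.daily_limits.get(asset)
            if limit is not None and self.spent[bucket] + amount > limit:
                return False, "daily limit %s %s exceeded" % (limit, asset)
            self.spent[bucket] += amount   # only count transfers that go through
            return True, "ok"
        if op == "limit_order":
            pair = (tx["sell_asset"], tx["receive_asset"])
            if pair not in self.market_whitelist:
                return False, "market %s/%s not whitelisted" % pair
            return True, "ok"
        return False, "operation %s not permitted for active key" % op


def make_demo_policy() -> AccountPolicy:
    # Constructed account configuration (hypothetical names and limits).
    return AccountPolicy(
        active_keys={"ACTIVE-KEY-1"},
        daily_limits={"BTS": 1000.0},
        market_whitelist={("BTS", "OPEN.BTC")},
        transfer_whitelist={"my-cold-account", "my-exchange-deposit"},
    )


def run_demo() -> list:
    """Run constructed transactions through the policy; returns allow/deny flags."""
    policy = make_demo_policy()
    t0 = 1_700_000_000  # constructed timestamp
    txs = [
        {"signer": "ACTIVE-KEY-1", "op": "transfer", "to": "my-cold-account",
         "asset": "BTS", "amount": 600.0},                       # within limit
        {"signer": "ACTIVE-KEY-1", "op": "transfer", "to": "my-cold-account",
         "asset": "BTS", "amount": 600.0},                       # 1200 > 1000 today
        {"signer": "ACTIVE-KEY-1", "op": "transfer", "to": "attacker-account",
         "asset": "BTS", "amount": 1.0},                         # not whitelisted
        {"signer": "ACTIVE-KEY-1", "op": "limit_order",
         "sell_asset": "BTS", "receive_asset": "OPEN.BTC"},      # whitelisted market
        {"signer": "ACTIVE-KEY-1", "op": "limit_order",
         "sell_asset": "BTS", "receive_asset": "FAKE.COIN"},     # not whitelisted
    ]
    results = [policy.check(tx, t0)[0] for tx in txs]
    # Owner suspects theft and removes the Active key; the same transfer is now refused
    policy.suspend_active_key("ACTIVE-KEY-1")
    results.append(policy.check(txs[0], t0 + SECONDS_PER_DAY)[0])
    return results


if __name__ == "__main__":
    for i, allowed in enumerate(run_demo()):
        print("tx %d: %s" % (i, "allowed" if allowed else "blocked"))
```

The daily limit is bucketed by calendar day for simplicity, so a thief who obtains only the Active key can move at most one day's limit to a whitelisted destination before the Owner key removes it; the `suspend_active_key` step models exactly the "remove said active key" response mentioned in the reply.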