I'm trying here to wrap up my thought about the issues discussed here:
Although I'm quite affirmative in this paper, I invite you to read it as a work in progress and a proposal. You're very welcome to contribute and critic on our board:
Basically, there's two different ideas:
- We need a standard protocol to allow stellar payement through an URI scheme similar to mailto:email@example.com
- We need a secure way to sign transactions instead of relying on multiple web interfaces and applications for security reasons.
I actually did bring the second point, and while reading the first post I found both things go together very well.
Default link protocol
Torkus showed that we don't even need to define a new standard: what we need to do is simply translating a Stellar transaction definition in a URI semantic:
So here's how you would ask for payment on your website:
Torkus showed that this simple solution allowed us to handle any kind of Stellar transaction, so you could invite for inflation votes, for instance :
I really enjoy this kind of simple and elegant solution. Now, I wonder how this could be made real.
Standard transaction signing
The issue revolve around the fact that you should never give your seed. Putting it in a webpage - even if promised that it won't be actually sent - is a weak design as getting accustomed to this will undoubtedly open the possibility of very profitable cracks or simply reward dishonest wallet provider for cheating their customers.
We can't fully rely on hardware wallet aswell as this is costly Stellar aim to bring inclusion to the unbanked.
All this lead me to a simple idea: we need a standard little piece of software that allow us to sign transaction and to keep the seed safe. Because it would be its only purpose, the actual code could be light and as such easily reviewable. Because it would be standard, a growing number of competent service would rely on it and as such will eventually review it. Such program could ideally be developed by Stellar foundation, or maybe someone trusty central to the project.
I actually got a Ledger nano S, and to use it on my phone I had to download a little piece of software that make the USB bridge functional. Then I can go on myetherwallet and sign transactions and so on.
I would imagine this new program I'm talking about as a software equivalent of this process. As phones are the most widespread computers in the world, I would assume it would be a platform of choice to handle such software. I assume google/apple cloud sync are safe enough to backup the seed encrypted and allow users to simply sign with a pin code the same way I do with exchange applications for instance. Keypoints here is protect the seed over phone loss and pin signing. A kind of Authy for Stellar network. This would simplify further the process by keeping it secure enough, which's critical for mass adoption.
As for insecure-by-design platforms such as Windows, maybe it should somehow be configured to transmit the transaction to be signed to your own cellphone.
Combining the two ideas
Now that we have our default URI scheme and our standard signing program, let's see why it goes so well along.
Any website could now propose various transaction or paiement without puting users security at risk; without even having to think about it: what a comfort! Confidence is the keyword here, a major issue to get solved isn't it?
Imagine an ICO selling token this way:
Note that this refer to the transaction the user will actually emit.
All you need is a form were user input the amount and that return the proper URI for the transaction :)
A very explicit window would write in big letters and in human language the actual transaction to be made, and would ask for your pincode to confirm.
But there's more :)
Nowadays, a lot of energy and part of Stellar funding go to the creation of multiple wallet application and exchange service that all need to implement their own way to sign transaction.
Now, we've discussed how this is actually flawed design at a safety level.
The beauty of this fix is not only we can bring back safety and confidence: it changes the very idea behind wallet and service provider as they would truely become what they should be: front-ends for the low-level secure-by-design Stellar protocol
As programmers will be freed of the assle to implement secure transaction scheme, they would actually get more time to implement what will actually make their service shine.
For instance, exchange platform job would be to get and organize market data's in the best possible graphical way, and to generate for us the adequate stellar transaction link when we want to place an order. Doesn't it feel fresh and elegant?
What I'm pointing here is that this solution wouldn't actually cripple service expansion, on the contrary it would fuel them by making their job easier and their production secured by design.
As for the user, it would allow direct authentification on any such service using the signing program directly. No more need to create multiple account to discover this and that, or to screw around with mails and stuff. You just get your entry card to every service at once, putting aside customer retention and allowing the competition/cooperation game to perform its best.
Last but not least, as all those service would rely on the signing program, they would have both an incentive and enough skill to review its code. Our safety will be secured by the very same social mechanism that secure the blockchain itself: giving incentive to each node to make it work the best.