Ignorant (But Hopefully Not Stupid) Developer Question -- Or, Maybe, It's a Suggestion

in #steemit, 8 years ago (edited)

So . . . . I've been working my way towards developing some useful tools for Steem.  I'm up to speed on Piston, have written a few small research and up-voting apps and, now, I'm very interested in pursuing Ned's idea for a Steem Bounty System (https://steemit.com/bounties/@ned/it-s-time-for-a-steem-bounty-system).  EXCEPT, I'm stymied by a major security question . . . . "How do users know who they can trust with their keys?"

Personally, as a developer, I don't *ever* want to touch or be anywhere near a user's keys (particularly the Active key which is necessary to move money).  I don't want the fiduciary responsibility . . . .  Similarly, as a user, I don't want to give my keys to anyone except the owners of the Steem blockchain (i.e. Steemit).

I've always assumed that the best way to handle this would be something like the way in which PayPal works (i.e. the calling website gives all the information to PayPal, who then handles the password, etc. and then returns the results to the calling website).  Unfortunately, I'm finding nothing of the sort for Steem . . . . 

So what is the best practice for this issue?  Is there something available that I'm not aware of?  Is there something in the works that I'm not aware of?  

Websites *aren't* supposed to be collecting & using keys, are we?  

Help?  

Other posts from the family today:
Daughter-in-law's first post & IntroduceYourself
    Let's Get This Party Started
Digital Wisdom's Robin Hood Whale-featured IntroduceYourself
    Yes, Virginia, We *DO* Have a Deep Understanding of Morality and Ethics
Son's latest entry in his continuing herpetology series
    Do Lizards Dream of Ectothermic Sheep?

Interesting idea, though I personally don't like dilution.

dilution? I'm afraid I don't understand . . . .

A wallet either needs to have access to your keys or interface with something that does. You can limit this responsibility by asking for only specific keys: A software package that only posts can use the posting key instead and not the active or brain key. A signing app might only ask for the memo key. In these cases you are trusting software with one of your private keys.

There are bitcoin hardware wallets like Ledger. If you can delegate signing to a hardware wallet, you prevent a lot of problems.

Exactly! So what is the preferred "something that does [have access]" for Steemit? I want to collect money for bounties but don't want to be responsible for having had access to the user's active key. Is there a PayPal-like widget that I can interface with?

There is nothing adapted to Steem. Arguably you could write a client that examines transactions and asks the user whether they should be signed or not, as, say, a Chrome extension. It must be smart enough to interpret the transactions to be usable.

Other services would need to be written or adapted to use said extension. In Counterparty there is Tokenly Pockets.
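
An added illustration of the two comments above (limiting an app to one key, and a client that interprets transactions before signing); it is not code from Steem, Piston or anyone in this thread. The account names, the sample transaction and the small operation-to-role table are constructed, and ranking roles as posting < active < owner is a simplifying assumption of the example.

```python
# Pre-signing gate (added example). Operation names and fields follow Steem's
# JSON transaction layout; the role table is a small subset, and anything not
# in it is refused rather than guessed at.
ROLE_RANK = {"posting": 0, "active": 1, "owner": 2}  # assumed ordering

# Least-privileged role that can authorize each operation (subset).
OP_ROLE = {
    "vote": "posting",
    "comment": "posting",
    "transfer": "active",
    "transfer_to_vesting": "active",
}


def describe(op_name, body):
    """Render one operation as the line a user would be asked to confirm."""
    if op_name == "transfer":
        return f"SEND {body['amount']} from @{body['from']} to @{body['to']}"
    if op_name == "vote":
        return f"VOTE {body['weight'] / 100:.0f}% on @{body['author']}/{body['permlink']}"
    return f"{op_name.upper()} {sorted(body)}"


def review(tx, granted_role):
    """Return (allowed, prompts, reasons) for a transaction before signing.

    granted_role is the role of the only key the user gave this app. The
    transaction is refused if any operation is unknown or needs more
    authority than that role.
    """
    prompts, reasons = [], []
    for op_name, body in tx["operations"]:
        needed = OP_ROLE.get(op_name)
        if needed is None:
            reasons.append(f"{op_name}: unknown operation, refusing to sign")
            continue
        prompts.append(f"[{needed}] {describe(op_name, body)}")
        if ROLE_RANK[needed] > ROLE_RANK[granted_role]:
            reasons.append(f"{op_name}: needs {needed} key, app holds {granted_role}")
    return (not reasons, prompts, reasons)


# Constructed sample: an app holding only a posting key is handed a
# transaction that also moves funds.
SAMPLE_TX = {"operations": [
    ["vote", {"voter": "alice", "author": "bob", "permlink": "bounty-1", "weight": 10000}],
    ["transfer", {"from": "alice", "to": "bounty-escrow", "amount": "5.000 STEEM", "memo": "bounty-1"}],
]}

if __name__ == "__main__":
    print(*review(SAMPLE_TX, "posting"), sep="\n")
```

The prompts list is what the user would be shown; the reasons list is why the gate declines to sign with the key it was given.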

There is a project from @kaptainkrayola called SteemConnect that acts like an SSO point and third-party apps can do OAuth on it. I think...

Well the idea is that users use their public key elsewhere but the active for Steemit only...

I'm with ya, I don't want to use my private keys anywhere I don't have to. Everyone needs to be very vigilant where they enter that sensitive information.

Solutions are being developed right now, but in the meantime, it's going to be best to build things in a way that doesn't require authentication with a user's account.

Turn key ownership into a token. Let the owner distribute tokens to their peers according to how much they trust them. Then the peers spend these tokens which are non-transferable to recover an account.

Of course figuring out who to send these tokens to isn't easy. Who can you trust? Maybe a company?
