RE: SteemWorld ~ Weekly Support ~ #17

in #steemworld • 6 years ago

Hey @steemchiller, would it be an option for you to integrate account creation via public owner/active/posting/memo keys instead of the master password? In the context of creating new Steem accounts for others, it could be very helpful if the creator would not know any of the private keys or the master password of the new account. This could help to onboard users without them having to trust the account creator and avoids any potential claims against the creator.

I don't think that it is possible to create an account without defining the private keys in the creation process. The owner of the new account should change the password after it has been created. On Steemit via https://steemit.com/@crokkon/password or with the coming 'Change Password' tool on SteemWorld (available soon).

I already thought about adding a more comfortable solution for creating accounts in just one step by creating it via the account @steemworld.org with temporary keys, but that will come later (in a few weeks/months).

The create_account blockchain operation only takes the owner, active, posting and memo public keys. The calculation of those from the master password has to be somewhere inside steemworld. It is not necessary for the account creator to know the corresponding private keys. It is correct that these keys can be changed by changing the master password, however the account creator can still recover the created account within the first 30 days if he/she knows the initial keys/master password.

Edit: a possible workflow could be that the new user uses the steemworld Key Generator tool to generate a set of keys, stores the master password and the private keys safely, and forwards the corresponding public keys to the account creator. Given support for that, the account creator could then create the new account with these public keys. This way, the account creator doesn't know any of the private keys at any point in time and the new user doesn't have to trust the creator (or fear a take-back with recovery).

Thanks, now I know what you mean! Of course, the API call just requires the public keys. The client would just need to send the account name + public keys (+ fee maybe) to the creator... Would be way easier than the solution I roughly planned before. I like the idea, will think about it ;)
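
The creator's side of the workflow discussed in this thread, as an added Python sketch (not SteemWorld's code and not written by either commenter): it accepts only an account name plus four public keys, refuses anything that decodes as a WIF private key or carries extra fields such as a password, and builds the operation Steem names `account_create`. The helper names, the account names, the fee value and the sample keys are assumptions constructed for illustration, and the public-key checksum is not verified because RIPEMD-160 is not available in every `hashlib` build.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ROLES = ("owner", "active", "posting", "memo")

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    pad = len(s) - len(s.lstrip("1"))  # leading '1's encode zero bytes
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def looks_like_wif(s):  # base58check private key, version byte 0x80
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return len(raw) == 37 and raw[0] == 0x80 and digest[:4] == raw[-4:]

def check_public_key(s):
    if looks_like_wif(s):
        raise ValueError("private key received: reject and have the user rotate")
    raw = b58decode(s[3:]) if s.startswith("STM") else b""
    # 33-byte compressed point + 4-byte checksum (checksum not verified here)
    if len(raw) != 37 or raw[0] not in (2, 3):
        raise ValueError("not a well-formed STM public key")
    return s

def build_account_create(creator, fee, request):
    extra = set(request) - {"name", *ROLES}
    if extra:  # e.g. a stray "password" field must never be accepted
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    keys = {r: check_public_key(request[r]) for r in ROLES}
    auth = lambda k: {"weight_threshold": 1, "account_auths": [], "key_auths": [[k, 1]]}
    return ["account_create", {
        "fee": fee, "creator": creator, "new_account_name": request["name"],
        "owner": auth(keys["owner"]), "active": auth(keys["active"]),
        "posting": auth(keys["posting"]), "memo_key": keys["memo"], "json_metadata": ""}]

# Constructed sample request: placeholder points and checksums, not real keys.
SAMPLE = {"name": "newuser", **{r: "STM" + b58encode(bytes([2]) + bytes([i + 1]) * 32 + bytes(4))
                                 for i, r in enumerate(ROLES)}}
OP = build_account_create("creator-account", "3.000 STEEM", SAMPLE)
```

The resulting operation still has to be signed with the creator's own active key and broadcast; nothing in it depends on the new account's private keys or master password.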
