How did utopian.io acquire your posting permission? --- The underlying mechanism of steemconnect

in #utopian-io, 6 years ago (edited)

Before you read the following, I hope you have a basic knowledge of public-key cryptography and Steem's authorization system; at the least, you should know the differences between the four keys: master (owner), posting, active, and memo. While writing this, I came to appreciate Steem's design more: it splits permissions carefully and makes multi-signature easy to achieve.

Before looking at how utopian.io acquires our posting permission, let's see how this works on steemit.com.

How do you log in to steemit.com?

You may answer without hesitation: type my username and password, then log in. Now let me ask you two questions:

  1. What is the password you use to log in? Is it the master key? Or the posting key?
  2. Does steemit.com store your password or your four mysterious keys?

I bet most of you can't answer :P, so let me tell you.

The password is the seed string that was generated when you registered your account; the four keys are calculated deterministically from your account name and the seed. The calculation happens only in your web browser; neither your seed nor the resulting four keys are uploaded.

We trust steemit.com not to upload our private keys because it is the authoritative application for Steem and its source code is open for anyone to review. On the other hand, we can easily monitor all communication between the browser and steemit.com.
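The local derivation described above can be sketched as follows. This is an added example, not code from steemit.com or from the original post; it assumes the scheme used by Steem's JavaScript client library (SHA-256 over account name + role + password, then WIF encoding), and the account name and password are constructed.

```javascript
const crypto = require('crypto');

const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Base58 (Bitcoin alphabet) encoding of a non-empty byte buffer.
function base58(buf) {
  let n = BigInt('0x' + buf.toString('hex'));
  let out = '';
  while (n > 0n) {
    out = B58[Number(n % 58n)] + out;
    n /= 58n;
  }
  // Each leading zero byte is encoded as a leading '1'.
  for (const b of buf) {
    if (b !== 0) break;
    out = '1' + out;
  }
  return out;
}

// Assumed scheme: secret = SHA-256(account + role + password), WIF-encoded as
// 0x80 || secret || first 4 bytes of SHA-256(SHA-256(0x80 || secret)).
function deriveWif(account, password, role) {
  const seed = (account + role + password).trim().split(/\s+/).join(' ');
  const payload = Buffer.concat([Buffer.from([0x80]), sha256(Buffer.from(seed, 'utf8'))]);
  const checksum = sha256(sha256(payload)).subarray(0, 4);
  return base58(Buffer.concat([payload, checksum]));
}

// All four role keys come from the same two inputs, so nothing but the
// account name and the password has to be remembered, and nothing is uploaded.
function deriveAllKeys(account, password) {
  const keys = {};
  for (const role of ['owner', 'active', 'posting', 'memo']) {
    keys[role] = deriveWif(account, password, role);
  }
  return keys;
}

// Constructed sample input, not a real account or password.
console.log(deriveAllKeys('alice', 'P5constructed-sample-password'));
```

Because every key follows from the password, handing the password to any application is equivalent to handing over all four private keys.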

How articles are posted using steemit.com

First, let me explain the four mysterious keys in more depth. The four keys are actually four key pairs, each containing a public and a private key. For posting, the posting key pair is used.

Suppose @cifer (yes, that's me) wants to post on steemit.com. steemit.com holds all four key pairs (locally, as said before), so when @cifer finishes writing and hits the Post button, steemit.com creates a new comment-type transaction in @cifer's name, signs it with @cifer's private posting key, and broadcasts it to all witnesses.

The witnesses then look up @cifer's account metadata, fetch the public posting key, and use it to verify that the transaction was indeed issued by @cifer.

How do you log in to utopian.io?

Well, actually you are not logging in to utopian.io but to steemconnect.com. With your authorization, steemconnect.com issues a token to utopian.io, and after that you can post using utopian.io. Or, to put it exactly: utopian.io can post using your name!

So what is steemconnect.com? Why do I need to use it to log in to utopian.io?

The short answer: because utopian.io is a good, brilliant, outstanding service! utopian.io could certainly ask for your private posting key, or even your seed, to log in, but it doesn't. By using steemconnect.com, utopian.io does not ask for any of your private keys at all.

What is steemconnect.com? Why use it?

Now that you know the process of posting on steemit.com, let's talk about how to post using third-party apps such as utopian.io, busy.org, etc.

As said before, we could certainly use the seed to log in to these apps, but that would expose you completely. Some apps require only one or two of your four keys, yet exposing even those is still not a good idea. utopian.io and busy.org aside (we know they are both trustworthy apps), what if in the future we exposed our keys to every new app that appears? No, that's bad.

So this is where steemconnect.com comes in: it lets us use third-party apps without exposing any keys to them. How does this work?

Btw, this sounds like an ad for steemconnect.com, but honestly it is not; I just want to show you how safe it is to use utopian.io.

When you click login on utopian.io, you are taken to a page like this one; notice that the URL is v2.steemconnect.com.

[Screenshot: 2017-11-12 19.23.14.png]

Then, after you click Continue, you authorize steemconnect.com to write some data to your account metadata. What data was written? You can find out on steemd.com: among the most recent changes, you will find a record like this:

[Screenshot: 2017-11-12 19.27.21.png]

Yeah, have you noticed the account_auths field? Thanks to Steem's sophisticated design, I now have @utopian.app embedded in my account metadata.

This way, utopian.io can post articles in my name but sign them with its own private posting key. When witnesses receive such a transaction, they again look up @cifer's account metadata to find the public posting key. Note that this time the witnesses will find utopian.app's key, use it to verify the transaction, and pack the transaction into a new block.

By now, I have successfully posted using utopian.io without exposing any of my keys!
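The witness-side check described above, as an added example that is not part of the original post or of Steem's own code: a simplified model in which signature verification is reduced to a set of signer public keys. The key strings, `MAX_DEPTH` and the helper names are assumptions made for illustration.

```javascript
// Simplified model of a posting authority with an account_auths entry.
// Keys are constructed placeholders, not real public keys.
const accounts = {
  cifer: { posting: {
    weight_threshold: 1,
    account_auths: [['utopian.app', 1]],
    key_auths: [['STM_CIFER_POSTING_PUB', 1]],
  } },
  'utopian.app': { posting: {
    weight_threshold: 1,
    account_auths: [],
    key_auths: [['STM_UTOPIAN_POSTING_PUB', 1]],
  } },
};

const MAX_DEPTH = 2; // assumed limit on how deep nested account_auths are followed

// True when the signer keys reach the authority's weight_threshold,
// counting both direct keys and delegated accounts.
function satisfied(authority, signerKeys, db, depth = 0) {
  let weight = 0;
  for (const [key, w] of authority.key_auths) {
    if (signerKeys.has(key)) weight += w;
  }
  if (depth < MAX_DEPTH) {
    for (const [name, w] of authority.account_auths) {
      const delegate = db[name];
      if (delegate && satisfied(delegate.posting, signerKeys, db, depth + 1)) weight += w;
    }
  }
  return weight >= authority.weight_threshold;
}

// Would a transaction signed with signerKeys be accepted as a post by `author`?
function canPostAs(author, signerKeys, db = accounts) {
  return satisfied(db[author].posting, new Set(signerKeys), db);
}

// Copy of the account data with one app dropped from the author's
// account_auths, i.e. the state after the grant has been revoked.
function revoke(author, app, db = accounts) {
  const copy = JSON.parse(JSON.stringify(db));
  const posting = copy[author].posting;
  posting.account_auths = posting.account_auths.filter(([name]) => name !== app);
  return copy;
}

console.log(canPostAs('cifer', ['STM_UTOPIAN_POSTING_PUB'])); // true
console.log(canPostAs('cifer', ['STM_UTOPIAN_POSTING_PUB'], revoke('cifer', 'utopian.app'))); // false
```

The grant lives in the account's own metadata, so listing `account_auths` shows every app that can currently post in your name, and removing an entry ends that app's access without changing any of your keys.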

In the future, third-party services built on Steem will tend to use this steemconnect-like mechanism; if one does not, you should think carefully about whether to use it.

The end..

Enjoy yourself using utopian.io!



Open Source Contribution posted via Utopian.io


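Thanks. I don't know whether steemconnect can be trusted.
Also, can't utopian just take my post key?

steemconnect also needs all of us to keep an eye on it, but if third-party apps all connect through steemconnect, in the future we will only need to keep an eye on steemconnect. utopian could take only the post key, but exposing our own things is never safe. The steemconnect approach is the right one; no matter who builds it, and whether or not it is still called steemconnect, it will be the trend.

A lifelong regret: I don't understand English. A thumbs-up for knowing several languages!

I'll translate it into Chinese later ^_^|| . My English is pretty poor too; I'm not good at writing.

Thanks, very clearly written. Do you know how to revoke this authorization? That is, how do I remove busy.org/utopian.app from that posting key list?

Same question. Because steemd shows 50% posting, I'm rather worried that utopian gets a share of every post.

Don't worry about that, it won't result in any share being taken.

I originally wanted to write about revocation, but right now revoking it yourself is quite a hassle. steemconnect has an obligation to provide a friendly interface for us to revoke authorization; let's give them some time~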

Your contribution can't be approved. This is not official documentation you are working on. See the Utopian rules.

You can contact us on Discord.
[utopian-moderator]
