attestation
Use NftAttestation hash signature as CSR
Based on https://github.com/TokenScript/attestation/issues/203; the last comments from @jot2re say the same.
For NFT attestation, the user currently signs:
- a simple text string as the CSR (Certificate Signing Request)
- the whole object IdAttestation+NFTpayload, adding the signature to the object
My suggestion is to separate IdAttestation and NFTpayload.
So:
- the user creates an NFTpayload object, hashes it, adds the hash to the text template and signs that string ("Sign to create your TwitterID attestation. nonce: 0x45a8b78... , timestamp: 3992770271")
- the user sends HASH+template+timestamp+users_string_signature+auth0_data to attestation.id (attestation.id creates the string and validates it against the signature)
- construct the object IdAttestation+payload+step1_string_signature and send it to the smart contract. In this case the IdAttestation is signed by the attestor and the payload is signed by the user. attestation.id doesn't know what payload we use, and the user needs to make a single signature only.
If the Attestation TTL is limited to 1 day, then it fixes multiple problems:
- CSR reuse
- IdAttestation reuse when twitterId sold
- avoid weird signature
- avoid double signing
If @JamesSmartCell can update VerificationContract to read an EIP712 signature, then we can use EIP712 instead of the text.
@colourful-land, does that make sense?
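
The three steps proposed above, as an added sketch that is not part of the original issue or the project's code: one user signature over the template string binds the payload hash, attestation.id validates it without seeing the payload, and the verifier re-hashes the payload. Assumptions: SHA-256 and Ed25519 stand in for Ethereum's keccak256/secp256k1, timestamps are in seconds, the payload is hashed as JSON, the attestor's own signature on the IdAttestation is left out, and every function name is hypothetical.

```javascript
const crypto = require('node:crypto');

const TTL_SECONDS = 24 * 60 * 60; // the 1-day TTL suggested in the issue
const TEMPLATE = 'Sign to create your TwitterID attestation.';

// Step 1 (user): hash the NFT payload; the hash becomes the nonce in the signed text.
function payloadHash(payload) {
  // Assumption: JSON.stringify is the payload encoding (a real system needs a canonical one).
  return '0x' + crypto.createHash('sha256').update(JSON.stringify(payload)).digest('hex');
}

function csrString(hash, timestamp) {
  return `${TEMPLATE} nonce: ${hash} , timestamp: ${timestamp}`;
}

function userSign(privateKey, hash, timestamp) {
  // Ed25519 (stand-in primitive) takes null as the digest algorithm.
  return crypto.sign(null, Buffer.from(csrString(hash, timestamp)), privateKey);
}

// Step 2 (attestation.id): rebuild the string from hash + timestamp and check
// freshness and signature. The payload itself is never sent here.
function attestorAccepts(publicKey, hash, timestamp, signature, now) {
  if (now < timestamp || now - timestamp > TTL_SECONDS) return false; // stale or future CSR
  return crypto.verify(null, Buffer.from(csrString(hash, timestamp)), publicKey, signature);
}

// Step 3 (verifier, the smart contract in the issue): the presented payload
// must hash to the nonce inside the string the user signed.
function verifierAccepts(publicKey, payload, timestamp, signature, now) {
  return attestorAccepts(publicKey, payloadHash(payload), timestamp, signature, now);
}

// Constructed sample data, not taken from the issue.
const sampleKeys = crypto.generateKeyPairSync('ed25519');
const samplePayload = { contract: '0xCONSTRUCTED', tokenId: '1' };
const signedAt = 1700000000;
const sampleSig = userSign(sampleKeys.privateKey, payloadHash(samplePayload), signedAt);

console.log('attestor, fresh CSR:',
  attestorAccepts(sampleKeys.publicKey, payloadHash(samplePayload), signedAt, sampleSig, signedAt + 60));
console.log('attestor, CSR replayed after TTL:',
  attestorAccepts(sampleKeys.publicKey, payloadHash(samplePayload), signedAt, sampleSig, signedAt + TTL_SECONDS + 1));
console.log('verifier, swapped payload:',
  verifierAccepts(sampleKeys.publicKey, { ...samplePayload, tokenId: '2' }, signedAt, sampleSig, signedAt + 60));
```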