
Add ability to remove authorised principals

Open ocluf opened this issue 4 years ago • 3 comments

There is an authorize(other: Principal) function to add other principals but no deauthorize(principal: Principal) function which removes authorized principals. We would love to be able to have this functionality in the certified asset canister because we are building a DAO product where somebody could put their asset canister under control of the DAO.

One potential problem with this is that if somebody who is malicious gains control of an authorized principal, the deauthorize function could be used to lock everybody else out and upload a malicious frontend. Without a deauthorize function, however, somebody malicious could always spam the canister with a malicious frontend without anyone stopping him/her.

My proposed solution would be to add a deauthorize function while making it so that the controllers of the canister are always authorized (they could wipe the canister and reupload anyways). This way somebody could hand over control to a DAO simply by changing the controller just like it normally works for other canisters.

I wouldn't mind making a pull request for this, but first I wanted to check if you would be open to the idea.

ocluf avatar Nov 24 '21 22:11 ocluf
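As an added illustration of the proposal above (not code from the certified-assets canister), the following stand-alone Rust model shows an access list with `authorize`, the proposed `deauthorize`, and the rule that controllers are always authorized, so a compromised authorized principal cannot lock the controllers out. Assumptions: principals are plain strings, and the controller set is supplied at construction instead of being fetched from the management canister's `canister_status`.

```rust
use std::collections::BTreeSet;

/// Stand-in for an IC principal; a plain string in this model (assumption).
type Principal = String;

/// Access-control state of the modelled asset canister.
#[derive(Debug)]
pub struct AssetAcl {
    /// Principals added through `authorize`.
    authorized: BTreeSet<Principal>,
    /// Canister controllers. The real canister would have to obtain these from
    /// canister_status; here they are passed in by the caller of `new` (assumption).
    controllers: BTreeSet<Principal>,
}

#[derive(Debug, PartialEq)]
pub enum AclError {
    Unauthorized,
}

impl AssetAcl {
    pub fn new(controllers: &[&str]) -> Self {
        AssetAcl {
            authorized: BTreeSet::new(),
            controllers: controllers.iter().map(|s| s.to_string()).collect(),
        }
    }

    /// Controllers are always authorized, so `deauthorize` can never remove them.
    pub fn is_authorized(&self, p: &str) -> bool {
        self.controllers.contains(p) || self.authorized.contains(p)
    }

    /// Existing behaviour: any authorized principal may authorize another one.
    pub fn authorize(&mut self, caller: &str, other: &str) -> Result<(), AclError> {
        if !self.is_authorized(caller) {
            return Err(AclError::Unauthorized);
        }
        self.authorized.insert(other.to_string());
        Ok(())
    }

    /// Proposed `deauthorize`: removes `other` from the explicit list only.
    /// Removing a controller is a no-op because controllers are not stored there.
    pub fn deauthorize(&mut self, caller: &str, other: &str) -> Result<(), AclError> {
        if !self.is_authorized(caller) {
            return Err(AclError::Unauthorized);
        }
        self.authorized.remove(other);
        Ok(())
    }
}
```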

@ericswanson-dfinity, @krpeacock, WDYT?

while making it so that the controllers of the canister are always authorized

How would you check that? By invoking https://docs.dfinity.systems/spec/public/#ic-canister_status in every update call?

I believe we should split deauthorize and controllers check into separate features. I think having deauthorize makes total sense, but not everyone might like fetching controllers in every update call.

roman-kashitsyn avatar Dec 10 '21 21:12 roman-kashitsyn

No, that makes sense. Is an update call to the management canister as slow as a normal update call? I thought it might be faster because of this part in the Internet Computer specification:

"The IC management canister is just a facade; it does not actually exist as a canister (with isolated state, Wasm code, etc.)."

ocluf avatar Dec 11 '21 17:12 ocluf

Is an update call to the management canister as slow as a normal update call?

It's about the same and can easily increase latency by a factor of 2.

roman-kashitsyn avatar Jan 05 '22 20:01 roman-kashitsyn