Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attestation of definition validity #3

Open
matejcik opened this issue May 28, 2024 · 1 comment
Open

Attestation of definition validity #3

matejcik opened this issue May 28, 2024 · 1 comment
Labels
question Further information is requested

Comments

@matejcik
Copy link

I would like to start a discussion about how the above should like, i.e., what is a way for different parties to attest that they have reviewed a definition to be valid, and how to convey that trust to others.

One thing I would love to see is an ability for the smart contract author to attach their signature, in a way verifiable against the contract itself. Something something, the private key that signs the contract would also sign the definition?
Note that I know very little about how EVMs sign smart contracts, so someone else would need to fill out the details here.

As a first idea, I'm thinking a json file alongside the definition, for somecontract.json, have somecontract.sig.json that is a collection of "signature information" for somecontract.json.

Each "signature information" entry would have:

  • required: algorithm specifier ("minisign", "gpg", "ethereum", ...?) It's not great to allow multiple different algorithms, but we should be good as long as we don't allow "null" right? :)
  • required: signer cryptographic identity (typically a public key, but possibly also a contract address or something)
  • required: digest being signed (of the "strict" version of the json) + signature of that digest
  • optional: signer name
  • optional: source of the public key (e.g. an URL on their own domain, as a semi-weak proof of identity of the key)
  • optional: git commit of the file being signed (so that we can look at history, what has changed since the signature was produced)
  • optional: url of the definition, possibly in a git repository (so that the .sig can be distributed independently?)
  • optional: trust level (what trust levels would make sense?)
@jnicoulaud-ledger jnicoulaud-ledger added the question Further information is requested label Nov 4, 2024
@jnicoulaud-ledger
Copy link
Collaborator

jnicoulaud-ledger commented Nov 4, 2024
edited
Loading

It does not cover all your points, but since Git/Github is used as the repository we could leverage it:

It is then possible for a consumer to verify a descriptor has been produced on this repository, and furthermore by a specific entity identified by their GPG key.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@matejcik @jnicoulaud-ledger