Replies: 1 comment 2 replies
-
Hi team, I saw a mention that the signature from the wallet is used as a key to encrypt the private key bundle, which is stored both locally and on the network – what security assumption was made here in using a signature as an encryption key? This feels concerning, I'm not aware of any paper that argues in favor or against the notion of a signature being used in such a circumstance, however signatures (especially on-chain) are generally considered transient in an authentication context – i.e. not intended to be kept as a secret long term, especially in a situation where the responsible signing key is used across many applications. I'm imagining a scenario where a malicious dapp asks a user to sign the same message, immediately granting the attacker access to the private key bundle (and thus all conversations and allows forgeries). Warm regards, Cassandra Heart |
Beta Was this translation helpful? Give feedback.
-
About the XMTP Litepaper
Here at XMTP Labs we believe the best way to build a messaging protocol for web3 is to do so with a commitment to being open—in our source code, in ecosystem participation, and especially in our motivations, ideas, and plans for contribution to XMTP.
It's in that interest that we have published a public draft of the XMTP Litepaper. While we very much consider it a work-in progress, it gives a good overview of why we're building it, how it works, and where we see it going in the future.
Discussing the Litepaper
I wanted to open this discussion to dig into the paper more—an open space for questions, ideas, thoughts, concerns, etc. We can also use this space to make mention of meaningful changes to the document, to be sure everyone is kept up to date.
Looking forward to digging in deeper!
Beta Was this translation helpful? Give feedback.
All reactions