how to coordinate multiple wallets

[warner]

What is the Problem Being Solved?

Users will expect to be able to have multiple coordinated user agents, e.g. one on their phone, and a second on their laptop. All agents should have equal functionality, and changes initiated by one agent should appear on the others.

Most platforms have some form of this (web browsers with synchronized bookmarks/passwords/tabs, chat clients, etc). There are more interesting design/security issues on platforms that are meant to be secure, because there is no central server which has the full authority, and instead each new agent must be embued with authority by an old one. This frequently involves generating some sort of cryptographic value on an existing agent, and having the human transfer it (type it into) the new one, then having the old and new agents communicate (encrypted) through an untrusted central machine to transfer the necessary data.

The cheap/lazy way to enable multiple user agents is to make them all identical. This fails as soon as the agents have any interesting amount of state, because they'll become hopelessly confused ("you think I said what? no that was my identical twin"). Instead, you need each agent to be distinct, but merely granted similar authorities, and to talk to each other to keep their user-facing status in sync.

Our platform makes this even more interesting, because of the dynamic state each vat/swingset holds. We might have a chain-side object that holds a bunch of Purses, which is easy enough to share between the agents, but any larger-scale structures or plans that aren't easily captured in that object, will need to be kept somewhere.

This overlaps a good bit with having a wallet recovery plan: the data that you'd need to recover from offline storage (perhaps as little as a single private key) if all of your agents were to die, is probably the same data that needs to be managed jointly by multiple living agents.

So the task is to allow two or more distinct swingsets, each holding its own wallet vat, to coordinate with each other. We'll probably need some way for all of a user's wallets to find each other and broadcast events to each other. And we'll need a way to add a new agent to the existing set, with some sort of secure authorization process.

Description of the Design

needs to be designed

Security Considerations

• it must be possible to add a new agent, but only if an existing one agrees, which requires a human-meaningful/comparable/approvable way to identify the candidate agent and signal acceptance
• whatever authority is being given to chain-side resources must be clearly documented, along with which objects have power over what. We should be able to segregate authorities such that the compromise of a single object or vat on the chain does not lead to compromise of one or more user wallets

[warner]

cc @michaelfig @rowgraus

[Tartuffo]

@michaelfig pre-dates on-chain wallet effort, if this is no longer relevant, please close.

[dckc]

obsolete in favor of on-chain wallet plans (#3995)