Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add EIP-5131: ENS Subdomain Authentication #5131

Merged
merged 36 commits into from
Jul 9, 2022
Merged
Changes from 2 commits
Commits
Show all changes
36 commits
Select commit Hold shift + click to select a range
02fdd31
Add EIP-603: ENS Auth Linking
wwhchung Jun 3, 2022
d926f0a
rename eip-603 to eip-5131 and remove external links
wwhchung Jun 3, 2022
3e3b45c
changing to an ERC
wwhchung Jun 3, 2022
069848e
additional context
wwhchung Jun 3, 2022
03d63ba
add refrence implementations
wwhchung Jun 3, 2022
31fd495
rename
wwhchung Jun 3, 2022
d779068
edits as per suggestions
wwhchung Jun 3, 2022
a24fa63
further content edits
wwhchung Jun 3, 2022
e51e8ed
grammar fix
wwhchung Jun 3, 2022
5676cce
short description change
wwhchung Jun 3, 2022
3c70189
update discussion link
wwhchung Jun 3, 2022
c0c8ded
update ref implementation
wwhchung Jun 3, 2022
713c03f
update with new reference code
wwhchung Jun 3, 2022
51a0753
format edits
wwhchung Jun 3, 2022
dc3ad8a
update reference implementation
wwhchung Jun 3, 2022
1c3abd7
Update eip-5131.md
wwhchung Jun 3, 2022
54a20ef
add additional code for sample implementation
wwhchung Jun 5, 2022
00458df
clean up Abstract and move contents into Motivation
wwhchung Jun 6, 2022
47558a2
Update eip-5131.md
wwhchung Jun 6, 2022
8360e7e
Update EIPS/eip-5131.md
wwhchung Jun 10, 2022
bb9dace
edits
wwhchung Jun 10, 2022
fc02098
Update EIPS/eip-5131.md
wwhchung Jun 13, 2022
248dad3
Update EIPS/eip-5131.md
wwhchung Jun 13, 2022
c1b51af
Update EIPS/eip-5131.md
wwhchung Jun 14, 2022
b59c292
Update EIPS/eip-5131.md
wwhchung Jun 14, 2022
9bd601c
Update EIPS/eip-5131.md
wwhchung Jun 14, 2022
7d59810
Update EIPS/eip-5131.md
wwhchung Jun 14, 2022
ace2c39
Update EIPS/eip-5131.md
wwhchung Jun 14, 2022
8ce77e1
Update EIPS/eip-5131.md
wwhchung Jun 27, 2022
1f7f35c
Update EIPS/eip-5131.md
wwhchung Jun 27, 2022
0b880a1
Update EIPS/eip-5131.md
wwhchung Jun 28, 2022
43f8ba4
update Specification for EIP-5131
wwhchung Jun 28, 2022
bf02f83
update Rationale section
wwhchung Jul 3, 2022
c3c8687
improve Motivation section
wwhchung Jul 3, 2022
a9fe2e6
Update EIPS/eip-5131.md
wwhchung Jul 8, 2022
a7c605a
Update EIPS/eip-5131.md
wwhchung Jul 9, 2022
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
119 changes: 119 additions & 0 deletions EIPS/eip-5131.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
---
eip: 5131
title: ENS Auth Linking
description: Use ENS to link hot wallets as approved signers for a root ENS address.
wwhchung marked this conversation as resolved.
Show resolved Hide resolved
author: Wilkins Chung (@wwhchung)
discussions-to: https://ethereum-magicians.org/t/eip-603-ens-authentication-link/9458
status: Draft
type: Standards Track
category: Interface
created: 2022-06-03
requires: 137
---
wwhchung marked this conversation as resolved.
Show resolved Hide resolved

## Abstract
At current, web2 and contracts validate asset ownership and wallet control by requiring you to sign a message or transaction with the wallet that owns the asset.
wwhchung marked this conversation as resolved.
Show resolved Hide resolved

Examples:
- In order for you to edit your profile on OpenSea, you must sign a message with your wallet address.
- In order to access NFT gated content, you must sign a message with the wallet containing the NFT
- In order to claim an airdrop, you must interact with the smart contract with the qualifying wallet address.

This method of validation is problematic from a security standpoint (interacting with a malicious site or contract can compromise your wallet's assets) and a convenience standpoint (e.g. if your assets are on a hardware wallet that is not easily accessible).

This EIP proposes a solution which uses the Ethereum Name Service Specification (EIP-137) as a way to link one or more signing wallets (presumably less secure) to authenticate a main wallet.
wwhchung marked this conversation as resolved.
Show resolved Hide resolved


## Motivation
As explained in the abstract, the current method of using a person's main wallet for authentication of control and asset ownership is both insecure and inconvenient. It is as if, in order to authenticate, you must give an application root access to your wallet. This proposal provides an easy way to do 'read only' access to a wallet by leveraging existing infrastructure.
wwhchung marked this conversation as resolved.
Show resolved Hide resolved

Some solutions propose dedicated registry smart contracts to create this link, or new protocols to be supported. Rather than 're-invent the wheel', this proposal aims to use the widely adopted Ethereum Name Service in order to bootstrap a safer and more convenient way to sign and authenticate.
wwhchung marked this conversation as resolved.
Show resolved Hide resolved


## Specification
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.


Let:
- `mainAddress` represent the wallet address we are trying to authenticate or very asset ownership for
wwhchung marked this conversation as resolved.
Show resolved Hide resolved
- `mainENS` represent the reverse lookup ENS string for `mainAddress`
- `authAddress` represent the address we want to sign with in lieu of `mainAddress`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we going to add any requirement on this being an EOA?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd say not (for both authAddress and mainAddress) because we wouldn't gain anything from such a restriction, would we?

Copy link
Contributor

@blmalone blmalone Jun 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On second thought, we shouldn't be restricting it because a smart contract address could be used pretty easily with the right setup.

- `authENS` represent the reverse lookup ENS string for `authAddress`. It must be in the format `auth[0-9]*.<mainENS>`.
wwhchung marked this conversation as resolved.
Show resolved Hide resolved

### Setting up one or many `authAddress` records
The pre-requisite assumes that the `mainAddress` has an ENS ETH resolver record configured.

1. Using your `mainAddress` wallet, sign into ens.domains and create a subdomain record for `mainENS` called `auth[0-9]*`. This becomes the `authENS`
wwhchung marked this conversation as resolved.
Show resolved Hide resolved
wwhchung marked this conversation as resolved.
Show resolved Hide resolved
2. Set the ETH resolver record for this `auth[0-9]*` subdomain to the `authAddress`
wwhchung marked this conversation as resolved.
Show resolved Hide resolved
3. Using `authAddress`, sign into ens.domains and set the ENS reverse record to `authENS`

Repeat this process with as many addresses as you would like.
wwhchung marked this conversation as resolved.
Show resolved Hide resolved

### Authenticating `mainAddress` via `authAddress`
Control of `mainAddress` and ownership of `mainAddress` assets is proven if any one of associated `authAddress` is the msg.sender or has signed the message.

Practically, this would work by performing the following operations:
1. Get the reverse ENS record for `authAddress`
2. Parse `auth[0-9]*.<mainENS>` to determine the linked ENS
3. Do a lookup on the linked ENS record to determine the linked `mainAddress`


## Rationale
The proposed specification allows one to link multiple addresses as 'authentication addresses' to a core main address. This is beneficial from a security standpoint (if the authentication address is compromised, the assets held by the main address is not), and convenience (if the authentication address is a simple MetaMask wallet but the main address is a hardware wallet).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I think this section is reading more like motivation than rationale. I think you should consider moving a fair bit of this content above and focus on answering why certain design decisions were chosen over other decisions here.


### Example:
wwhchung marked this conversation as resolved.
Show resolved Hide resolved
I need to own an NFT to get into an event. I have my phone (hot wallet linked to auth.wilkins.eth), but not my ledger (wilkins.eth) If I sign with my phone, this verifies I own the main wallet and the NFTs in the ledger, letting me into the event safely.

Further, I have multiple devices:
- My iPhone has mobile metamask hot wallet, and I can add it as an auth account by setting auth1.wilkins.eth to that wallet (and the corresponding reverse record).
wwhchung marked this conversation as resolved.
Show resolved Hide resolved
- My iPad has the same and can be set to auth2.wilkins.eth, etc.

Lost my device? No problem, just delete the record. No need to import/reimport seed phrases.
wwhchung marked this conversation as resolved.
Show resolved Hide resolved
wwhchung marked this conversation as resolved.
Show resolved Hide resolved


## Reference Implementation

### Client Side
In typescript, the validation function, using ethers.js would be as follows:
```
async function getLinkedAddress(provider: ethers.providers.Provider, address: string): Promise<LinkedAddress | null> {
wwhchung marked this conversation as resolved.
Show resolved Hide resolved
const addressENS = await provider.lookupAddress(address);
if (!addressENS) return null;

const authMatch = addressENS.match(/^(auth[0-9]*)\.(.*)/);
if (!authMatch) return null;

const linkedENS = authMatch[2];
const linkedAddress = await provider.resolveName(linkedENS);

if (!linkedAddress) return null;

return {
ens: linkedENS,
address: linkedAddress
};
}
```

### Solidity
In solidity, the validation signature would be:
```
/**
* Validate that the message sender is an authentication address for the mainAddress
*
* @param ensRegistry Address of ENS registry
* @param senderENS Sender ENS. This is passed in for gas efficient checking against main address ENS
* @param mainAddress The main address we are checking against
* @param mainENSParts The array of the main address ENS domain parts (e.g. wilkins.eth == ['wilkins', 'eth']).
* This is used vs. the full ENS a a single string name hash computations are gas efficient.
*/
function validate(address ensRegistry, bytes calldata senderENS, address mainAddress, string[] memory mainENSParts) view returns(bool);
```


## Security Considerations
The core purpose of this EIP is to enhance security and promote a safer way to authenticate wallet control and asset ownership when the main wallet is not needed and assets held by the main wallet do not need to be moved. Consider it a way to do 'read only' authentication.
wwhchung marked this conversation as resolved.
Show resolved Hide resolved
wwhchung marked this conversation as resolved.
Show resolved Hide resolved
wwhchung marked this conversation as resolved.
Show resolved Hide resolved


## Copyright
Copyright and related rights waived via [CC0](../LICENSE.md).