Clarify choice of passphrase in SEP-10 #345
Conversation
| * The value of key is not important, but can be the name of the anchor followed by `auth`. It can be at most 64 bytes. | ||
| * The value must be a 64 byte long base64 encoded cryptographic-quality random string | ||
| * signature by the web service signing account | ||
| * `network_passphrase`: (optional but recommended) Stellar network passphrase used by the server. This allows the client to verify that it's using the correct passphrase when signing. |
There was a problem hiding this comment.
Looks good to me. I'm a little bit worried that network_passphrase is optional. It requires code that handles this situation and if developer forgets about it it may result in null pointer exceptions or using empty passphrase.
There was a problem hiding this comment.
Agreed. I think this is a necessary evil to make the change backwards compatible.
|
I want to point out that server’s network passphrase is implicitly bound to the challenge transaction as part of server’s signature, and the client is required to “verify that transaction envelope has a correct signature by server's signing key“, which I think provides a reliable way to protect from network mismatch issues and halt the flow before it gets to client-side signing. It might be convenient to extend the response with |
I think the problem we're trying to solve is having to guess the passphrase if the first signature is incorrect. I agree that in most cases it will be pubnet or testnet passphrase but it's not defined anywhere so in reality the passphrase can be anything. Also, in #339 (comment) I pointed out that we had very similar problem in the past (two components were talking to each other but using different passphrases) and it was really difficult to debug. |
network_passphraseto make debugging signature issues easier.Addresses problem mentioned in stellar/go#1468
Closes #339
@nebolsin I'd love your feedback.