SmartTokenLabs/attestation

USE NftAttesatation hash signature as CSR

Opened this issue · 0 comments

oleggrib commented

Based on the #203 , last @jot2re comments say the same.

For NFT attestation currently User signs

  1. simple text string as CSR (Certificate Signing Request)
  2. whole object IdAttestation+NFTpayload and add signature to the object

My suggestion is to separate IdAttestation and NFTpayload
So

  1. user creates NFTpayload object. HASH it , adds it to the text template and sign that string. ("Sign to create your TwitterID attestation. nonce: 0x45a8b78... , timestamp: 3992770271")
  2. user send HASH+template+timestamp+users_string_signature+auth0_data to the attestation.id (attestation.id creates string and validate it against signature)
  3. construct object; IdAttestation+payload+step1_string_signature to the smart contract
    in this case IdAttestation signed by attestor, payload signed by user. attestation.id dont know what payload do we use and user need to make single signature only.

In case if Attestation TTL limited to 1 day, then it fix multiple problems:

  • CSR reuse
  • IdAttestation reuse when twitterId sold
  • avoid weird signature
  • avoid double signing

If @JamesSmartCell can update VerificationContract to read EIP712 signature then we can use EIP712 instead of the text.

@colourful-land , does that make sense?