T8493 Posted August 5, 2016 Share Posted August 5, 2016 (edited) Is it possible to use regular keys for signing transaction when you use GateHub wallet? Regular keys can be disabled and in case of a breach one can simply disable regular key outside of the GateHub wallet. This is maybe the only proactive way of how can one actively defend himself in case of a breach. Edited August 5, 2016 by T8493 enej, rippleric, jn_r and 1 other 4 Link to comment Share on other sites More sharing options...
rippleric Posted August 5, 2016 Share Posted August 5, 2016 What exactly is a regular key used for? Link to comment Share on other sites More sharing options...
T8493 Posted August 5, 2016 Author Share Posted August 5, 2016 3 minutes ago, rippleric said: What exactly is a regular key used for? Regular key can be used for signing transactions. However, it can be disabled or changed at will. From https://ripple.com/build/transactions/#setregularkey : Quote In addition to the master key, which is mathematically-related to an address, you can associate at most 1 additional key pair with an address using this type of transaction. The additional key pair is called aregular key. If your address has a regular key pair defined, you can use the secret key of the regular key pair to authorize transactions. A regular key pair is generated in the same way as any other Ripple keys (for example, withwallet_propose), but it can be changed. A master key pair is an intrinsic part of an address's identity (the address is derived from the master public key). You can disable a master key but you cannot change it. You can protect your master secret by using a regular key instead of the master key to sign transactions whenever possible. If your regular key is compromised, but the master key is not, you can use a SetRegularKey transaction to regain control of your address. In some cases, you can even send a key reset transaction without paying the transaction cost. rippleric 1 Link to comment Share on other sites More sharing options...
karlos Posted August 5, 2016 Share Posted August 5, 2016 moved to gateways Link to comment Share on other sites More sharing options...
enej Posted August 11, 2016 Share Posted August 11, 2016 On 5. 8. 2016 at 3:17 AM, T8493 said: Is it possible to use regular keys for signing transaction when you use GateHub wallet? Regular keys can be disabled and in case of a breach one can simply disable regular key outside of the GateHub wallet. This is maybe the only proactive way of how can one actively defend himself in case of a breach. This is a very interesting idea. The only question I have is which cold storage "solution" might be used for easily deactivating the regular key. Did the old Ripple Trade client allowed you to "manage" regular keys for an account? duje 1 Link to comment Share on other sites More sharing options...
nikb Posted August 11, 2016 Share Posted August 11, 2016 33 minutes ago, enej said: This is a very interesting idea. The only question I have is which cold storage "solution" might be used for easily deactivating the regular key. Did the old Ripple Trade client allowed you to "manage" regular keys for an account? @enej, I don't believe the client offered any functionality associated with the regular key. Put me down as a "yes, please" in the "add a way to import a wallet given the wallet's public address and a regular key." Or, at least a way, to set a regular key on a given wallet and use that. Link to comment Share on other sites More sharing options...
T8493 Posted August 11, 2016 Author Share Posted August 11, 2016 46 minutes ago, enej said: The only question I have is which cold storage "solution" might be used for easily deactivating the regular key. Someone will have to build a (trusted) app which can be used to deactivate regular key by entering the secret key manually. Whether this app should be offline or online is debatable. I think the whole Ripple ecosystem has one big problem: how to distribute/deploy apps (wallets, etc.) in a trusted way. Javascript/HTML per-se doesn't support code signing (except maybe subresource integrity feature, which is just hashing and not supported by all major browsers). I think the proper solution is probably outside of the pure javascript/HTML scope. Link to comment Share on other sites More sharing options...
RafOlP Posted August 11, 2016 Share Posted August 11, 2016 5 minutes ago, T8493 said: Someone will have to build a (trusted) app which can be used to deactivate regular key by entering the secret key manually. Whether this app should be offline or online is debatable. I think the whole Ripple ecosystem has one big problem: how to distribute/deploy apps (wallets, etc.) in a trusted way. Javascript/HTML per-se doesn't support code signing (except maybe subresource integrity feature, which is just hashing and not supported by all major browsers). I think the proper solution is probably outside of the pure javascript/HTML scope. One solution is to use this: Quote Another important working feature is creating and revoking regular keys. This is awesome because it allows managing an account without using the Master Key, so the later can be kept totally private and offline, and used only in an emergency situation. Than use the regular key to create a wallet at gatehub, using it when gatehub asks for your secret key. T8493 1 Link to comment Share on other sites More sharing options...
T8493 Posted August 11, 2016 Author Share Posted August 11, 2016 (edited) 41 minutes ago, RafOlP said: Than use the regular key to create a wallet at gatehub, using it when gatehub asks for your secret key. Ok, this is one possibility. But how can users get this application? First option is via this link: https://s3.amazonaws.com/static.rippex.net/client/carteira-ripple-win64-1.4.0-rc3.zip But: how can users be sure that the compiled code doesn't do anything malicious? how can users be sure that the package wasn't tampered with while it is on Amazon servers? If user wants to compile code for himself, he has to (according to https://github.com/rippex/ripple-client-desktop) Fork and clone the ripple-client-desktop repository Run npm install Download nw.js In the ripple-client-desktop repository, make a copy of the config_example.js file and name it config.js Run gulp in your command line for development Run gulp packages in your command line for the production ready client Your desktop client is in the packages/RippleAdminConsole directory 99% of the users can't do this. They need something that works with one click. Edited August 11, 2016 by T8493 RafOlP 1 Link to comment Share on other sites More sharing options...
RafOlP Posted August 12, 2016 Share Posted August 12, 2016 (edited) 4 hours ago, T8493 said: Ok, this is one possibility. But how can users get this application? First option is via this link: https://s3.amazonaws.com/static.rippex.net/client/carteira-ripple-win64-1.4.0-rc3.zip But: how can users be sure that the compiled code doesn't do anything malicious? how can users be sure that the package wasn't tampered with while it is on Amazon servers? If user wants to compile code for himself, he has to (according to https://github.com/rippex/ripple-client-desktop) Fork and clone the ripple-client-desktop repository Run npm install Download nw.js In the ripple-client-desktop repository, make a copy of the config_example.js file and name it config.js Run gulp in your command line for development Run gulp packages in your command line for the production ready client Your desktop client is in the packages/RippleAdminConsole directory 99% of the users can't do this. They need something that works with one click. Even checking download hashes helps only a minority (because of tech limits or laziness or a sense that trusting someone says an opensource software is what is says it is). I think I understand what you are trying to achieve but being technically sure about something requires technical knowledge. One example: even a developer who has a technical understanding about java or Go or JS or Python will have to have specific knowledge about how cryptography works and what are the best practices for implementing it in order to be sure it is a safe code. Then what happens is that everybody trusts all the experienced cryptographers who are unlikely to collude because they are good people or because they fear other groups of developers might prove them wrong. So when those reputable and accountable experts say something in chorus, it is very unlikely they are wrong or misguiding everyone on purpose. Edited August 12, 2016 by RafOlP T8493 1 Link to comment Share on other sites More sharing options...
yxxyun Posted August 12, 2016 Share Posted August 12, 2016 https://yxxyun.github.io this support set and use regular key. When using regular key, first set wallet address and not enter the master key , then in the info tab > account > set wallet secret enter your regular key. rippleric and T8493 2 Link to comment Share on other sites More sharing options...
T8493 Posted August 12, 2016 Author Share Posted August 12, 2016 (edited) 2 hours ago, yxxyun said: https://yxxyun.github.io this support set and use regular key. @yxxyun, is your wallet just redesigned (material design) Ripple labs wallet? Or have you changed anything else (significantly)? Does this repository contain the source code of your (redesigned) wallet: https://github.com/yxxyun/ripple-wallet ? What is this repository: https://github.com/yxxyun/ripple-client-desktop ? Edited August 12, 2016 by T8493 Link to comment Share on other sites More sharing options...
yxxyun Posted August 12, 2016 Share Posted August 12, 2016 1 hour ago, T8493 said: @yxxyun, is your wallet just redesigned (material design) Ripple labs wallet? Or have you changed anything else (significantly)? Does this repository contain the source code of your (redesigned) wallet: https://github.com/yxxyun/ripple-wallet ? What is this repository: https://github.com/yxxyun/ripple-client-desktop ? The source code is https://github.com/yxxyun/ripple-wallet , it is a redesign of the ripplerm's wallet. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now