ECIP 1013: ETC On-Chain Cryptographic Signing and Authentication Protocol
| Author | Cody W Burns |
|---|---|
| Status | Draft |
| Type | Standards Track |
| Category | ECBP |
| Created | 2016-10-10 |
Abstract
With all financial systems and software, the possibility of fraud and theft are constant threats. This ECIP addresses on chain, independently verifiable, timestamping of project release binaries which can be used for any project and is presented for consideration on all ETC released software.
Motivation
Loss of trust in decentralized and open projects can be a major obstacle to be overcome for widespread adoption. The ETC wallet creation method protocol allows for a simple verifiable method of demonstrating proof of existence and authority for any public project.
Trustless File Verification Problem
All ETC binaries are created and distributed with a SHA-256 hash for cryptographic verification of a file’s integrity. The hash distributed with the file is a verification that the file has not been altered from its release state. A motivated malicious actor has the ability to fork/clone an entire repository and create new hash signatures based on the malicious code for distribution. Multiple distribution channels for compiled software are used for the sharing of open source software projects currently and lack a distributed method of signature verification across all channels opens a possible attack vector.
Specification
Wallet Creation from a File Hash
For distributed proof of existence, any files SHA-256 hash is used as an ETC private key to create a public address. This address can be distributed with the binary instead of the hash, but it is not necessary as the address is reproducible. Any user will be able to recreate the public address by creating the hash of the file.
On-Chain Proof of Existence
The development team responsible for the creation of a project should send a trivial amount of ETC to the newly created public address from a publicly known account related to the owners. This will serve to both time-stamp the project on the chain and serve as authoritative verification of the account. For the ETC core projects, this can be the public donation address.
Independent Verification
Independent verification is possible of any project from any source using this method. As long as a user is capable of creating the sha256 hash of a file, the public key can be verified for transactions. This process also prevents cross chain verification as only one chains wallet will be funded providing a fork-checking functionality. The first user to independently verify a project is capable of claiming the trivial ETC sent for timestamping.
UNDER NO CIRCUMSTANCE SHOULD A PROJECT HASH WALLET BE USED FOR ANY PURPOSE OTHER THAN PROOF OF EXISTENCE!!!!
###Implementations This process does not require modification to any ETC projects. Block explorer projects, acting as impartial third parties, should be encouraged to implement client side drag and drop SHA-256 file hashing for ease of verification to lay-users who are unfamiliar with hashing.
A decentralized whois contract could be constructed for true decentralized verification, but is not an obstacle to implementation.