Note: This post shows a proof-of-concept for challenge-response mechanisms for Circles, it is not meant to be a best practice, especially as private key handling is involved. Please be careful!
Suppose you want to pay someone you don’t know personally and therefore she doesn’t trust you. If there is no transitive trust path between you and this person, you cannot pay in Circles.
However, if this person can verify “attributes” of yourself, she might trust you, allowing you to pay her directly.
What could these attributes be?
All kind of internet services which provide some kind of digital identity can be used:
- SMS, E-Mail
- Keybase, 3Box
- Telegram, WeChat, WhatsApp
- Twitter, FB
- Github (Gist)
Or a combination of those.
The merchant wants to sell a digital service to a customer, but cannot be sure the Circles the customer wants to pay with are his “real” ones. To increase trust the merchant wants to link the Circles account to other services she trusts, like Mail, Twitter, etc. This still makes it possible for the customer to betray her, but at least she can refer to something then (like replying to the Mail).
To link the Circles account to a signed message transferred on these internet services, an indirection is necessary as the Signer’s account (the Device Address) is not identical to the Gnosis Safe Profile Address (but is the Owner of this Profile Address).
As merchant, you have to pass a “challenge” to the customer. This can be almost anything, a number, a phrase, a sentence - something that is not easily guessable and individual.
As customer, you have to sign this “challenge” with your Device Address private key.
As merchant, you have to verify the signature and that the signing address of the signature matches the Owner address of the Circles Gnosis Safe.
If the addresses match, you can trust the Circles account and get paid. You now know that the Owner of the Circles account signed your “challenge” and sent you the signed message.
Merchant passes MyPersonalChallenge55523 to the customer to sign it with the Device Address private key and send it via Keybase, Mail, SMS, post it on Twitter, send it via Telegram, etc.
Customer extracts private key from circles.garden and imports it into MetaMask, Nifty (recommended) or MyEtherWallet directly (not recommended).
- Import to Wallet
- Customer signs challenge in MyEtherWallet with “sign-message”.
Customer sends the JSON via the agreed-upon services.
Merchant uses “verify message” to verify the address.
Merchant calls the Gnosis Safe (https://xdai.gnosis-safe.io/app/#/safes/SAFE_ADDRESS) of the Circles account she wants to trust and ensures (one of) the Owners is the recovered address.
- Merchant can now trust the Circles account.