Knowledge dump so you dont recreate the same system but worse and now with your entire financial history 😬
1. Authentication
2. Recovery
3. Revocation
of access to the dapp's account via my "wallet."
4. Granting
5. Revoking
of permissions to access information in my "wallet"
1. Authentication
2. Recovery
3. Revocation
of access to the dapp's account via my "wallet."
4. Granting
5. Revoking
of permissions to access information in my "wallet"
https://twitter.com/BrantlyMillegan/status/1409940065401413642
"Wallet" in this case is the thing that you trust so you dont have to trust all dapps. Also:
- holds your private key(s) / evm account(s)
- signs with those keys
- may have multiple identities of yours
- controls access to whatever information, keys, or requests for your signing
- holds your private key(s) / evm account(s)
- signs with those keys
- may have multiple identities of yours
- controls access to whatever information, keys, or requests for your signing
1. Allow me to Authenticate myself to the dapp in the future to access whatever an "account" is for that specific dapp. Allow me to do so even if time has passed or even if I'm on a new device.
Don't allow others to illegitimately authenticate themselves as me.
Don't allow others to illegitimately authenticate themselves as me.
2. Allow me to Recover access to my dapp account, even if I lose or change my wallet or address.
Lost keys fall on wallets but dapps should think about mechanisms dapps may be able to provide.
Moreso, dapps shouldnt discriminate if I move keys/addresses/wallet providers.
Lost keys fall on wallets but dapps should think about mechanisms dapps may be able to provide.
Moreso, dapps shouldnt discriminate if I move keys/addresses/wallet providers.
3. Allow me to Revoke the ability for an address, key, wallet, whatever it is, to Authenticate my dapp account.
This gives me an painless way to mitigate loss at dapp level if my key/wallet/etc is compromised.
Note: Revocation = WAAAY easier than Authentication and Recovery.
This gives me an painless way to mitigate loss at dapp level if my key/wallet/etc is compromised.
Note: Revocation = WAAAY easier than Authentication and Recovery.
Reminder: wallet has keys. addresses. ALL the juicy details.
When you "sign in with Ethereum," the dapp should get NOTHING. It's a placeholder account. A dapp-created UUID. A dapp-created token. Whatever "it" is. No address, balance, profile pic. Nothing. Nada.
When you "sign in with Ethereum," the dapp should get NOTHING. It's a placeholder account. A dapp-created UUID. A dapp-created token. Whatever "it" is. No address, balance, profile pic. Nothing. Nada.
Bc the only way the "Sign In" button can reduce friction HONESTLY and TRUSTLESSLY is if it...
- reduces time/effort/steps required by me
and
- doesn't expose me to undue risk or harm. even if I lack knowledge, diligence.
Therefore, clicking the button can't do much.
- reduces time/effort/steps required by me
and
- doesn't expose me to undue risk or harm. even if I lack knowledge, diligence.
Therefore, clicking the button can't do much.
4. Allow me to Grant Permission for a dapp to access my info or funds, or to request my signature on a msg/tx, on an as-needed and when-needed basis.
Wanna know my balance? Give me something of value.
Wanna know my address? Aka my entire financial history? Value. Now.
Wanna know my balance? Give me something of value.
Wanna know my address? Aka my entire financial history? Value. Now.
5. Allow me to easily Revoke permission for a dapp to access my information or funds, or to request my signature on a msg/tx.
Note: Always far easier to revoke than to auth/grant/recover.
Note: Always far easier to revoke than to auth/grant/recover.
Bonus points:
6. Kill & Exit
Revoking != deleting. But I should be able to easily fully exit dapps that exploit me.
This would bake in a one click revoke access + revoke permissions + disallow allows + remove all my info/personalization.
All that can be killed, should be.
6. Kill & Exit
Revoking != deleting. But I should be able to easily fully exit dapps that exploit me.
This would bake in a one click revoke access + revoke permissions + disallow allows + remove all my info/personalization.
All that can be killed, should be.
Bc we don't just want a button that says "Ethereum."
We want a mechanism that is better than what we currently have.
One aligned with + representative of this ecosystem's goals.
One that gains value *from* that.
One that empowers individual people over all else.
We want a mechanism that is better than what we currently have.
One aligned with + representative of this ecosystem's goals.
One that gains value *from* that.
One that empowers individual people over all else.
Part II
This thing has a decent potential to be harmful if it's creators dont grok their role.
They must create and maintain the tenuous hierarchy between all the players to ensure people remain the #1 priority even when dapps leverage all they've got tryin' to get their way.
This thing has a decent potential to be harmful if it's creators dont grok their role.
They must create and maintain the tenuous hierarchy between all the players to ensure people remain the #1 priority even when dapps leverage all they've got tryin' to get their way.
Bc it doesn't work if you end up being subservient to dapps at the expense of people.
In fact, all y'all need to be subservient to those real individual people. They are the only reason you even have value.
So users are more valuable to you than you are to users.
In fact, all y'all need to be subservient to those real individual people. They are the only reason you even have value.
So users are more valuable to you than you are to users.
But you are more valuable to dapps than dapps are to you.
Without you, dapps need to expend resources to build their own thing. Then they need to build their own trust.
If dapps choose to save resources, choose to ride your trusty coattails, they choose to play by your rules 😄
Without you, dapps need to expend resources to build their own thing. Then they need to build their own trust.
If dapps choose to save resources, choose to ride your trusty coattails, they choose to play by your rules 😄
That said, you can't get carried away here. You're entitled to make demands of dapps but not entitled to be a greedy, centralized gatemaster.
That would be forging a different path to the same "oops we rebuilt the current system but maybe worse" outcome.
😬
😬😬😬
That would be forging a different path to the same "oops we rebuilt the current system but maybe worse" outcome.
😬
😬😬😬
So just as you bound dapps on one side, bound yourself on the other.
The rules you set for dapps by must be:
clearly defined
universally applied
carefully considered
easy to challenge
hard to change.
Cuz you cant legitimately demand they dont exploit while you exploit them lol.
The rules you set for dapps by must be:
clearly defined
universally applied
carefully considered
easy to challenge
hard to change.
Cuz you cant legitimately demand they dont exploit while you exploit them lol.
Oh, btw, what exactly are you demanding?
Mostly it's about ensuring dapps can't (not won't) exploit users. See Part I. Like, they can't get a users address upon account creation. Or access GRANT without REVOKE.
All that's relatively easy compared to what happens over time tho.
Mostly it's about ensuring dapps can't (not won't) exploit users. See Part I. Like, they can't get a users address upon account creation. Or access GRANT without REVOKE.
All that's relatively easy compared to what happens over time tho.
Which means the culture and values you establish from day one matter a lot.
Each dapp will always have some need or desire or opinion on how you should do things to best serve their use-case. Often they're well-intentioned. And not even dangerous or exploitative...in their case.
Each dapp will always have some need or desire or opinion on how you should do things to best serve their use-case. Often they're well-intentioned. And not even dangerous or exploitative...in their case.
But shit goes sideways the second you start conflating what a dapp values with your own values. Instead if serving them, you need to make choices that benefit people on the whole.
If everything is properly aligned, your value grows BECAUSE you prioritize your values.
If everything is properly aligned, your value grows BECAUSE you prioritize your values.
Here your value grows when you prioritize people over all else. Bc people give you your value. 🌈 Alignment 🌈
So thats the role of the creator of this sign in thing. And all who build something that straddles the line between users and dapps.
Way easier said than done. Lol.
So thats the role of the creator of this sign in thing. And all who build something that straddles the line between users and dapps.
Way easier said than done. Lol.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
