News.EOS.WiKi Bilingual News & Info Of EOS

EOSIO Software Release: Ricardian Contract Specifications and the Ricardian Template Toolkit


Translated:

Improving User Understanding with Fully Rendered Ricardian Contracts

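An important component of user security is defending against phishing or bait-and-switch attacks, which lure users into agreeing to outcomes that do not actually result from the agreement. On a blockchain, this can happen when a website or application shows the user that they are approving one action but presents a different transaction to the key management application (for example, an Authenticator or wallet). The website shows the user one thing but sends something else to the blockchain. For example, a user may be misled into believing they are sending a small amount of tokens in a transaction when in fact they are sending all of their tokens to a scammer.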

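A key to EOS usability from the very beginning has been support for defining Ricardian Contracts, which work alongside Smart Contracts to help users (not developers) understand the intent of an action in plain, human-readable English. Because blockchain actions are usually irreversible, the goal of transparent and auditable code can be realized through the blockchain. We have previously covered the role of this concept, and its effect on user experience and user security, in Dan Larimer's earlier article "The Intent of Code as Law". Before Ricardian Contracts, ordinary users could not, or could hardly, understand what actions they were signing on a Smart Contract. The Authenticators or wallets in use today (which present users with transactions that require a private-key signature) generally lack the ability to render Ricardian Contracts in a way users can understand. As a result, current solutions rely on the application to explain to the user on the front end what the Smart Contract says, without any audit of the related actions on the blockchain.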

Ricardian Contract Releases

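Today's release introduces two new features for Ricardian Contracts that establish consistency and transparency in how Authenticators (which show users the transactions they need to sign) display Ricardian Contract data. The Ricardian Contract Specification defines a template language based on JSON for adding metadata, a subset of Markdown/CommonMark for formatting, and Handlebars for variable substitution. Smart Contract developers can follow the specification to format their Ricardian Contracts so that users understand their content.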

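In addition, we built the Ricardian Template Toolkit, a tool for rendering the Ricardian Contract Specification that demonstrates how Ricardian Contracts built to the new specification are displayed. Authenticator developers can use the toolkit to render Ricardian Contracts consistently, and Smart Contract developers can use it as an authoring and testing tool.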

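As an analogy, one can think of the Ricardian Contract Specification as the HTML specification and the Ricardian Template Toolkit as a browser, which can render documents that follow the HTML specification.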

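For EOSIO blockchain users, the Ricardian Contract Specification and the Ricardian Template Toolkit projects make it clear what agreements they are authorizing. We encourage Smart Contract developers to improve their Smart Contracts by following the Ricardian Contract Specification, and we ask Authenticator developers to adopt the Ricardian Template Toolkit to explain more clearly to users what consequences the blockchain actions they approve will have.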

Stay Connected

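If you are interested in providing feedback and working closely with our team to improve the EOSIO developer experience, you can contact our developer relations team by email at developers@block.one.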

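You can also subscribe to our mailing list on the EOSIO Developer Portal to receive further updates. We are pleased to keep improving the usability of the software for EOSIO developers, and we will continue laying a solid foundation for the mass adoption of blockchain.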

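All product and company names marked with ™ or ® are held by their respective owners. Use of these names does not imply any affiliation between us and them, nor any endorsement of them by us.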

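Disclaimer: Block.one makes its contribution voluntarily as a member of the EOSIO community and is not responsible for the overall performance of the software or any related applications. We make no representation, warranty, guarantee or undertaking, express or implied, in respect of the releases described here, the related GitHub releases or the EOSIO software, including but not limited to warranties of merchantability, fitness for a particular purpose and non-infringement. In no event shall we be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, and whether or not related to the software or documentation, arising from the use of the software or from other dealings in the software and documentation. Any test results or performance figures are indicative and do not reflect performance under all conditions. Any reference to a third party or to a third-party product, resource or service is not an endorsement or recommendation by Block.one. We are not responsible for, and accept no responsibility or liability for, your use of or reliance on these resources. Third-party resources may be updated, changed or terminated at any time, so the information here may be out of date or inaccurate. Any person using or offering this software in connection with providing software, goods or services to third parties shall advise such third parties of the license terms, disclaimers and exclusions of liability.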

Original:

Cultivating User Understanding with Richly Rendered Ricardian Contracts

A critical component of user security is preventing phishing attacks or bait-and-switch attacks, which trick users into agreeing to something that isn’t actually going to happen as a result of their agreement. In blockchain, this can occur when a website or application indicates to a user that they are approving one action but presents a different transaction to the key management application (i.e. Authenticator or wallet). The website says one thing, but issues something else to the blockchain. For example, a user may be led to believe they are sending a small number of tokens to an exchange, but in actuality, they are sending all of their tokens to a thief.

A pillar of EOSIO’s usability since its dawn has been support for defining Ricardian Contracts that are paired with Smart Contracts to serve as human-readable representations of an action’s intent in plain English for any user (not developer) to understand. The intent of code being transparent and auditable comes into play as blockchain actions are often irreversible. We’ve published on the power of this concept before in Dan Larimer’s past articles on the intent of code as law and the effect this has on user experience and security. Before Ricardian Contracts, it was nearly impossible for an average user to understand, or be expected to understand, exactly what actions they were signing in a Smart Contract. Existing Authenticators (wallets) that present transactions to users for signing with their private keys are often not equipped to render Ricardian Contracts in a way that cultivates understanding. As a result, current solutions rely on applications to explain to the user on the front end what a smart contract says, without any auditable association to the actions taking place on the blockchain.

Ricardian Contract Releases

Today’s release introduces two new features for Ricardian Contracts to create consistency and transparency in how Ricardian Contract data is presented to users in Authenticators which ask them to sign transactions. The Ricardian Contract Specification defines a template language based on JSON for adding metadata, a subset of Markdown/CommonMark for formatting, and Handlebars for variable substitution. Smart Contract developers can follow the specification to richly format Ricardian Contracts to cultivate understanding for their users.

In addition, we built the Ricardian Template Toolkit, an implementation of a renderer for the Ricardian Contract Specification that demonstrates how Ricardian Contracts built to the new specification can be displayed. This Template Toolkit can be used by Authenticator developers to consistently render Ricardian Contracts and by Smart Contract developers as an authoring and testing tool.
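
An added example (not code from Block.one or the Ricardian Template Toolkit) of the rendering idea described above: an Authenticator fills the contract template from the action data that will actually be signed, so a bait and switch shows up in what the user reads. The contract layout, the `transfer` fields and the function names are simplified assumptions, not the specification's actual format.

```javascript
// Added illustration: NOT the Ricardian Template Toolkit and not its API.
// Assumed, simplified layout: one JSON metadata line, "---", then a
// Markdown body, with {{variables}} allowed in both parts.

// Constructed sample contract for a hypothetical "transfer" action.
const TRANSFER_CONTRACT = [
  '{"title": "Transfer {{quantity}}", "summary": "Send tokens from {{from}} to {{to}}"}',
  '---',
  '**{{from}}** agrees to send **{{quantity}}** to **{{to}}**. Memo: {{memo}}',
].join('\n');

// Backslash-escape Markdown control characters so attacker-chosen values
// (e.g. a memo) cannot add formatting or links to the rendered contract.
function escapeMarkdown(value) {
  return String(value).replace(/[\\`*_\[\]()<>#!]/g, '\\$&');
}

// Substitute {{name}} from the action data; fail closed on missing fields.
function substitute(template, data) {
  return template.replace(/\{\{\s*([A-Za-z_]\w*)\s*\}\}/g, (_, name) => {
    if (!Object.prototype.hasOwnProperty.call(data, name)) {
      throw new Error(`contract references unknown field "${name}"`);
    }
    return escapeMarkdown(data[name]);
  });
}

// Render from the action that will be signed, never from text supplied
// by the requesting website.
function renderContract(contractText, action) {
  const sep = contractText.indexOf('\n---\n');
  if (sep < 0) throw new Error('missing metadata separator');
  const meta = JSON.parse(contractText.slice(0, sep));
  const body = contractText.slice(sep + 5);
  return {
    title: substitute(meta.title, action.data),
    summary: substitute(meta.summary, action.data),
    body: substitute(body, action.data),
  };
}

// Constructed bait and switch: the site claims one thing, the action says another.
const siteClaim = 'Send 1.0000 EOS to exchange';
const actionToSign = {
  name: 'transfer',
  data: { from: 'alice', to: 'thief', quantity: '950.0000 EOS', memo: '[ok](http://example.invalid)' },
};
const shown = renderContract(TRANSFER_CONTRACT, actionToSign);
console.log('site says   :', siteClaim);
console.log('wallet shows:', shown.summary, '|', shown.body);
```

Because every displayed field comes from `actionToSign`, the recipient and amount the user reads are the ones that will reach the blockchain, whatever the website claimed.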

As an illustrative analogy, one could think of the Ricardian Contract Specification like the HTML specification and the Ricardian Template Toolkit like a browser that can render documents that follow the HTML specification.

For EOSIO Blockchain Users, the Ricardian Contract Specification and the Ricardian Template Toolkit projects enable a clear understanding of the agreements to which they are consenting. We encourage Smart Contract Developers to enhance their Smart Contracts by following the Ricardian Contract Specification, and Authenticator developers to adopt the Ricardian Template Toolkit to provide a much clearer rendering to users of what will happen when they approve a blockchain action.

Stay Connected

If you are interested in providing feedback and working more closely with our team to improve EOSIO for developers, you can send our developer relations team an email at developers@block.one.

You can also keep up to date with future updates by subscribing to our mailing list on the EOSIO Developer Portal. We are excited to be continually improving the usability of the software for EOSIO developers as we continue laying a foundation for the mass adoption of blockchain technology.


All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

Disclaimer: Block.one makes its contribution on a voluntary basis as a member of the EOSIO community and is not responsible for ensuring the overall performance of the software or any related applications. We make no representation, warranty, guarantee or undertaking in respect of the releases described here, the related GitHub release, the EOSIO software or any related documentation, whether expressed or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall we be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or documentation or the use or other dealings in the software or documentation. Any test results or performance figures are indicative and will not reflect performance under all conditions. Any reference to any third party or third-party product, resource or service is not an endorsement or recommendation by Block.one. We are not responsible, and disclaim any and all responsibility and liability, for your use of or reliance on any of these resources. Third-party resources may be updated, changed or terminated at any time, so the information here may be out of date or inaccurate. Any person using or offering this software in connection with providing software, goods or services to third parties shall advise such third parties of these license terms, disclaimers and exclusions of liability.

Original URL:

https://medium.com/eosio/eosio-software-release-ricardian-contract-specifications-and-the-ricardian-template-toolkit-a0db787429d1
