News.EOS.WiKi Bilingual News & Info Of EOS

EOSIO Labs™ Release: iOS and Chrome Extension Authenticator Reference Applications


Last month, we introduced EOSIO Labs™, an initiative centered on open innovation. Through EOSIO Labs we can contribute to the conversation around the future of blockchain technology with thought leadership, tools, and software. From the Assert Manifest Security Model to the Universal Authenticator Library, and our most recent release, the EOSIO Explorer, this initiative is well underway.

To date, much of our Labs research has focused on key and password management and the EOSIO™ authenticator ecosystem, and for good reason. Blockchain authenticators as key managers serve, for users, as the gateway to interacting with blockchain-based applications. They are a critical component of the user’s security and overall experience, and, for that reason are critical to the mass adoption of blockchain technology.

Today, there are several excellent authenticators in the EOSIO ecosystem. The community is innovating at an incredibly swift pace and blockchain-enabled experiences are becoming more and more accessible because of it. Nonetheless, more work is needed if we are to continue fueling widespread adoption and use of this technology.

EOSIO Reference Authenticator Apps

Today’s EOSIO Labs release ties several of our recently-announced tools, software, and thought leadership pieces together into one, cohesive experience that aims to address some of the security and usability concerns users currently face. We are excited to release the EOSIO Reference Authenticator Apps.

To be clear, the implementations we are showcasing today are being released as experimental reference Open Source Software and not as proprietary products for uploading on app stores (and we discourage anyone from doing so). By releasing them in this way, we hope to encourage ongoing improvements to the security, interoperability and usability of authenticators by contributing working code and examples.

EOSIO Reference iOS Authenticator App

The EOSIO Reference iOS Authenticator App is an implementation on iOS that allows users to sign in and approve transactions from 1) web applications running in Mobile Safari and 2) other native iOS apps on the same device. Key management and signing take place in Apple’s Secure Enclave and/or Keychain and are protected with the device’s biometric authentication.

To achieve this, the app leverages the recently-announced EOSIO SDK for Swift library and the EOSIO SDK for Swift: Vault Signature Provider.

Example: Authenticating and Signing a Transaction from a Third-Party Mobile Web App

EOSIO Reference Chrome Extension Authenticator App

The EOSIO Reference Chrome Extension Authenticator is an implementation that allows users to sign in and approve transactions from web applications running in Google Chrome on desktop. Key management and signing take place in the Chrome extension secured by a passphrase.

Example: Authenticating and Signing a Transaction from a Web App in Google Chrome on Desktop

Integrating Applications

Web applications integrate with the EOSIO Reference Authenticator Apps using the Universal Authenticator Library and the EOSIO Reference Authenticator plugin for UAL. This release also includes an example web application called Tropical Stay which demonstrates how this works. Alternatively, apps can directly use EOSJS along with the appropriate signature provider.

Native mobile applications are able to integrate with the iOS app using EOSIO SDK for Swift and the Reference iOS Authenticator Signature Provider for the SDK.

Key Features and Innovations

Seamless, Multi-Chain Support

During our research, we noticed that many popular authenticator applications support only one EOSIO based blockchain — for example, the EOS Public Network. Those that support other chains often require users to configure the authenticator with RPC endpoints or networks so that their authenticator can communicate with the chain(s) their app interacts with.

This presents quite the challenge for ordinary users with complexity that will only increase as more EOSIO-based blockchains are launched. Indeed, it’s not hard to imagine a future in which applications operate their own app-specific chains.

We set out to address this friction by making the EOSIO Reference Authenticator Apps entirely chain agnostic. In fact, the Authenticator Apps do not communicate with EOSIO nodes directly, at all.

This is achieved by ensuring that all of the information required to display and sign a transaction is passed in by the application proposing the transaction. [See: EOSIO Authentication Transport Protocol Specification.] After the transaction is signed in the Authenticator App, the signatures are returned to the proposing app. It’s the job of the proposing app to broadcast the transaction.

There are no RPC endpoints to configure. Any EOSIO chain is supported. And it’s all secured by the Assert Manifest Security Model.

Works Without Requiring Users to Change Browsing Habits

Another observation we made was that many popular authenticators — especially those on mobile — require users to fundamentally change their browsing habits if they want to use blockchain-enabled web applications. In these authenticators, users are expected to browse these blockchain-enabled web applications from within the confines of a specialized, in-app blockchain web browser instead of just working with the users’ everyday web browser of choice. Furthermore, most authenticator apps on mobile platforms do not support inter-application transaction signing (i.e., signing transactions proposed by other native mobile apps.)

The EOSIO Reference iOS Authenticator App allows users to sign in and approve transactions from web applications running in Mobile Safari as well as other native iOS apps on the same device. This is accomplished using the EOSIO Authentication Transport Protocol and the Deep Linking URL Query String transport.

Enhanced App Identification

The EOSIO Reference Authenticator Apps demonstrate another key feature — that of domain-verified, chain-attested app identification. During selective disclosure (i.e., sign in) and transaction signing requests, apps are clearly identified to the user by an app name, icon and domain. These, along with other metadata, are retrieved from an application manifest served from the app’s domain and are asserted as part of the transaction. For more information on how this works, and its related benefits, see our previous EOSIO Labs Release: The Assert Manifest Security Model.
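A sketch of the authenticator-side checks that domain-verified, chain-attested identification implies, given that everything needed is passed in by the proposing app. It is an added example, not code from the EOSIO reference apps. The request fields, manifest layout and sample values are assumptions made for illustration and are not the formats defined by the Assert Manifest Security Model or the EOSIO Authentication Transport Protocol Specification.

```javascript
// Added illustration. Field names and the manifest layout are hypothetical,
// not the EOSIO Authentication Transport Protocol's actual wire format.
const { createHash } = require("node:crypto");

const sha256Hex = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Decide whether a signing request may be shown under the app's name and icon.
//   request        - data passed in by the proposing app
//   observedOrigin - origin the transport actually saw the request come from
//   manifestBody   - exact text served from the declared domain
function identifyApp(request, observedOrigin, manifestBody) {
  const reasons = [];
  const fail = (why) => reasons.push(why);

  // 1. Domain-verified: the declared domain must be where the request came from.
  let observedHost = null;
  try { observedHost = new URL(observedOrigin).host; } catch { fail("bad origin"); }
  if (observedHost !== null && observedHost !== request.declaredDomain) {
    fail("declared domain does not match request origin");
  }

  // 2. Chain-attested: the transaction asserts a manifest hash; the manifest
  //    as served must hash to exactly that value.
  if (sha256Hex(manifestBody) !== request.assertedManifestHash) {
    fail("served manifest does not match asserted hash");
  }

  // 3. The manifest must cover this domain and the chain being signed for.
  let manifest = {};
  try { manifest = JSON.parse(manifestBody); } catch { fail("manifest is not JSON"); }
  if (manifest.domain !== request.declaredDomain) fail("manifest is for another domain");
  if (!Array.isArray(manifest.chainIds) || !manifest.chainIds.includes(request.chainId)) {
    fail("manifest does not list this chain");
  }

  // Only a fully verified request gets the name and icon shown to the user.
  return reasons.length === 0
    ? { ok: true, name: manifest.name, icon: manifest.icon, domain: manifest.domain }
    : { ok: false, reasons };
}

// Constructed sample data (not real apps, chains or hashes).
const SAMPLE_MANIFEST = JSON.stringify({
  name: "Example Stay", domain: "stay.example", icon: "https://stay.example/icon.png",
  chainIds: ["chain-a"],
});
const SAMPLE_REQUEST = {
  declaredDomain: "stay.example", chainId: "chain-a",
  assertedManifestHash: sha256Hex(SAMPLE_MANIFEST),
};
```

Because the hash covers the manifest exactly as served, changing the name or icon after the hash was asserted fails check 2 even when the domain still matches.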

Richly-Rendered Ricardian Contracts

EOSIO provides for rich Ricardian contracts that plainly explain to users the action or actions they are agreeing to. Many wallets, however, do not take advantage of the ability to display these agreements to their users. And some resort to displaying the contents of the transaction to their users in formats which are intended to be parsed by computers, not humans (e.g., JSON, YAML).

Both the Chrome Extension and iOS Reference Authenticator Apps leverage the Ricardian Template Toolkit to provide users with a consistent, transparent, and user-friendly presentation of transaction data during the signing process. For more information, see our recent EOSIO Software Release: Ricardian Contract Specifications and the Ricardian Template Toolkit.

The Future of Authentication

While these reference implementations provide interesting, and hopefully compelling, solutions to some of the limitations and issues users face with blockchain wallets today, they are by no means the ultimate solution. We are submitting them to the community as part of the continuing conversation around what the user experience could be. There are still questions to answer, problems to solve, and possibilities to explore. For example:

  • How do we provide a safe and intuitive whitelisting/autosign experience for users on mobile? The EOSIO Reference Authenticator Apps currently only support manual signing.
  • If keys are generated in a secure element, such as Apple’s Secure Enclave, how do they get added to a user’s blockchain accounts in a seamless, secure and user-friendly way? And how does this work smoothly in a world with many EOSIO chains?
  • If keys are stored irretrievably within a secure element, what happens when a user loses their device? How does backup and recovery work without a third-party custodian? And how can multi-device syncing be facilitated?
  • How do we abstract all of the complexity of blockchain away from everyday users who simply want to interact with their websites and apps without having to think about whether or not they’re backed by a blockchain? More generally, how do we bring the security and transparency benefits of blockchain to the masses without sacrificing convenience and usability?
  • Could a blockchain authenticator like this one replace passwords on the web entirely? Could tools like this become general-purpose authenticators that happen to also bring the power of blockchain to everyone using them?

Those last questions are especially interesting and are the topic of our recent article, “A Passwordless Future: Building Towards More Secure and Usable Authentication Systems.”

We believe that the answers to many of these questions lie with the active and engaged EOSIO community. We hope that this open source release, and the many ideas that it brings together will inspire wallet developers to explore new ways of thinking about key management and signing for blockchain, and authentication more generally.

Next Steps

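If you would like to try the EOSIO Reference Authenticator Apps out for yourself, here are a few resources to get you started:

  • EOSIO Reference iOS Authenticator App: GitHub README; Getting Started with the example app
  • EOSIO Reference Chrome Extension Authenticator App: GitHub README
  • Tropical Example Web App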

If you have questions, suggestions, ideas, etc., get involved. We invite you to log issues or submit Pull Requests against these repos. Or fork them and innovate on your own.

Stay Connected

If you are interested in providing feedback and working more closely with our team to improve EOSIO for developers, you can send our developer relations team an email at developers@block.one.

You can also keep up to date with future updates by subscribing to our mailing list on the EOSIO Developer Portal. We are excited to be regularly improving the usability of the software for EOSIO developers as we continue to lay a foundation for the mass adoption of blockchain technology.


All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

Disclaimer: Block.one makes its contribution on a voluntary basis as a member of the EOSIO community and is not responsible for ensuring the overall performance of the software or any related applications. We make no representation, warranty, guarantee or undertaking in respect of the releases described here, the related GitHub release, the EOSIO software or any related documentation, whether expressed or implied, including but not limited to the warranties or merchantability, fitness for a particular purpose and noninfringement. In no event shall we be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or documentation or the use or other dealings in the software or documentation. Any test results or performance figures are indicative and will not reflect performance under all conditions. Any reference to any third party or third-party product, resource or service is not an endorsement or recommendation by Block.one. We are not responsible, and disclaim any and all responsibility and liability, for your use of or reliance on any of these resources. Third-party resources may be updated, changed or terminated at any time, so the information here may be out of date or inaccurate. Any person using or offering this software in connection with providing software, goods or services to third parties shall advise such third parties of these license terms, disclaimers and exclusions of liability. Block.one, EOSIO, EOSIO Labs, EOS, the heptahedron and associated logos are trademarks of Block.one. All other trademarks referenced herein are the property of their respective owners.

Original URL:

https://medium.com/eosio/eosio-labs-release-ios-and-chrome-extension-authenticator-reference-applications-d5cf900f7b00
