Canary Interface ERC #801
Canary Interface ERC #801
Conversation
ligi
force-pushed
the
add_canry_erc
branch
3 times, most recently
from
1fb11c3 to
6f89c92
Compare
ligi
changed the title
ligi
force-pushed
the
add_canry_erc
branch
3 times, most recently
from
8021dae to
bd4185f
Compare
|
I think there should be a uint256 "lifespan" variable rather than the TTL implementation, defined as a block number. If the lifespan block number is less than or equal to the current block number, the canary is dead. feed() would take a duration parameter that is added to the current lifespan. addFeeder() should have additional parameter maxLife that functions as a cap to the amount feeder's can add to the lifespan. Valuable effects would include: • large enough negative values to feed() potentially replace poison(), and other (smaller) negative values allow for reducing canary lifespan without killing it (useful if the canary user knows there is an impending warrant and wants to provide notice sooner, but is unable to update it themselves to immediately kill the canary) • allowing feeders to extend lifespan by varying amounts (useful for when somebody knows they will be unable to feed for a period of time greater than the TTL, but doesn't expect a warrant to be served in the mean time) • disallowing certain feeders from being able to increase the lifespan (kill only if maxLife is a large enough negative value assigned to a certain feeder, one reason why lifespan should be defined as a block numer) |
|
Thanks for the feedback! Like the ideas and will most likely change the proposal to address most of them - just not sure about timespan per feeder yet - have to think about this a bit. But am glad I did not yet implement as otherwise I would have to throw away code to fit the new API |
|
I would urge not to include a permission management interface (the Consider a Canary whose only feeder account has been compromised. If it is possible to transfer its permissions to another account, that is in full control of the attacker; then revoking or destroying the initial compromised feeder (disbanding a multisig, deleting a proxy contract, whatever other additional means might have been used) would do nothing for the Canary. It can still be fed by an attacker. Including an interface is proposing people use it; and suggesting that it is sufficient. Making an interface optional for concrete implementations - or for people to use - is asking for a systemic edge case, where interpretation of the result isn't binary. |
EIPS/eip-canary-standard.md
Outdated
|
|
||
| EIP: 801 | ||
| Title: ERC-801 Canary Standard | ||
| Author: ligi<ligi@ligi.de> |
There was a problem hiding this comment.
A space before < would look more normal.
EIPS/eip-canary-standard.md
Outdated
|
|
||
| #### isAlive() | ||
|
|
||
| Returns if the canary was feed properly to signal e.g. that no warrant was received. |
There was a problem hiding this comment.
Grammar: I think it should be the canary was fed. I'm not a native speaker and so might be mistaken.
EIPS/eip-canary-standard.md
Outdated
|
|
||
| #### timeToLive() | ||
|
|
||
| The time in seconds that can elapse between feed() calls without starving the canary dead. |
There was a problem hiding this comment.
Is an implementation allowed to change the return value of timeToLive() from time to time? Or is that intentionally left open?
EIPS/eip-canary-standard.md
Outdated
|
|
||
| #### feed() | ||
|
|
||
| Extend the life of the canary by timeToLive() seconds. |
There was a problem hiding this comment.
I guess not anyone is allowed to do this, so, something like: "throws when the caller is not one of the feeders."
EIPS/eip-canary-standard.md
Outdated
|
|
||
| Extend the life of the canary by timeToLive() seconds. | ||
|
|
||
| **NOTE**: this should trigger the event listed below |
There was a problem hiding this comment.
Is it the case, even when needsAllFeeders() is true, each time feed() is called, the event should fire?
EIPS/eip-canary-standard.md
Outdated
|
|
||
| ``` js | ||
| function poison() | ||
| ``` |
There was a problem hiding this comment.
I think Poisoned() is an interesting event to watch.
EIPS/eip-canary-standard.md
Outdated
|
|
||
| #### (optional) addFeeder(address feeder) | ||
|
|
||
| Add address that is allowed to feed (and therefore also poison) the canary. |
There was a problem hiding this comment.
Who can successfully call this method?
EIPS/eip-canary-standard.md
Outdated
|
|
||
| #### (optional) removeFeeder(address feeder) | ||
|
|
||
| Remove address that is allowed to feed the canary. |
There was a problem hiding this comment.
Who can successfully call this method?
EIPS/eip-canary-standard.md
Outdated
| ``` js | ||
| event Feed(address feeder) | ||
| ``` | ||
|
|
There was a problem hiding this comment.
Maybe there should be an event for new/deleted feeders.
|
I agree with Yoichi that this contract doesn't need to have super tight security measures since there's little at risk in terms of user's funds or service infrastructure. Those measures can certainly be optional. It's when you want to give limited abilities (kill only), or have tighter control over the lifespan of the canary (reduce time until it expires, extend the time in varying amounts), that adding additional feeders becomes useful. The worst-case scenario should be that the canary contract owner PK is compromised, and the owner must redeploy another contract and push some updates to their website or other platforms that display info on the canary to make the original one irrelevant. I don't think this would cause significant harm if it were to happen. I don't think it's the contract's responsibility to protect the owner's private key. That should be assumed. |
|
@pirapira thanks so much for the comments - will adapt them soon |
|
@ligi my pleasure. Since the feeder itself can be an Ethereum contract, maybe it's possible to avoid specifying authentications. They can be implemented in feeder contracts. |
|
@pirapira Was also thinking yesterday there is already too much implementation detail in here and split things up. And already a lot of new ideas came up in the comments here. So I was thinking what really defines the Canary? And in the end it might be just:
and maybe:
Then other ERC might specify different types of canaries (getType()?) - like SimpleCanary, MultipleFeedersCanary, AutomaticContractTriggerCanary, NegativeFoodCanary, .. |
ligi
force-pushed
the
add_canry_erc
branch
4 times, most recently
from
c36de76 to
46b7dcc
Compare
|
Guess my thoughts match with the previous two comments, except arriving at a similar conclusion by different path. Below tangent to the PR; sorry.
I beg to differ! If we consider "push some updates to their website" as a valid escape from a "feeder PKs compromised" scenario, then the purpose of using a blockchain is moot. From summary:
My concern is not for a human being browsing a website (even an IPFS/Swarm one), where an update can be pushed without warning. My concern is for an automated agent, for whom the canary may be the only source of truth. The only acceptable outcome on "feeder PK compromise" - or any other failure that is likely to lead to disaster - should be death of the original canary. It must not be allowed to linger! This brings in the question of how exactly was the key compromised - and there are many scenarios for this one. My first comment briefly describes one where, even if the original feeder's keys are destroyed, the canary stays alive. This is made possible by including an interface that's not essential for the basic purpose of the contract. It might as well be implemented elsewhere (and I argued that it should). Which brings up the second point:
Let's not assume a particular use, e.g. "I haven't been served a subpoena". For example, EAC used a canary to indicate service availability. So, although the canaries themselves did not hold funds for anyone but the service operator, it was certainly not safe to use the service if the canary was dead. In short: when speaking of the canary's security, it is not (only) the canary itself that is being protected, but (also) what the canary represents. |
EIPS/eip-canary-standard.md
Outdated
| * `5` = Multiple mandatory feeders (as defined in ERC-TBD) | ||
| * `6` = IOT (as defined in ERC-TBD) | ||
|
|
||
| `1` might also be used for a special purpose contract that does not need a special type but still want to expose the functions and provide events as defined in this ERC. |
There was a problem hiding this comment.
still want to->still wants to.
EIPS/eip-canary-standard.md
Outdated
|
|
||
| #### RIP | ||
|
|
||
| MUST trigger when the canary died. |
There was a problem hiding this comment.
I don't think this is implementable. When the canary contract is never called, it cannot produce events, even though the canary dies after a while.
I think "MUST trigger when the contract is called the first time after the canary died" is implementable
|
@pirapira thanks a lot for review and merge - much appreciated! |
|
Something that occurred to me - this contract probably wouldn't require much modification to be used as a way to release funds in the case of losing control of a private key (loss/death/capture). If the contract isn't pinged with a feed()-like transaction regularly, it automatically releases stored funds to a specific address or ENS name. Personally, I would use something like this and set the interval to be something like 1 year between feed() calls. Would this be a new ERC or something integrated into this contract? |
|
Is there a chance to integrate a "Dead Man's Switch"? Or would that be a different interface? |
|
@AtLeastSignificant should work - but I would see the funds-release/management in another contract that consumes/uses this interface @superphly I think this should be directly usable as a Dead Man's Switch |
|
Have you given thought to integrating with Ethereum Alarm Clock for the RIP event / the Dead Man's Switch? |
|
@hyperfekt sounds reasonable - but I like KISS in the beginning and getting complicated later |
|
@hyperfekt I just wrote an updated canary contract for the ethereum alarm clock that is similar to what I think you're proposing. It schedules a transaction to itself every two hours and if one of the transactions fails it dies. It implements the As to your point about event notifications in the alarm clock I'm not really sure what you mean. If you'd like to join us on the Gitter chat , we are currently making some changes to the contracts and are open to ideas |
The canary can e.g. be used as a warrant canary.
A standard interface allows other applications to easily interface with canaries on Ethereum - e.g. for visualizing the state, automated alarms, apps to feed the canary or contracts (e.g. insurance) that use the data.
Solves the following problems with current (warrant) canaries:
Signing a news headline is more work and less secure than using Ethereum for this task. The effort it takes to sign a news headline also leads to organisations not going this route at all and e.g. just adding a signal to twitter or some other site - which is way less secure and brittle.
ERC-801 could be the standard to solve this problem
in the same post:
The immutability of Ethereum can also help here.
As far as I see a lot of problems that are outlined in the post could be solved by leveraging Ethereum for this use-case - this gives me hope that it could even bring back https://canarywatch.org or lead to a similar service as there is no more need for an authority like the EFF to do the otherwise difficult task of interpreting the canary state.
Makes it also possible to keep the canaries alive with hardware wallets and improve security this way.