Ethereum

What if a site wants to manage a key directly, but have it derived from the user's wallet? This seems like a growing use case with embedded wallets. Should we have a method that just passes sites keys that are generated deterministically to their domains?

What if a site wants to manage a key directly, but have it derived from the user's wallet? This seems like a growing use case with embedded wallets. Should we have a method that just passes sites keys that are generated deterministically to their domains?

https://ethereum-magicians.org/t/wallet-getexposedappkey/20958

co founder of @metamask . Making computers behave for us.

Is private key information touching the network? I feel like crypto rule #1 is "never put your privates on the Internet".

Maybe the site can, on the backend, generate an hd root key that can then be blessed by the user such that the site can generate new time bound ephemeral keys as needed.

It's scary enough having keys floating in the site's origin just in the local browser 😅  Either way, passing private keys around seems dirty.

Yeah, I largely agree. I’d prefer to never move keys, and wish sites existed that could not phone home, and could be static. The modern browser makes things that would ideally be great be dangerous.

Even exposing a signing interface (as many of the session key implementations are doing) has a similar issue: any dependency on those sites can also sign freely.