[EIP] Security Warning #1

Merged
merged 1 commit into from
May 16, 2018
4 changes: 4 additions & 0 deletions EIPS/eip-1001.md
Expand Up @@ -40,6 +40,10 @@ Where all of the key + value pairs are optional, allowing for maximum flexibilit
`name` (optional) is a name ofthe private key - e.g. "paper wallet"
`type` (optional) is the type of key (STRING) - Defaults to ECDSA

### Security Warning

Since private keys are highly sensitive information, it is considerably safer if input (via QR code, keyboard etc.) is handled directly by the target application, rather than going through some IPC mechanism (e.g. the Intent mechanism in Android OS), trusting third-party applications (such as a QR code reader) with the private key. Thus, it is **recommended** to display a security warning, whenever the application receives a private key through IPC messaging, warning the user about the risks associated with using a third-party application to input private keys.
Owner

Thanks! Just not sure about the mention of keyboard here. Keyboard opens a big can of worms on Android and I also do not think humans should enter their private keys via keyboard. Let's discuss this in person later.


## Compatibility and Versioning
Future upgrades that are partially or fully incompatible with this proposal must use a prefix other than `private_key-` that is separated by a dash (`-`) character from whatever follows it, as specified by ERC #831.
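
Review bot: In the added Security Warning paragraph, the parenthetical "(via QR code, keyboard etc.)" names the keyboard as an input path handled directly by the target application, while the recommendation that follows covers only keys received "through IPC messaging". Either drop the keyboard mention or state how keyboard input is to be treated, so the scope of the warning is unambiguous. The recommendation is also marked with bold "**recommended**" rather than a normative keyword; if it is meant as a requirement level, write it as RECOMMENDED and state which receiving paths trigger the warning, since the text gives the Android Intent mechanism only as an example.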
