# Discussion of a proposal from jserv's Twitter (2017-12-20)

## Discussion

[Original article](https://docs.google.com/document/d/1xEO-4hUsQBUEY-bW2OS7qsM2hdlkf8-SXebc0QezZyw/edit)

**User registration for an IOTA-enabled website:**

1. User clicks to register on amazon.com
2. A QR code/number is given by amazon.com representing a new seed
3. User tells his app that he wants to create a new registration
4. App tells him to scan or enter the code
5. After that, the seed is shared between the app and amazon.com
6. User logs in as described below

**User login into an IOTA-enabled website:**

1. Amazon.com creates and shows a QR code/number which is gibberish (random)
2. The user scrolls in his app to the entry which represents amazon.com
3. User enters the given number (by scan or keyboard) and a transaction is initiated
4. The address for the transaction is based on a seed shared by the app and by amazon.com
5. 0 IOTA is sent to the generated address, including the gibberish as an attachment
6. The website sees the transaction in the shared wallet, verifies the transaction, and the user enters his account

## Flow

![](https://i.imgur.com/4Rwklfu.png)

- - -

![](https://i.imgur.com/RD52sGH.png)

## Disadvantages

1. At registration time the seed should not be generated online, on the website's side, and then handed to the user. This is insecure, just as a password or an RSA key pair should not be generated online by the remote party.
2. At login time the random code should be placed in the transaction tag; the website then derives the address from the shared seed at the agreed address index and searches the Tangle for transactions on that address in order to check the tag. But done this way, the seed plays no meaningful role in the transaction, as shown below:

![](https://i.imgur.com/ygQpj1j.png)

## Better Solution

We can do this directly with TangleID, as follows:

![](https://i.imgur.com/qfQUYZz.png)

- - -

![](https://i.imgur.com/lyfgdmi.png)

## Conclusion

* The TangleID solution removes the security problem of the original scheme, in which the seed is transmitted between client and server at registration time.
* But the two schemes do not differ much in the time cost of a login: both end up doing the same lookup, [API (find_transactions)](https://github.com/iotaledger/iota.lib.py/blob/master/iota/api.py#L198).
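The login flow of the original proposal, with the check behind Disadvantage 2 run against it, as an added Python simulation; this is not code from the proposal, from TangleID or from PyOTA. The Tangle is replaced by an in-memory list, IOTA's Kerl-based address derivation by HMAC-SHA256 (only determinism and one-wayness in the seed matter here), and the `find_transactions` method only mirrors the shape of the PyOTA call linked in the conclusion. The `Website`, `App` and scenario function names are the example's own, and the `seedless_login` scenario assumes the same address index is reused across logins.

```python
import hashlib
import hmac
import secrets


class FakeTangle:
    """In-memory stand-in for the Tangle: a public, append-only list of transactions."""

    def __init__(self):
        self.transactions = []

    def attach(self, address, value, tag):
        # Zero-value IOTA transactions carry no signature, so nothing here
        # binds the transaction to whoever holds the seed.
        tx = {"address": address, "value": value, "tag": tag}
        self.transactions.append(tx)
        return tx

    def find_transactions(self, addresses=None, tags=None):
        """Same shape as PyOTA's find_transactions(): filter by address and/or tag."""
        return [
            tx for tx in self.transactions
            if (addresses is None or tx["address"] in addresses)
            and (tags is None or tx["tag"] in tags)
        ]


def derive_address(seed: bytes, index: int) -> str:
    """Stand-in for IOTA address derivation (Kerl over seed and index):
    deterministic in (seed, index) and one-way in the seed."""
    return hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha256).hexdigest()


class Website:
    def __init__(self, tangle):
        self.tangle = tangle
        self.seeds = {}    # username -> shared seed (registration step 5)
        self.pending = {}  # username -> (challenge, address index) (login step 1)

    def register(self, username):
        seed = secrets.token_bytes(32)  # generated online by the site (Disadvantage 1)
        self.seeds[username] = seed
        return seed                     # handed to the app "as a QR code"

    def start_login(self, username, index=0):
        challenge = secrets.token_hex(8)  # the random "gibberish", shown to whoever asked
        self.pending[username] = (challenge, index)
        return challenge

    def finish_login(self, username):
        challenge, index = self.pending.pop(username)  # each challenge is single-use
        address = derive_address(self.seeds[username], index)
        hits = self.tangle.find_transactions(addresses=[address], tags=[challenge])
        return len(hits) > 0  # the whole check is "address and tag match"


class App:
    def __init__(self, tangle):
        self.tangle = tangle
        self.seeds = {}  # site name -> shared seed

    def register(self, site, seed):
        self.seeds[site] = seed

    def login(self, site, challenge, index=0):
        address = derive_address(self.seeds[site], index)
        self.tangle.attach(address, 0, tag=challenge)  # 0 IOTA, challenge as the tag


def _setup():
    tangle = FakeTangle()
    site, app = Website(tangle), App(tangle)
    app.register("amazon.com", site.register("alice"))  # registration, seed shared
    return tangle, site, app


def honest_login():
    tangle, site, app = _setup()
    challenge = site.start_login("alice")
    app.login("amazon.com", challenge)
    return site.finish_login("alice")


def stale_challenge_login():
    """Replaying an old challenge fails: its tag no longer matches the pending one."""
    tangle, site, app = _setup()
    old = site.start_login("alice")
    site.start_login("alice")            # a fresh challenge replaces the old one
    app.login("amazon.com", old)
    return site.finish_login("alice")


def seedless_login():
    """Disadvantage 2 (address index reused): after one honest login the address is
    public on the Tangle, and a party without the seed passes the same check by
    attaching its own zero-value transaction carrying the new challenge."""
    tangle, site, app = _setup()
    app.login("amazon.com", site.start_login("alice"))
    assert site.finish_login("alice")
    seen_address = tangle.transactions[-1]["address"]  # read off the public Tangle
    challenge = site.start_login("alice")             # attacker asks to log in as alice
    tangle.attach(seen_address, 0, tag=challenge)      # no seed involved
    return site.finish_login("alice")


if __name__ == "__main__":
    print("honest login:", honest_login())
    print("stale challenge:", stale_challenge_login())
    print("login without seed:", seedless_login())
```

If the address index is rotated on every login, the third scenario no longer works as written, because deriving the next address requires the seed; the demonstration depends on that assumption. What it shows either way is that the website's verification reduces to matching an address and a tag on an unsigned zero-value transaction, which is the sense in which the seed contributes nothing to the transaction itself.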