Can SQRL be used for authentication in a DApp?


IceBear

Member
Apr 25, 2021
Hi there,

At the moment I am searching for solutions to implement authentication and accounting into so-called DApps.
The problem with that is that there is essentially zero trust between all the involved parties.
That's why I think it could be possible to implement SQRL into DApps. The thing is, I am entirely new to SQRL;
maybe this idea is just a fallacy after listening to that two-hour talk, but essentially it should be possible to put SQRL onto IPFS, for example?
What do y'all think about this idea?

Kind regards,

IceBear
 

PHolder

Well-known member
May 19, 2018
I don't know much about DApps but I get the concept. The problem for SQRL in this context is that it is a client/server design: you need a server to be the authority with respect to who is authorized and who is not. It seems to me that DApps are all peers and there would be no server.
 

IceBear

Member
Apr 25, 2021
You are right about the part with DApps being decentralized; what I however wonder about is how asymmetric cryptography matches that scheme.
If I send you a PGP-encrypted mail, for example, I do not need to trust my server, and my server does not need to be in a position of higher authority than your server. The PGP encryption still protects the content, so I am curious whether it would be possible to just sign content on a platform and give control over it based on the per-site key SQRL would generate.
 

PHolder

Well-known member
May 19, 2018
Nope, SQRL is explicitly designed around a client/server model. Something new could be invented, but it wouldn't be SQRL or even related. The idea with SQRL is that there is a server with a database of clients you want to allow access. I guess, if your idea is to allow the DApp to be the server, then SQRL clients could authenticate against the DApp, I guess. But then how would the DApp manage the clients? It would need a store of client public keys that randos couldn't mess with.
 

IceBear

Member
Apr 25, 2021
Well, IPFS is hash-based storage, therefore the security of the content is cryptographically ensured. As public keys are public, people who stumble upon them by accident shouldn't be able to do damage. So I guess this shouldn't be a problem. You might wonder how people reach such an app: basically by the hash of the app's source code. Therefore this should work as well.
 

PHolder

Well-known member
May 19, 2018
Well, presumably the app needs to write to the storage to add a new account's public key. If no one can write to the data, then you can't have authentication to begin with. And what's to stop another copy of the app from overwriting that data with different data? I guess the point is: why have authentication if anyone can write to the data? You're going to need to explain your desired use case better than "can it work"... "can what, specifically, work?"
 

IceBear

Member
Apr 25, 2021
Everyone can write data, nobody can delete it. That's why it should be able to work out; considering everyone attaches a signature to their content, authentication should be possible.
 

PHolder

Well-known member
May 19, 2018
SQRL is designed around the end user managing their own state, and the server prevents one user from affecting another. If the client is also the server, then a malicious client can write fake data. If I can write data, then I can, in essence, overwrite data. This will cause confusion. I can write a record saying your account is disabled, or that your password is changed, or well, anything really.
 

AlanD

Well-known member
May 20, 2018
Rutland, UK
> Everyone can write data, nobody can delete it. That's why it should be able to work out; considering everyone attaches a signature to their content, authentication should be possible.

But you would need some centralised database (list of keys) to authenticate the signatures in case of dispute.
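PHolder's objection (anyone can append "your account is disabled") and AlanD's answer (you need an agreed list of keys to settle disputes) in runnable form, as an added example that is not from this thread or from the SQRL project. It assumes a SQRL-style per-site key derivation (Ed25519 seed = HMAC-SHA256 of the site domain under the identity master key); the master keys, domain names and account records are constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// perSiteKey derives a SQRL-style per-site key pair: the Ed25519 seed is
// HMAC-SHA256(identity master key, site domain), so each site sees a different key.
func perSiteKey(imk []byte, domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, imk)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // SHA-256 output is exactly the 32-byte seed
}

// Record is one entry in an append-only log that anyone may write to.
type Record struct{ Account, Payload string; Pub ed25519.PublicKey; Sig []byte }
func msgOf(r Record) []byte { return []byte(r.Account + "\x00" + r.Payload) }

// sign produces a signed entry under the given account name, for whoever holds priv.
func sign(priv ed25519.PrivateKey, account, payload string) Record {
	r := Record{Account: account, Payload: payload, Pub: priv.Public().(ed25519.PublicKey)}
	r.Sig = ed25519.Sign(priv, msgOf(r))
	return r
}

// validRecords keeps entries whose signature verifies AND whose key is the first key seen for
// that account; the signature alone only proves that *some* key signed the entry.
func validRecords(log []Record) (accepted []Record, rejected int) {
	owner := map[string]string{} // account -> public key bound on first write
	for _, r := range log {
		bound, seen := owner[r.Account]
		if !ed25519.Verify(r.Pub, msgOf(r), r.Sig) || (seen && bound != string(r.Pub)) {
			rejected++ // tampered payload, bogus signature, or a key that does not own the account
			continue
		}
		owner[r.Account] = string(r.Pub)
		accepted = append(accepted, r)
	}
	return
}

func main() {
	alice := perSiteKey([]byte("constructed-alice-master-key"), "example.dapp")
	mallory := perSiteKey([]byte("constructed-mallory-master-key"), "example.dapp")
	ok, bad := validRecords([]Record{sign(alice, "alice", "status=active"),
		sign(mallory, "alice", "status=disabled"), sign(alice, "alice", "email=updated")})
	fmt.Printf("%d accepted, %d rejected\n", len(ok), bad) // 2 accepted, 1 rejected
}
```

The first-writer-wins binding in `owner` is the minimal "list of keys" AlanD describes; a peer that never saw the first record cannot settle the dispute, which is the role the SQRL server plays.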