You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hayk's domain-identity track has three PRs open across two repos. Sit with the diffs, validate the security model end-to-end, leave the actionable comments. This is a thread that touches identity binding, RPC surface, and the SDK builder all at once — needs one reviewer who can see all three at the same time so the contract between layers stays consistent.
Already-known high-severity points from the first review pass (need to be confirmed addressed or pushed back on):
node Verify website ownership for domain identities #897 — the signed proof message has no hostname / sender / nonce binding. An attacker who fetches the victim's .well-known/demos-cci.txt once can re-host it on their own domain and the same message + type + signature verifies. Either bind hostname + sender + a server-issued nonce/timestamp into the signed payload, or this binding proves nothing about which domain you actually control.
node Verify website ownership for domain identities #897 — the RPC is authRequired: false with no per-IP rate limit. Even with the SSRF guard, every node becomes an open HTTPS GET proxy. Either gate the RPC or rate-limit it.
sdks Decoding how crosschain transactions worked in the Legacy Frontend #91 — the domain claim ships its own flat web2 sub-context and re-signs the legacy dw2p message rather than aligning with the new ClaimReference + dacs-*:v1: scheme shipped on feat/sr4-cci-channel-transcript. Aligning keeps us shipping ONE identity format across SR-4 and DACS-3; not aligning means we ship two.
Acceptance
Each of the three PRs has either an approval or a request-changes comment with the concrete blockers
Domain proof verifier binds hostname + sender + nonce into the signed payload
What
Hayk's domain-identity track has three PRs open across two repos. Sit with the diffs, validate the security model end-to-end, leave the actionable comments. This is a thread that touches identity binding, RPC surface, and the SDK builder all at once — needs one reviewer who can see all three at the same time so the contract between layers stays consistent.
PRs in scope
getDomainProofRPC + domain verification (CCI side) — Verify website ownership for domain identities #897addDomainIdentity+ domain identity types — Add domain identity (website ownership) support sdks#91What to focus on
Already-known high-severity points from the first review pass (need to be confirmed addressed or pushed back on):
.well-known/demos-cci.txtonce can re-host it on their own domain and the samemessage + type + signatureverifies. Either bind hostname + sender + a server-issued nonce/timestamp into the signed payload, or this binding proves nothing about which domain you actually control.authRequired: falsewith no per-IP rate limit. Even with the SSRF guard, every node becomes an open HTTPS GET proxy. Either gate the RPC or rate-limit it.web2sub-context and re-signs the legacydw2pmessage rather than aligning with the newClaimReference+dacs-*:v1:scheme shipped onfeat/sr4-cci-channel-transcript. Aligning keeps us shipping ONE identity format across SR-4 and DACS-3; not aligning means we ship two.Acceptance
getDomainProofRPC is gated or rate-limitedClaimReference/dacs-*:v1:scheme OR has a documented reason it cannotSource
Earlier review summary on these PRs is in conversation context; concrete file:line citations there too.