Scope and use cases for addresses (and not key pairs)

+1 vote


I'm a newbie to Multichain and I'm trying to understand how everything fits in terms of users. Let me explain.

Typically in an application, security is defined by authentication and authorization. Authentication is about users and their passwords (to be simplistic), and authorization is about what an already authenticated user can do or cannot. These are basic security concepts.

If I try to extrapolate such concepts to Multichain, this is where I need some help to fit them properly, so please correct me if I'm mistaken.

As far as I understand Multichain, there are two types of authentication:

  1. At the node level --> Where you can configure whether anyone can join (public blockchain) or they need to be granted access (private blockchain).
  2. At the wallet level --> Where you get an address and can start running actions against the blockchain (based on your permissions, of course).
While the former seems pretty clear to me, the latter poses some doubts:
  • If I get an address in a node, and permissions for whatever actions, then such address becomes both the username and the password because I just need to indicate it when running commands like publishing or subscribing to a stream; in other words, I don't need to sign anything or use any private key (which is not even visible when you create a new address with 'getnewaddress') and just the address is enough. Is my understanding correct?
  • So if I just need the address, isn't this a security issue as anyone who finds it out can impersonate me?
  • Therefore, when using 'getnewaddress', is such address actually becoming sort of the "do not share, do not disclose" information, similarly to a private key?
My confusion here is basically that I've been playing around with public test blockchains in the past (Ethereum, Bitcoin) and when creating a wallet (i.e. an address in the scope of Multichain), I was given also the private key, so whenever I wanted to send a transaction, I had to use my wallet address, but always sign it with my private key. However, in Multichain you would only need the wallet address.
Now sure if I'm exposing my concerns properly here, but I would like to really understand what the use cases are for addresses created with 'getnewaddress'.
Also reading the docs I've found a reference in 'getnewaddress' to a parameter 'accounts', but I haven't been able to find any documentation around it. Could you also please elaborate a bit more on this?
asked Jan 17, 2019 by emedina
I'm trying to understand the same. Especially in case of WebBrowser sitting halfway around the world, what is equivalent of a wallet? Where is the private key stored in case of web client?

1 Answer

0 votes
Best answer

Behind every address is a private key that is only known to the node that generated that address. And anything done by this address is only accepted by the network if signed by that corresponding private key. So when you call getnewaddress you're also creating a corresponding private key and storing it in that node's wallet.

answered Jan 18, 2019 by MultiChain
selected Jan 19, 2019 by emedina