Typically in an application, security is defined by authentication and authorization. Authentication is about users and their passwords (to be simplistic), and authorization is about what an already authenticated user can do or cannot. These are basic security concepts.
If I try to extrapolate such concepts to Multichain, this is where I need some help to fit them properly, so please correct me if I'm mistaken.
As far as I understand Multichain, there are two types of authentication:
- At the node level --> Where you can configure whether anyone can join (public blockchain) or they need to be granted access (private blockchain).
- At the wallet level --> Where you get an address and can start running actions against the blockchain (based on your permissions, of course).
While the former seems pretty clear to me, the latter poses some doubts:
- If I get an address in a node, and permissions for whatever actions, then such address becomes both the username and the password because I just need to indicate it when running commands like publishing or subscribing to a stream; in other words, I don't need to sign anything or use any private key (which is not even visible when you create a new address with 'getnewaddress') and just the address is enough. Is my understanding correct?
- So if I just need the address, isn't this a security issue as anyone who finds it out can impersonate me?
- Therefore, when using 'getnewaddress', is such address actually becoming sort of the "do not share, do not disclose" information, similarly to a private key?
My confusion here is basically that I've been playing around with public test blockchains in the past (Ethereum, Bitcoin) and when creating a wallet (i.e. an address in the scope of Multichain), I was given also the private key, so whenever I wanted to send a transaction, I had to use my wallet address, but always sign it with my private key. However, in Multichain you would only need the wallet address.
Now sure if I'm exposing my concerns properly here, but I would like to really understand what the use cases are for addresses created with 'getnewaddress'.
Also reading the docs I've found a reference in 'getnewaddress' to a parameter 'accounts', but I haven't been able to find any documentation around it. Could you also please elaborate a bit more on this?