[DO NOT MERGE] Use notary-server
#12
Conversation
forcing nightly
modified notary server: https://github.com/mhchia/notary-server/tree/work-with-extension Changes - websocket connection to notary-server - HTTP request to /session first and get sessionId - Craft it through web_sys - Send HTTP request with `fetch` - Usually it's done with window, but in web worker there is no window - Use WebSocket API to establish wss connection to notary server - Chang notary-server to accept a param `sessionId` - In browser there is no way to add headers, so we couldn't add "X-Session-Id" - Prover config must use the session id returned from the notary server Concerns - Now we have to manually set notary server as trusted since the cert is self-signed. - rootCert couldn't be added when initiating HTTP request due to browser security config
|
@mhchia , just a quick thought about 2. Self-signed root cert (this approach requires some changes on the notary-server side) |
|
sry, this is actually a deeper topic. we first need to decide if it useful to allow the extension to use |
|
@themighty1 thanks a lot for your insights! 😊 Sorry that I didn't add context about the self-signed root. From my understanding from the discussion with @yuroitaki (please feel free to correct me if I misunderstood your points 🙏 ), it seems like we'll eventually be using an officially signed cert from a proper CA chain for the notary server in production. Given that, I'm thinking it might make sense to connect notary server with |
|
OK, makes sense about assuming that the notary will be using a proper CA-signed cert for now. Note however, for p2p (notary-less) scenarios where the prover proves interactively to the verifier, requiring the verifier to have a CA-signed cert seems unnecessarily burdensome. |
|
@themighty1 Thanks for the input! Now there is already a public notary server with a properly signed cert so it works well now. About the p2p scenario, for websocket on browser to work without verifying certs, I think you're right we would need to go with the TLS over a plain ws as you mentioned |
|
p2p scenario is tracked in #19. Closing this PR since it's stale |
Based on #11 . For this PR to be ready, we'd need some changes in notary-server.
Issues
1. No way to set
X-Session-IdNotary Server expects a header
X-Session-Idto getsession_id, but browser WebSocket API doesn’t allow setting custom headers. Possible workarounds can be seen here. Promising ones aresessionIdthrough the headerSec-WebSocket-Protocolconst ws = new WebSocket("wss://127.0.0.1:7047/notarize", ["sessionId", sessionId])Sec-WebSocket-Protocoland getsessionIdsessionIdthrough url params:const ws = new WebSocket("wss://127.0.0.1:7047/notarize?sessionId={sessionId}”)sessionIdsThis PR uses option 2 but now I'm leaning towards option 1 since it seems to have fewer side-effects.
2. Self-signed root cert
In the browser, no way to accept root cert when initiating http request, due to browser restriction. Now we can bypass it by manually setting the notary server as trusted.
What is done?
Talk to the notary-server instead of the simple-notary.
Steps to run
Step 1: Fill in information twitter message information
tlsn-extension/wasm/prover/src/lib.rs
Lines 43 to 52 in 9f40dc2
Step 2: Open a new terminal. Build and run a websocket proxy
Step 3: Open a new terminal. Run a modified notary server
Step 4: Build the wasm and run the dev server
Step 5: Load built extension
Go to
chrome://extensions, clickLoad unpacked, select thebuilddirectoryStep 6: Run notarize
Open the TLSN Extension and click
Notarize. Check out the console by clicking theoffscreen.htmlin the inspect views section in TLSN Extension