[CAIP-171] - drop cryptographic/entropic UUID requirement?

[bumblefudge]

Discussing with RPC Chair today, there was some discussion about different future in-browser architectures and whether they would have any internal need for sessionIds, or if session management will happen elsewhere and without need to align with dapp tracking of them.

Do browser-extension or browser-internal/DOM-internal wallets have opinions on this? Would the obligation to create this identifier for dapp counterparties and parity/interoperability with WC and mobile wallets be onerous? Does entropic requirement have security properties and values for other wallets? INPUT WELCOME, whether here or at RPC WG calls.

[kdenhartog]

It's not clear to me what the question is here. Is the concern that we don't think session identifiers need to exist or that we don't believe they need to have cryptographic requirements around them?

There is a way that we could achieve the same security requirements by binding the session to the origin it's connected to and have the wallet maintain an internal mapping where it checks every session identifier is being used by the correct origin. Then the cryptographic requirements wouldn't be necessary since we'd achieve the security in a different way.

In theory this is actually a more secure design because these session identifiers are capability objects theoretically could be stolen to conduct a session hijacking attack to bypass permissions. The advantage to the cryptographic requirement though is that you can delegate the session permissions to a first/third party iframe which may be useful. In general, I've leaned towards not wanting to allow cross origin sharing of information because it can lead to cross origin tracking and other unexpected privacy and security violations, so maybe it's better that we don't actually use a cryptographic entropy requirement and instead require the wallet to maintain state connecting the origin to the session identifier?