I would propose doing this in reverse: create a new authority for transferring and merging cards. Posting key as it is on Steem isn't supposed to allow transferring of assets, which makes having Monsters tied to it something of a security hole.
I'd much rather see some new sort of Monsters active password that is required to do any of the asset-adjustment class of actions, which would accomplish the same thing as your proposal with essentially the same amount of work.
You could then allow them to be signed with active key as well for people who want to do them through blockchain actions.
I'm not sure how this works to be honest... how do you prevent transfer jsons that people have right now from being transfered with the posting key? Or do you first have to get everyone to tranfer those jsons to that other "authority" dominion?
Heck i'm not sure I'm even talking about it correctly.
And you can do all steemmonsters actions still on the blockchain with open transparency?
Custom_json has a required_auths attribute, I presume that can be changed to Active without too much trouble, although I haven't tried it. It would involve changing the transfer system to require it on the back end.
Doing it without active key would probably require the back end to publicly document transactions in order to keep the transparency, which does make it more centralized.
I'm revising my opinion of how much more work this would be as I think it through, though. It's probably easier to just get card delegation working, so we can move all of our Monsters into cold accounts.
Why not just create a simple login for your friends with normal passwords that they can remember. And it has zero risk. Because it only let's the user do battle related transactions.
Yeah, I think your idea makes sense if delegation isn't imminent. My issue with it is it doesn't solve the security hole of having large assets tied to the same key I have in code and hand out to front ends. But I'm less convinced those two issues can be solved at the same time than I was when I wrote the first comment, having thought it through some more.
Yeah i think you're looking more at the security hole which they can still work on. I just want to give access to friends to play... and I'm not even willing to give them a posting key even if they couldn't do transfers and other steem transactions... i just don't want them to have a key at all.