EIP ERC App Keys: application specific wallet accounts

Hi,

It took me a while, but I finally had the time to think a bit more about the proposal, and I am a bit concerned about its practicalities.
The idea of isolating apps as much as this proposal does is in my opinion not necessarily a good thing.

Of course this is use-case dependent, but I think users would benefit more from isolating a subset of apps, like games vs DeFi vs social platforms, instead of apps themselves.

After all, one of the main benefits of blockchain is interoperability, and while such a proposal does not block interoperability, it makes it harder for, let's say, 2 games to easily let players use their items in both.

The reason why is that the proposal hides away the persona account.
I’d like to propose a change so that app keys would only act as delegate signing keys on behalf of the persona account, in a way that a smart contract can validate that such a delegate indeed has the right to act on behalf of the persona for that particular action.

This means that such app keys would never perform any transaction and should not hold any funds.

This is obviously a considerable change to the idea, but this is what I am looking for as an app developer, and that is why I proposed a similar mechanism via changes to EIP-712 so that the account remains an identifier shared across apps.
App keys would be able to integrate it at a lower level though, supporting all signature schemes.

Also, as mentioned in my previous comment, I really think the proposal should add a mechanism to use content-addressable network URIs as application names. This should actually be the preferred method since it ensures the application code cannot change (assuming it is not linking to other URIs, in which case the browser can show a warning).

ENS names and DNS names on the other hand should not be considered for app keys without a warning to the user. After all ENS and DNS are vulnerable to the name owner changing the underlying application.

For ENS, if the name resolves to a content-addressable URI as mentioned above, then the application name should be based on the URI and in that case no warning would be necessary.
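The naming rules suggested in the post above, written out as a wallet-side check; this is an added example, not code from the post or from the EIP. The function names, the `resolveContenthash` callback, the `ipfs`/`bzz` scheme list, the `.eth` test and the sample hash are all assumptions made for illustration.

```javascript
// Added sketch. Schemes treated as content-addressable are an assumption.
const CONTENT_URI = /^(ipfs|bzz):\/\/([A-Za-z0-9]+)(?:[\/?#].*)?$/;

// Root of a content-addressable URI ("ipfs://<hash>"), or null for anything else.
function contentRoot(uri) {
  const m = CONTENT_URI.exec(uri || "");
  return m ? `${m[1]}://${m[2]}` : null;
}

// Host part of a DNS or ENS origin, lowercased.
function hostOf(origin) {
  return origin.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[\/:?#]/)[0].toLowerCase();
}

// origin: where the app was loaded from.
// resolveContenthash: hypothetical callback (ensName) => URI string or null.
// linkedUris: URIs the loaded code links to, as reported by the browser.
function appIdentity(origin, resolveContenthash = () => null, linkedUris = []) {
  let root = contentRoot(origin);
  if (!root) {
    const host = hostOf(origin);
    const isEns = host.endsWith(".eth");
    // An ENS name that resolves to content-addressed code is named after that URI.
    if (isEns) root = contentRoot(resolveContenthash(host));
    if (!root) {
      const kind = isEns ? "ENS" : "DNS";
      return { appName: host, warn: true, reason: `${kind} name owner can change the application` };
    }
  }
  // Code reachable outside the app's own content root can change after the fact.
  const outside = linkedUris.filter((u) => contentRoot(u) !== root);
  return outside.length
    ? { appName: root, warn: true, reason: `code links outside ${root}` }
    : { appName: root, warn: false, reason: null };
}

// Constructed sample inputs (the hash is a placeholder, not a real CID).
const SAMPLE_ROOT = "ipfs://QmConstructedSampleHash";
const sampleResolver = (name) => (name === "game.eth" ? `${SAMPLE_ROOT}/` : null);
for (const o of [`${SAMPLE_ROOT}/index.html`, "game.eth", "other.eth", "https://game.example/play"]) {
  console.log(o, appIdentity(o, sampleResolver));
}
```
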