Why does 3speak need an active key?

in Threespeak, 5 years ago (edited)

EDIT 7/2/2020 - update here: https://hive.blog/hive-181335/@awbvious/update-threespeak-does-not-need-your-active-key-directly

I'm putting this to the community, because I'm not getting much of a satisfactory answer from support. I suspect there is a really good reason, and I'm just not understanding. I'm hoping some of you can explain in the comments.

Here's what I wrote to [email protected] on June 17, 2020

So, I'm new to Hive, but I understand there are three different types of keys. I was surprised you asked for my active key and not my posting key. Further, your FAQ says "Once you have an account, you need to login with Hivesigner. You will need to provide your ACTIVE key ONLY on the first login. Then you can post comments which can earn." Well, when I tried openhive.chat, it too used Hivesigner, but I never had to give my active key directly to openhive.chat to use Hivesigner. There was another window that opened to enter a key directly into Hivesigner (and, further, that window was fine with accepting my posting key).

Why can't 3speak work with either a) my posting key and/or b) authorization handled through a Hivesigner window where I never have to directly give 3speak my active key?

Also, if neither of those are acceptable, what would happen if I logged in with my active key, then went to wallet.hive.blog and reset my owner key and got a new active key? Would 3speak.online still work or would I need to enter that new active key again? Does 3speak.online save my active key in some sort of database? If the answer's no, then changing my password as soon as I activate my hive account with 3speak should work, shouldn't it?

Thanks.

Here's what I got in response on June 19, 2020

Hi Awbvious,

What is important to note is that, your active key is required in order to grand any Dapp posting authority at the blockchain level.

I wrote again on June 20, 2020

You mention "posting authority."

If I need to give authority to post, wouldn't that be my posting key?

When I go to https://wallet.hive.blog/@[username]/permissions (put username in url) it says

"Posting Key
This key should be used for social networking actions, like posting, commenting and voting. This key has a limited set of permissions and it is not able to be used for monetary actions. So you can't lose money if someone else gets access to this key.["]

As for Active key it says

"This key has additional permissions for more sensitive monetary-related actions, like transferring and exchanging tokens. When performing a wallet related action, you may be prompted to authenticate with your Active key. You should only enter your Active Key into apps which you trust because anyone with access to this key can take your tokens."

Perhaps what you need falls into a "wallet related action" but you only say "posting." If it is a different action, I'd like to know first what it is. And then, what about this from my original email:

"Also, if neither of those are acceptable, what would happen if I logged in with my active key, then went to wallet.hive.blog and reset my owner key and got a new active key? Would 3speak.online still work or would I need to enter that new active key again? Does 3speak.online save my active key in some sort of database? If the answer's no, then changing my password as soon as I activate my hive account with 3speak should work, shouldn't it?"

So, I have one wallet, with one key, that according to you is needed "to grand [sic] any Dapp posting authority at the blockchain level" and according to another source "anyone with access to this key can take your tokens."

It doesn't seem to make much sense to give this key to /every/ DApp on Hive, unless there is some way of knowing that key is not going to be intercepted by a bad actor. It would make far more sense to use a key with less permission (e.g. a posting key) or a trusted intermediary (e.g. hivesigner by putting the key into it and NOT into the DApp) or a sub-account (e.g. a key attached to an allocated/isolated portion of funds, yet still your username, which is not currently part of Hive functionality to my knowledge) or keep funds on an account owned by the DApp (e.g. sort of like how a centralized exchange would do it, thus no key at all, and you would simply do wallet-to-wallet transactions to send funds) or a temporary key (e.g. one that only needs to be given once but can [and] does change, which is kind of like the workaround I'm suggesting, but you have yet to say whether my 3Speak would work if I immediately change my active key after giving it--and of course this is still not as ideal as a temporary key expressly for this purpose, but such is not current functionality as far as I know). Any of these would be better than, supposedly, trusting every DApp with access to a key that can take all your tokens (and, as I've yet to hear otherwise, I could not change and still expect the DApp to work). Say there are 100 DApps on Hive someday and all of them use such a key, someone uses all 100, and 1 of these happens to have an exploit. Suddenly, you've made the security of the other 99 DApps moot for that user. A single point of failure causes the user to lose all their coins. That doesn't make much sense for a "decentralized" [application], does it?

Please address all of my concerns.

Thank you

I haven't gotten a response yet, but really, I don't get it. Hive.blog, which I am using right now to post onto Hive, requires my posting key. Why does 3speak want my active key?

Also, check this out, this url https://peakd.com/hive-100421/@threespeak/3speak-s-login-system-simplified-and-an-exciting-update-for-the-creators says

Once you add your "Private Posting Key" and Click on "Next", you will be redirected to your channel's dashboard.

Why does this say Posting Key, but this https://3speak.online/intl/faq says

You will need to provide your ACTIVE key

I'm also not the only person who noticed this discrepancy; if you do a find-in-page on https://peakd.com/hive-100421/@threespeak/3speak-s-login-system-simplified-and-an-exciting-update-for-the-creators for the word "active", at least three other users are puzzled by this as well. And apparently the user churdtzu asked support and got pretty much the same one-sentence answer that I got from support. Thoughts?
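The key roles quoted in the post, and support's statement that granting a dapp posting authority needs the active key, can be checked against an account's on-chain authority structure. The following is an added example, not part of the original post and not 3Speak or Hivesigner code: the account data is constructed, `alice` and `exampleapp` are hypothetical names, and the object shape is assumed to match what Hive's `get_accounts` API returns.

```javascript
// Added example with constructed data; not 3Speak or Hivesigner code.
// Signing role per operation type. Simplified: anything that is not a
// vote/comment is treated as a wallet operation needing the active key.
function requiredRole(op) {
  const [type, body] = op;
  if (type === 'vote' || type === 'comment') return 'posting';
  // account_update needs owner only when it replaces the owner authority.
  if (type === 'account_update') return body.owner ? 'owner' : 'active';
  return 'active';
}

// Build the account_update that adds `app` to the posting authority only.
function grantPosting(account, app) {
  const posting = JSON.parse(JSON.stringify(account.posting));
  if (!posting.account_auths.some(([name]) => name === app)) {
    posting.account_auths.push([app, posting.weight_threshold]);
    posting.account_auths.sort((a, b) => (a[0] < b[0] ? -1 : 1));
  }
  return ['account_update', { account: account.name, posting,
    memo_key: account.memo_key, json_metadata: account.json_metadata || '' }];
}

// List every other account that is authorised to act for `account`, per role.
function auditDelegations(account) {
  const findings = [];
  for (const role of ['owner', 'active', 'posting']) {
    const { weight_threshold, account_auths } = account[role];
    for (const [name, weight] of account_auths) {
      findings.push({ role, name, canActAlone: weight >= weight_threshold,
        risk: role === 'posting' ? 'social actions only' : 'funds at risk' });
    }
  }
  return findings;
}

// Constructed sample account (placeholder public keys, hypothetical names).
const auth = (key) => ({ weight_threshold: 1, account_auths: [], key_auths: [[key, 1]] });
const sample = { name: 'alice', memo_key: 'STM_MEMO_PLACEHOLDER',
  owner: auth('STM_OWNER_PLACEHOLDER'), active: auth('STM_ACTIVE_PLACEHOLDER'),
  posting: auth('STM_POSTING_PLACEHOLDER') };

const grant = grantPosting(sample, 'exampleapp');
const after = { ...sample, posting: grant[1].posting };
console.log('grant must be signed with:', requiredRole(grant));
console.log('app then votes at role:', requiredRole(['vote', {}]));
console.log(auditDelegations(after));
```

Any entry the audit reports under `active` or `owner` is a delegation that puts funds at risk; a posting-only entry matches the limited permissions described in the wallet's own text.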
