The portable identity people always, inevitably forget one simple truth: the identity and the means of accessing it should be separable. I've explained to them way too many times that a public key is not a viable form of identity. They still keep insisting on using public keys as identifiers.

The fatal flaw of the use of cryptographic keys for identity is that
- Once leaked, it can't be revoked to prevent further unauthorized access and impersonation
- Once lost, it can't be recovered and a new key pair, thus a new identity, is required

This stuff is non-negotiable really. I worked at VK, they have an entire department dedicated to restoring people's access to their accounts. People are terrible with passwords and they will be even more terrible with private keys.

@grishka yeah! I'm trying to design a decentralized identity system and I keep struggling with this problem too. If using the pubkey as the identity is the problem, then what's the solution? And solutions that appeal to some centralized authority to resolve the issue aren't allowed, because, well ... decentralized. How can we do better?
Jeff, as far as I'm concerned, it's a fundamentally unsolvable problem. The best mostly-decentralized identity systems we have (email, ActivityPub) ultimately rely on DNS.

@grishka That's what I was afraid of. It does seem unsolvable.

DID at least comes close to a reasonable solution here, because people get to choose which centralized authority they want to use (i.e. the resolvers), but most of those resolvers are blockchains. Ugh. There has to be a better way.