Григорий КлюшниковMay 1, 2023

The portable identity people always, inevitably forget one simple truth: the identity and the means of accessing it should be separable. I've explained them way too many times that a public key is not a viable form of identity. They still keep insisting on using public keys as identifiers.

The fatal flaw of the use of cryptographic keys for identity is that
- Once leaked, it can't be revoked to prevent further unauthorized access and impersonation
- Once lost, it can't be recovered and a new key pair, thus a new identity, is required

This stuff is non-negotiable really. I worked at VK, they have an entire department dedicated to restoring people's access to their accounts. People are terrible with passwords and they will be even more terrible with private keys.

Show threadJeff MartinMay 1, 2023
@grishka yeah! I'm trying to design a decentralized identity system and I keep struggling with this problem too. If the using the pubkey as the identity is the problem, then what's the solution? And solutions that appeal to some centralized authority to resolve the issue aren't allowed, because, well ... decentralized. How can we do better?
Show threadГригорий КлюшниковMay 1, 2023
Jeff, as far as I'm concerned, it's a fundamentally unsolvable problem. The best mostly-decentralized identity systems we have (email, ActivityPub) ultimately rely on DNS.
Show threadMark W. AlexanderMay 2, 2023

@grishka @cuchaz @cwebber
Step 1: Put whatever org coordinates international zip codes in charge of DNS.

Oh, and eliminate profit off DNS and domains.

Step 2: ???

Show threadГригорий КлюшниковMay 2, 2023

Mark W. Alexander, as far as I'm aware, there's no such organization. Each country's postal service has its own zip code system without regard for international uniformity. For example, Russian zip codes map one to one to post offices. I was surprised to find out that it's not like that in other parts of the world. In some countries (UK and iirc Canada) zip codes even contain letters.

If you eliminate profit off of DNS and domains, how do you keep a scarce resource available to everyone? How do you prevent squatters from registering an entire dictionary worth of domains in every TLD and then extorting people? Current implementation at least tries to be fair.

Show threadMark W. Alexander

@grishka @cwebber
You can charge for services and still be not for profit. #ICANN did it for decades.

Which, also, managed domains pretty well for most of the growth of the Internet. It wasn't broke until capitalism shot it in the ass.

May 2, 2023 at 2:55pmWeb