-
Notifications
You must be signed in to change notification settings - Fork 597
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NIP-22 Key Migration #1056
base: master
Are you sure you want to change the base?
NIP-22 Key Migration #1056
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't answer some important questions:
- What if the key has been lost, not leaked, and they can't publish the event?
- How are "close acquaintances" identified? This isn't a straightforward web of trust problem, because you might not follow anyone who follows the original pubkey.
I'm all in favor of social key rotation but a lot more details need to be filled out before it becomes possible.
Lost keys get lost forever. This is not a key recovery protocol. It's just for migrations.
Web of Trust
You will have to wait until somebody you follow makes the change or you might need to get more information from outside of Nostr. Again, this is nothing different than what users already do today. Clients don't actually need to do anything automatically. They just need to present information and wait for the user to have the confidence to migrate. |
Need to extend the NIP by adding the following things:
Leaving these things up for interpretations will lead to incompatibility |
It doesn't work. This just opens another attack vector where the person that steals the key recommends the wrong keys.
Acks and Nacks are not needed. Just track the contact list instead.
There are no ways to be incompatible in this NIP. Clients can recommend different actions and review systems and that's all good. No matter what happens, everybody else can see the final changes in contact lists. |
This comment was marked as spam.
This comment was marked as spam.
Yep, clients need to put some warnings. But this is the same case for any migration scheme. Once you start there is no way back. |
I actually like the passive approach you show, so that clients are not forced to take actions on behalf of their users, just warnings and options in the ux. |
Yep. My issue with any proof is that they quickly become attack vectors. If we had provable derived keys for everyone in Nostr from the beginning, that would have worked better. But we don't. Assigning a master key to today's keys is dangerous because anyone can write messages in the past and even hide them until the attack is ready. Trusting the proof becomes a problem. So, I think we need an intermediary key migration procedure where we can move users to key schemes that might offer additional proof (master key) options. This PR is that intermediary option. :) |
I understand, but I think that with your approach the process of verifying whether a rotation event is valid or not becomes difficult to distinguish, and therefore less reliable and expensive. It is true that relying on proofs is something that can introduce some attack vectors, but the absence of them I think makes the process expensive in terms of ability to distinguish whether a rotation event is trusworthiness or not. |
Sure, but the social proof defined in #1032 only works if the key has a master key pair, which Simple Keys / current keys don't and if somebody has access to them today can easily create one. I am a firm believer that most keys in Nostr have leaked already. My own key is probably out there somewhere. Attackers are just waiting for #1032 to become a reality and start creating those secure checkpoints and master keys before users even take notice. |
Why? as long as the user has web of trust and a recognizable social graph anyone can use this proof. |
If you rely on Web of Trust, then you don't need proofs. It's about trust on top of everything else. Sure, proofs are a datapoint in the process, but because the proofs themselves can be faked (that's why you need the web of trust on #1032 ), the proofs can't be used to make any trust assessment. In fact, they can be used to diminish the need for a web of trust assessment. They serve as a mere conversation starter, which is the same Let's say an attacker has my key right now. The attacker creates an open timestamped For instance, the attacker can easily create DMs from me telling each of my closest friends that I will be rotating to a new key, wait the 60 day period, and then send them all. Then send one today referencing those DMs saying that it's all good: "I am just doing what I told I would be doing 60 days ago. I am sure you were too busy to see these messages, but here is a reminder". Then add a couple more public events discussing the same transition that ONLY those target friends will see and you have a convincing story that my friend doesn't need to call me to check. The automatic migration then goes through and suddenly the Web of Trust get tricked into accepting the attacker and people start following the new key. All of that can happen in this PR as well. But here, the attacker can't use Nostr identity management proofs to decrease the need for the social verification off-nostr. |
Hopefully, with this PR focusing on Web of Trust, we can get to a point where new key-controlling schemes can do these migrations without any web of trust component. Those are the proofs that make sense to have. |
Liked this part "Clients SHOULD use Generic Repost (kind:16) with a stringified version of the kind:18 to warn followers and guarantee its retention in as many relays as possible." What I don't like is that kind 18 is already used here xD~ though I could change it. If I see someone I follow and trust holding the kind:18 copy with an interface saying: "Hey, Bob says it's changing his profile to Bob X and your friend Joe confirms it is true. Do you want to follow the new profile?", I would click "Yes" button. The kind:18 alone can't be trusted. |
Obviously. Maybe I need to make this more clear in the text. It only works because somebody is validating it outside of Nostr. |
Yeah I guess it is obvious I was just saying what I understood Hhehe Easy to implement. On the other hand #1032 is soooooooo big of a read with like 4 new kinds and 2 time windows =0 |
@vitorpamplona If I got it right, you are recommending clients to actively look for:
Maybe it is better to recommend just one flow and 2) feels simpler. For that, reposts could be an automatic client action after following anyone that signals on For example, if there is a Then my follows would receive the repost. I mean, the process could start from the new account. The user would just paste the old privkey > then client would publish the It would be great if #539 was a thing so that the |
That's what's good about this. Having to wait 60 days from
I think the flow will depend on the client. I suspect most clients can easily add a
Not really. The repost just warns followers. It shouldn't mean that the person has decided if it is valid or not. The truth can only come from contact lists.
Good point, the client should post everywhere, just like NIP-65 changes.
Agree. |
Adds clarification that this requires web of trust validation Adds k-tag to generic reposts Adds optional behavior to client.
…into key-rotation # Conflicts: # 22.md
I really agree, my intention was to respect the previous work of the previous most accepted pr to introduce secure identities, and master/subkey roles. But different points of how to deal with key rotation seems complicated and inconvenient to me (I guess that's why it has never been implemented properly). However I like this proposal because of the simplicity and it can make #1032 smaller, and focus only on secure identity management. For me the fundamental idea behind #1032 is to have an identity based on a subkey, and master key as a source of truth, which is mostly used to make relevant public announcements about a subkey, and can be stored cold. Talking about the kinds used I only introduced |
@vitorpamplona What about the possibility of adding an In my proposal if a subkey of a secure identity is compromised the master keypair does a subkey rotation announcement event, and the subkey should do the same, but also point to the masterkey pair event. |
I think we can add those when master key pairs become available. I am not convinced a master key pair rotation should reuse kind18s. They could have their own method to avoid the Web of Trust recommendation here. |
Yes, absolutely, the master key rotation comes with a revocation certificate and a checkpoint. I've also been thinking about simplifying #1032 by using the scheme you suggest here, as it's arguably a drop-in replacement for the I've also been thinking that it would be interesting to be able to signal a trust level on a user's new keys, for example when a user issues their
|
That alone is a huge simplification to me.
Those trust levels make sense. But should that be in the NIP or a client's feature? I tend to minimize the specs and let relays/clients figure out the best way to implement each NIP. I think we could have a client offering such levels and if they become a common way to represent it, then they can turn that part into a NIP (or extend this NIP). |
@vitorpamplona Saw your answer but have you considered the It would be added to any new account's Upon an user following the new account with such metadata field, even if they didn't know the old one, their supporting client would then fetch on the new account's write relays the This way the reposting mechanism would keep working far in the future each time someone follows the new account. Even if the
Hmm, maybe better if instead the client fetchs the |
About the But maybe there is a reason for the new key to sign where it came from. |
Oh sorry you're right, although there can be many fake kind:18s p-tagging the key just to mess things. Talking about another detail, after some time it may be a problem relying on an event signed by an abandoned account cause its client won't keep publishing the same kind:18 with an updated created_at and relays tend to delete old events. Yeah, Just ideas, don't know. |
This comment was marked as spam.
This comment was marked as spam.
I am not sure what's hard about it and why it needs to be mandatory. People already switch keys today in the same way with kind 1 posts and friends retweeting or replying to the post. It's the same thing, but now the client can help users navigate it. They can keep doing the kind 1 texts to migrate as well. The existence of this NIP doesn't forbid people to migrate in the manual way. |
Since this is just for migrations, and not for recovery from a lost key, I think the interpretation of a kind-18 is far too strong:
I would like to put out a new key with a kind-18, but I don't want people thinking my old key is not me anymore. I will have to post under both keys for some time as the community learns my new key. |
The reason for coupling migration with the deprecation of the current key is the uncertainty surrounding whether Remember, I couldn't square those forms of attacks in this WoT-based migration scheme without coupling migration and deprecation of the key. But I am open to ideas. |
A different way to put this:
|
If I were an attacker and I had your old key, I wouldn't put out a kind-18. I would just use your old key directly. Therefore because this is possible, every message by everybody at all times must not be trusted??? |
You would if you could lock me out of my own account and fully control the conversations with my friends.
No. I think |
This is a key migration procedure that simply formalizes how we migrate keys today: via waiting for confirmations by friends of the key.
There is no automated migration procedure, no proofs of control, and no forced key derivation paths.
The goal is to offer a way to migrate current keys to new key schemes so that we can introduce the idea of key derivation to most users today. I strongly believe that many potential identity management proposals are held back by their need to make it work with current keys. This establishes something everyone can implement that can get us out of this hole we put ourselves into.
Read here