-
Notifications
You must be signed in to change notification settings - Fork 597
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Key Migration and Revocation #1452
base: master
Are you sure you want to change the base?
Key Migration and Revocation #1452
Conversation
For those familiar with similar proposals by @pablof7z, @fiatjaf, @nvk and @vitorpamplona on the topic, I've written a summary of the differences. In comparison with: #829
In comparison with: #637
In comparison with: #1056
This proposal is, more or less, a merger of all three of the above proposals. |
One thing that isn't clear is how this protects against an attacker stealing your key, then publishing a new recovery key event with an older date, then proceeding to do the key rotation with his own recovery key and now he owns your identity. |
If an attacker steals a private key and publishes a new and fraudulent Recovery Keys Setup Event with an older date, it can be detected as fraudulent by everyone that has published their own dated and signed copy in a Recover Keys Attestation Event of the previously seen and honest Recovery Keys Setup Event. Attestations can be either private or public, public attestations can help those that have not made such attestations to be able to detect if it is fraudulent (in addition to the other methods). |
You mean my client has to cache forever all fiatjaf's key setup event to try to ascertain time order? |
@pablof7z The Recovery Keys Attestation Event is saved on relays, for both private (encrypted) and public. |
This might become an issue, relays are not designed to offer data relation guarantees |
Ok, yeah, I assumed so, but how can OTS be optional, if you're not requesting clients to keep track of all setup events; how do you order by date? |
@nvk Can you clarify what you mean by "data relation guarantees" and how that is relevant? |
@pablof7z OTS is optional because ordering by date of all Recovery Keys Setup Events for a pubkey isn't necessary for determining which one is valid. Here is an example:
|
Sorry, autocorrect. "Retention" |
@nvk Okay, that makes more sense. Data retention by relays depends on the relay and the terms of service. Redundancy of relays, paid relays and private/personal relays all help to backup ALL notes and events. Some relays will delete older events to free disk space; in that process, it should be emphasized that relays SHOULD NOT delete Recovery Key Attestation Events and Key Migration Attestations Events. |
The problem is user expectations and guarantees, |
If anyone is interested in helping to implement in clients and relays and flush out details in the specification, please reach out to me! Thanks! |
@nvk If it is a problem, it would be for the Nostr protocol and all events; if events can disappear from all relays then Nostr isn't a censorship-resistant network! |
Doesn't feel right, happy to be proven wrong. Also aside from the previous proposal I'm not sure I have any better ideas. |
They can and they do every day. Not your relay, not your data. Nostr is a censorship resistant protocol, not network. It allows users to use backup relay networks at their will, but if they put everything in a single relay and that relay goes out of business, all their data is gone. |
Ok, hear me out.. Nostr... but on a blockchain MIC-DROPPED |
IMHO better to use single use seals for the on-chain commitments, rather than OTS. Peter Todd made both OTS and single-use seals, in that order. I dont think I would implement this when single-use seals offers imho a vastly superior path to data, with history, audit trail, and recoverable profiles. No issues with clients opting into this, but I think it may lead to a fractured landscape of solutions (which itself is not the end of the world). |
It's not a censorship-resistant network. Spam is censored all the time. Relays are not data stores, they just transmit notes, and other stuff, from one user, to another. If you want to store events, it is much better not to use nostr for that, but rather, the cloud, which was designed for storage, and has super mature tooling. |
First, if I am Alice, how do I know that I should attest to Bob's key recovery setup event? Do I call him on the phone? Is it just because I have never seen one before? Because maybe an Imposter sends a second one, but that is the first one I have seen and so I attest to the wrong one. Second, in your scenario Alice becomes aware of an imposter recovery key setup event. But how does the rest of the network learn? Most people don't follow Alice, and even if they could they don't trust her. Third, what if Bob creates one and thinks it didn't work, so he creates a second one. Isn't he now seen as an attacker on himself? |
They don't have to disappear from ALL relays, just the ones I happen to talk to. Nostr is censorship resistant only in so much as it doesn't have a single point of failure. |
"Censorship resistance" means that any entity attempting to censor you can be easily worked around (by starting your own relay). The protocol has no guarantees about content retention, censorship, or availability of relays. The only guarantee you get is ones you create yourself (for example by using a paid relay like nostr.land, or hosting your own relay that you can hold your own notes forever on). |
@mikedilger Great questions.
|
I might be too dumb for these things but I don't feel very comfortable implementing this. The reason I thought #1056 would be good is exactly because it didn't touch any of the key attestation and verification procedures. It just passed ALL that responsibility to users directly: "Nostr cannot help you. Relays and clients do not have the information you need. You need to pick up a phone and find person X to ask what is the new key they are going to use. And you cannot use Nostr for that. It's all on you." Here, because there is a "nostr" way of doing it, an attacker can use any of these events to confuse users into believing a key is migrating. Because there are so many kinds, relay checks, clients with varying levels of compliance, replaceable events and all of which can happen in the past, present and future, with expiration and event deletions, in separate relays that don't talk to each other or relay that are fully controlled by the attacker, etc... it creates more problems than what it might solve. Even with this, in the end, it boils down to Web of Trust. This PR just codifies that into a sequence of Nostr events that apps can verify without the User having to call a friend. That's the delta improvement here. Is the complexity worth that delta? Are we safer in this procedure or just with kind 1 posts saying that I am migrating? And can we expect Clients to implement all of this without bugs and in a UX that match each other to avoid further confusion and a potential form of attack? I don't know... It might be that this NIP is trying to do too much. |
I've started implementing the events for this NIP in go-nostr and can be found at: https://github.com/braydonf/go-nostr/tree/key-migration-and-revocation/nipxx This NIP has been updated to reflect changes based from that implementation. Several clarifications and changes have been made. |
@vitorpamplona I think it can help. If someone that I follow has their private key compromised, I can still trust my own events. As far as implementation, it helps me to better understand the problem and to discover a solution that I may not have previously seen. For example, here are some things that I'm thinking about after my first round of implementation and will be addressing in another set of updates:
|
I've made several simplifications and updates to this NIP and it feels much closer to a solution! Next, I'll work on implementing it more in go-nostr and updating the UX design wireframes. |
Okay, here are some of the UX wireframes for secure identities, as now included in this NIP. Link to animation: |
I've realized that the user metadata attestation portion of his drafted NIP can have a lot of other uses beyond the scope defined in this NIP and have separated it into another (see #1499). I will leave this NIP, as drafted, for the time being. The remaining portions, the revocation piece can likely merge with @vitorpamplona #1056. It would rename it Key Revocation and not Key Migration (and mostly leave out the migration/transfer portion). The migration keys part can be another NIP of it's own that can define the scheme for pubkeys on a user's metadata and methods to verify them. |
Yeah I think that is a good move. I updated the text on #1056 to match the revocation ideas from here. |
Cool, sounds good. I'm convinced this will all work and would like to go through and document how in more detail. Various scenarios and attacks can be enumerated and how each is mitigated. This should also help to find any issues, if they remain. Implementation seems fairly straight forward so far, I don't foresee any issues here. It'll still be useful to explore to uncover anything unexpected in both clients and relays, that can likely follow. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
some small changes. makes everything look better.
Read in Full