Honest question, how do I recover a lost identity?
The reason why this attack worked is primarily because of a recovery system. I agree this is a significant vector, but I can't see how decentralized solves this?
At the moment with blockchain wallets, once you've lost your private key, you're screwed. There is no recovery.
So, I'm all for decentralized but if it is truly my identity, I need a way back if I lose it. Not sure how to solve that vector even in a decentralized case.
Do I need to upload my identity to specific 'verifiers'?
You need to stop thinking identity singular, and identity as valuable. Have many and treat them as disposable. Of course you can't do this on the 2020 web that consists of four websites filled with screenshots of each other, but that's just one of the many reasons to burn those websites to the ground and resist any attempts to remake them. And it turns out your parents were right about not using your real name on the Internet. Social media and their consequences have been a disaster for the human race.
But that's not really identity then right? That just becomes my hnews/reddit username that's unverified.
I read @elonmusk because I trust it's him and I'm interested in what he says. Personally, I genuinely like Starship + Starlink updates... I ignore most of the other stuff. But still, I want to see those awesome rocket tweets!
So, I want to know what he says.
He can change his username because it got hacked/whatever... but then I personally have to see what he changed it to... How do I know that he is the one who changed it? How do I know it's not some rando dude impersonating him?
Your hnews username is an identity. A small, weak, and reasonably disposable one, that you can have many of. Why do you want to use your God damn real name on the Internet unless you are a public person already? What do you have to gain? Hate mail, death threats and calls for your firing? I've always wanted more of those. You do not WANT to be verified. Verified is a euphemism for doxxed.
You could trust it was Elon because it's published on his own website instead of on the worst thing to happen to human communication since writing was invented (i.e., Twitter).
For other cases we can evaluate merit based on previous performance and character of published material instead of "identity". I do not care who is behind a pseudonymous blog if the blog is good.
The most natural solution for most people is to give shards of your key to various friends/family that you trust not to collude and reconstitute your key (or be socially engineered -- make them talk with you on video chat or something). Require 5 out of the 9 shards to reconstitute it.
Obviously you can scale up your security according to the value of your account and your threat model.
That's a great method for preventing loss as opposed to allowing recovery.
We need to keep the conversation in recovery because eventually it'll happen. Your 5/9 people could have n+1 unwilling parties where n is the losable amount.
It is unrealistic to say it will _never_ happen.
When my identity is lost... is it lost for good? How do I recover?
If it's lost for good, and I make a new 'identity' then what is my 'identity'... is it just... my reddit username?