|
|
|
|
|
|
by maccolgan
1663 days ago
|
|
|
The root of identity is still not a public key. To perform essential actions on such a website doesn't need your public key. You are only proving that you have access the private key correspondent to the public key stored in the database entry, and nothing else. Authz is still database records and not inherently trustless akin to cryptographic authentication. Imagine I had a entirely PGP-based comment system, where the key used to sign comments serves as the identity rather than a database record. The software remaining the same, not even the owner of the database can change the text of the comment without also changing the key, which would immediately destroy the utility of such an action. Applications utilizing MetaMask are actually able to develop this kind of application where it's trustless end to end. Furthermore, comments could also be embedded as a transaction to a hash of the URL (or something akin to that), where anyone with an access to a ethereum node, public or private can access a global comments system. >You don't need a blockchain for identity. The unique feature that Blockchains provide is protection against double spending (without reliance on a single party), but that isn't a concept relevant to authentication. Blockchain doesn't solve the Authn problem, it only solves the Authz problem. I can hypothetically make my own game which has a DRM that can only be unlocked if your private key owns the access NFT. They are complementary. |
|
|
Why not just sign content with a private key? Buy a YubiKey for $50, generate a key, announce it to the world via an account you control, continue to host content on non-blockchain servers. Your content can be verified with the same public key and no one can forge it.
I guess I just don't see the benefit of blockchain-distributing your public key, and how that helps protect from forgery. What's to stop me from publishing a 2nd message impersonating you with a new key saying "oops I lost the first key"? Or, conversely, what if you needed to generate a new key with no way of signing it with the older key? Or much worse: what if you haven't posted your key yet and I publish a key for @somebody first? Whatever medium you then use to announce "this person isn't me" can also be used by an attacker to discredit the real public key, or by you to announce your public key.