by web3isgoing 1317 days ago
Document signing: vitalik.eth signs a PDF, everybody can verify the PDF is signed by his private key. He has to broadcast his public key for this, and probably also a content hash of the document so that we can be sure we are verifying the correct PDF. He can broadcast this on Twitter, but that is not a secure and tamper-proof ledger, and it is centrally owned, and it's not a great storage mechanism for this system to scale to thousands or millions of signatures. LibreOffice could create a new service like keybase.io but that is also centralized and we saw how that went. Another alternative is these messages are broadcast through a public and decentralized ledger.

How does this fit with zero knowledge proofs that the blog mentions? There may be signature attestations you can make that you want to be private from the receiver, but made in a way that the receiver can still verify the signature is valid.

3 comments

LibreOffice already has PGP support for signing documents, which is the standard mechanism for distributing trust among open source projects.

I suppose we can stuff PGP keys into the blockchain but I don't see the additional value. Each key needs to be trusted by the receivers independently (or through a web-of-trust-like system) so I don't see the added value of a tamper proof ledger.

> He can broadcast this on Twitter, but that is not a secure and tamper-proof ledger, and it is centrally owned, and it's not a great storage mechanism for this system to scale to thousands or millions of signatures.

Public blockchains[0] are not known to scale either. I can open a Twitter account for free and publish a signature right now, and do it on several other platforms at the same time to have some kind of redundancy.

I only care about the medium being tamper-proof to be able to prove the signature is at least this old (if it's in a certain block, the signature was made before this block; if it's in a certain message on Twitter, it was made before this message).

So from first principles, blockchains bring this theoretically better time-stamping mechanism, because somebody controlling Twitter could change timestamps there, while nobody could on a blockchain. In practice though, the redundancy is enough, and it's hard to change something people care about on the Internet without people noticing.

Overall this use-case is somewhat legit (more legit than most), but it's a niche within a niche.

[0]: as defined in https://www.schneier.com/essays/archives/2019/02/theres_no_g...
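As an added illustration of the "signature is at least this old" argument above (this is not code from the thread or from any real chain): a constructed hash-chained, append-only log in Python. The first block carrying a document's hash gives an upper bound on when the signature was published, and editing any earlier entry or timestamp breaks the integrity check, which is the only property the comment says the medium needs. The Ledger and Block names, the entry layout and the sample PDF bytes are my own assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

def document_fingerprint(pdf_bytes: bytes) -> str:
    """Content hash that the signer publishes alongside the signature."""
    return hashlib.sha256(pdf_bytes).hexdigest()

def block_hash(height, timestamp, prev_hash, entries) -> str:
    # Canonical JSON so the same block always hashes the same way.
    payload = json.dumps([height, timestamp, prev_hash, entries], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

@dataclass
class Block:
    height: int
    timestamp: int      # unix seconds claimed by whoever appended the block
    prev_hash: str      # commitment to the previous block (this is the chain)
    entries: list       # [(signer_fingerprint, content_sha256, signature_hex), ...]
    hash: str

class Ledger:
    """Toy append-only log; a real chain adds consensus on who may append."""
    GENESIS = "0" * 64

    def __init__(self):
        self.blocks = []

    def append(self, entries, timestamp) -> Block:
        prev = self.blocks[-1].hash if self.blocks else self.GENESIS
        h = len(self.blocks)
        b = Block(h, timestamp, prev, list(entries), block_hash(h, timestamp, prev, list(entries)))
        self.blocks.append(b)
        return b

    def verify_chain(self) -> bool:
        # Any rewritten entry, timestamp or hash link fails this walk.
        prev = self.GENESIS
        for i, b in enumerate(self.blocks):
            if b.height != i or b.prev_hash != prev:
                return False
            if b.hash != block_hash(b.height, b.timestamp, b.prev_hash, b.entries):
                return False
            prev = b.hash
        return True

    def signed_no_later_than(self, content_sha256):
        """Earliest block containing the document hash -> (height, timestamp),
        an upper bound on signing time; None if never published."""
        if not self.verify_chain():
            raise ValueError("ledger integrity check failed")
        for b in self.blocks:
            if any(e[1] == content_sha256 for e in b.entries):
                return b.height, b.timestamp
        return None
```

Verifying the signature itself (PGP, X.509, or an Ethereum key) is a separate step; the log only proves when the (fingerprint, content hash, signature) triple was published.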

I don't think redundancy is a clean solve. It might give more confidence to the message time stamp to see the same message replicated across 10 different websites, but this does not scale. Eventually if you do aim for a distributed database you end up down the path of consensus mechanisms and blockchains.

What I outlined is unlikely to ever be realistic on a L1, but recursive zk rollups that post proofs to L1 do scale very well and have strong security and tamper-proof guarantees.

> Another alternative is these messages are broadcast through a public and decentralized ledger.

There is no such thing as free computing and data storage. Involving the group of strangers that run public decentralized ledgers requires paying transaction fees. Decentralization in itself is a dubious benefit.

A centralized service would be way cheaper to run (so cheap that it could be free for the end-users) with perhaps a one-time fee for identity verification purposes. The technology has existed for decades (X.509), is proven in the field and usable today.