[pona-a]

It was a more general remark about decentralized identity. I can't say if the average social media user wants or needs this kind of control over their identity, but I'd much rather have say my DNS tied to a cryptographic credential stored I manage than be delegated to a third party, able to say return a tampered OPENPGP entry to a specific IP without me ever knowing.

[account42]

I'm pretty sure most people would prefer to be able to recover their DNS in case of catastrophic failure over 100% cryptographic security. The technical aspects of security are never the whole picture.

Or to put it another way: Not being able to recover access is not something most people will accept and if your technical security measures don't consider that they will be worked around. If people need to go through support to recover their DNS more often then support will be used to giving out access to people's account and that will also reduce YOUR actual security.

[pona-a]

The point of cryptographic identity is, unless the primitives were fundamentally flawed, there be no way to recover it without the key material. Otherwise it's just another means of access control, like say a passkey or an ssh key, which are convenient but we usually allow some recovery options with.

Yes, it takes hard discipline--which may lapse no matter the level of experience--to setup offsite recovery with true cryptographic secrets, but it is possible. You can say backup a KeePass file to BackBlaze, protected by a 7-word passphrase. Now all you need for recovery is access to BackBlaze (so same as a centralized service) and your memory of the passphrase, with no one but you having access.

I don't know what the stakes are for most social media accounts or websites. But wouldn't it bring some peace of mind if say Graphene's registrar couldn't just press one button to serve malware on grapheneos.org, which you won't detect until you compare the hashes with say Twitter?