jami

Re: [Ring] Lost device = Lost account?


From: Bruno Pagani
Subject: Re: [Ring] Lost device = Lost account?
Date: Mon, 2 Jan 2017 18:26:02 +0100

On 02/01/2017 at 18:00, Simon Désaulniers wrote:

> Hello gentlemen,
>
>> Just remembered this from a Ring blogpost:
>>
>> “Graduate and PhD students seek to resolve the question of DHT
>> Indexation. To contact a Ring user, it is necessary to know his
>> 40-character ID. The DHT indexation will allow users to look for another
>> user’s Ring ID through information he has made public such as his name
>> or a public alias, while preserving his anonymity. Wondering how it’s
>> possible? Marco Rebado, Sylvain Labranche and Simon Désaulniers are
>> precisely devising a solution. In the meantime, feel free to communicate
>> confidentially with Ring!”
>>
>> This predates blockchain use but maybe is still being worked on. ;)
> I am the only student still active on the subject of the indexation. I just
> wanted to point out that the indexation in the DHT doesn't provide the same
> trust yielded by the use of the blockchain in Ethereum.

Of course, that’s what I’ve been implying. :) If you rely on this for
security, then blockchain is probably the best thing. But I, for one,
don’t feel comfortable relying on indexation for security (unless
done in a keybase[0] manner, as long as people understand its stakes).
The identity of your peer should rather be confirmed by RingID
comparison (eventually using bar code like it’s done in
Conversations[1]), just as you do for PGP keys. The indexation should
really only be a search engine. And then, there are far fewer issues with
things like username expiration. But I suppose that maybe this is not
“noob-friendly”, which is an issue if you target as many people as
possible, and you wouldn’t add indexation if that wasn’t the case. ;) I
wonder however if providing a false (or weakened) sense of security is a
good thing.

> Therefore, it cannot be used to manage username expiration. This should be
> done using the Ethereum contract. I think it would be possible. In fact, we
> have been talking about this between us in the Ring team.

Nice, I didn’t know about that. However this looks like a potential
security issue in your model (being able to expire a username, unless done
by the actual owner, is an issue if you rely on username:RingID
indexation for security), and then I’m still not sure whether Ethereum
contracts are a good idea, and in the light of my above statements, I
see no reason for blockchain against DHT indexation. But again, that’s
only my opinion based on my understanding of things, and you
definitely know more about this than me. ;)

> Additionally, the indexation on the DHT is more
> like a search engine and would not really bring anything new for the use case
> of saving your data using only a single device.

I think we’re all aware of this, that point came on the table because
once you realize you have lost your account, this is the next thing
you’re going to realize (username not available anymore) and will not
like. ;)

Regards,
Bruno

[0] https://keybase.io
[1] https://conversations.im

Attachment: signature.asc
Description: OpenPGP digital signature
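
Added example, not part of the original message and not Ring's code: a contact store that treats the username index purely as a search hint and pins a RingID only after it matches an ID compared out of band, so a username that later resolves to a different RingID (for instance after expiration and re-registration) is flagged. All names are hypothetical, and the 40-hex-character RingID format is an assumption (the message only says "40-character ID").

```python
import hmac
import re

# Assumption: a RingID is written as 40 hexadecimal characters.
RINGID_RE = re.compile(r"^[0-9a-f]{40}$")


def normalize_ringid(text):
    """Drop spaces/colons used for readability and lowercase the ID."""
    rid = re.sub(r"[\s:]", "", text).lower()
    if not RINGID_RE.match(rid):
        raise ValueError("not a 40-hex-character RingID")
    return rid


class ContactStore:
    """Pins RingIDs confirmed out of band; the name index is only a hint."""

    def __init__(self):
        self._pinned = {}  # username -> verified RingID

    def confirm(self, username, index_result, out_of_band):
        """Pin only if the index result equals the ID compared in person
        (typed in, or scanned from a bar code)."""
        a = normalize_ringid(index_result)
        b = normalize_ringid(out_of_band)
        if not hmac.compare_digest(a, b):
            return False
        self._pinned[username] = a
        return True

    def check_lookup(self, username, index_result):
        """Classify what the search index returned for a username."""
        rid = normalize_ringid(index_result)
        pinned = self._pinned.get(username)
        if pinned is None:
            return "unverified"   # search hit only, no identity claim
        if hmac.compare_digest(pinned, rid):
            return "verified"
        return "mismatch"         # name now points at a different RingID


# Constructed sample values, not real RingIDs.
ALICE = "3f2a9c0d" * 5
OTHER = "b71e44aa" * 5
```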

