MrChrisJ / World-Citizenship

Globally orientated citizenship with private passport services using available cryptographic tools
Creative Commons Zero v1.0 Universal
401 stars 72 forks

Renewed every year #12

Open chrisjmccreadie opened 9 years ago

chrisjmccreadie commented 9 years ago

Why is it necessary to renew it every year? Surely the math behind the crypto does not change.

Surely, as long as this ID continues to be used and passes integration by the places it is being used to prove its existence, there should be no need to renew it. Unless I missed this key part of this point.

dharmocracy commented 9 years ago

Maybe it's just the photo that needs to be kept up to date?

MrChrisJ commented 9 years ago

Hey @chrisjmccreadie, I just put a time frame in to remind people that over time keys can be lost or stolen, you may have changed your appearance, moved to another place etc. It's just a way to keep the data up to date and to confirm the key is still valid. But it's entirely optional and I think over time people will form their own trust levels for the kind of keys they like and the ones they don't according to how old they are, who they have been signed by, the way the Key Signing party was conducted etc.

larssorenson commented 9 years ago

Would it possibly be better to offer a decentralized storage of some of this information, updated as it changes in the blockchain? Since you would more or less need access to the blockchain to verify an identity, it would probably be helpful to be able to update it in the blockchain as well. The passport would merely mark a physical sort of 'land mark' in the identity's history, and the rest is calculated based on the information in each block, up to the present identity.

MrChrisJ commented 9 years ago

Ooh yeah, I like the landmark metaphor, so the passport is like a checkpoint in the data. This is similar to the thread by @patcon here: https://github.com/MrChrisJ/World-Citizenship/issues/15

For now, until things like StorJ are online the distributed storage could be done on a self seeded Torrent with each 'port' who downloads it becoming the seed for the next one. Of course the easiest thing to do is just host it on your own website or use someone like Keybase as a service.

I could also see it being possible that if these PGP Keys become important enough that many people will choose to air gap them using crypto-stick or something. Then they might create child identities that they will rollover with various sets of relationships. Like one for work and another for personal correspondents.

Have I understood you right?

iquidus commented 9 years ago

I think periodic renewal is an important component. Humans don't exist forever, so identification should not either. Required renewal is a simple and great way to deal with death (among other things). No one needs to update an ID's 'status' (invalidating it) when someone passes, it simply expires.

Whether the time frame should be 1 year or not is hard to say. It's a good starting point though.

larssorenson commented 9 years ago

@MrChrisJ You're on the right track. In terms of decentralized storage for the identity information, I meant storing it in the blockchain. That makes it non-repudiable, at least in theory, and thus you can verify that Person X has had a World Passport for N years, renewed it Y times, changed their Public Key Z times and it is currently DEAD BEEE FFFF ... . Thus you can essentially audit their identity and its history, without needing any centralized authority to provide the information, and it cannot be falsified, changed retroactively, etc. Imagine if you were trying to identify some guy you're trying to buy a computer from, and all he has is a driver's license. You don't know who this guy is any more than the license tells you, which for all you know could be fake or outdated. They could have even changed their name and they're not Frank anymore. The only reason I don't think something like StorJ or a self-seeded torrent would work is because it doesn't provide nonrepudiation, you can't guarantee that something hasn't been altered, without essentially making another block chain. But that doesn't mean I'm right, there's definitely some room for discussion with this.

wrapperband commented 9 years ago

I think 1 year sounds very short, especially for use by remote people, with little services.

Why not recommend renewal every 3 or 5 years, depending on how "current" the licence needs to be, for what it is being used for. i.e. as identification for purchasing restricted goods (5 years), or (eventually) travel a more current one might be needed.

That is, I think the old licenses will still be valid in the block chain and they could make their own (side) chain, to further prove identity, with more surety. You would update depending on the "regulation" around that use case that you need to comply with.

patcon commented 9 years ago

I feel the renewal idea is important as well. One year is a good starter :)

@larssorenson

> The only reason I don't think something like StorJ or a self-seeded torrent would work is because it doesn't provide nonrepudiation, you can't guarantee that something hasn't been altered, without essentially making another block chain.

Unless I'm misunderstanding the concern, I think some of the decentralized storage solutions coming down the pipe are content-addressable, meaning that the "path" is not based on location (like an ip pointing to a server), but based on the data itself (like a hash of a photo). So any unique object has a unique hash. And therefore knowing you have the same address tells you that you definitely have the same data :)

I think solutions like IPFS are also versioned, so you can see how an object's hash address relates to the future and past versions (or so I've heard).

@wrapperband Maybe in the end, it's up to the person acting on an ID to decide, just like with PGP keys?
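The two ideas discussed above (content addressing, and an auditable identity history with renewals and key changes) can be combined in a small hash-linked log. This is an added example, not code from the project or from any participant in this thread; the record fields, the function names `address`, `append` and `audit`, and the 365-day validity window are assumptions made for illustration, and where the trusted head address gets published is left open.

```python
import hashlib
import json
from datetime import date, timedelta

def address(record):
    """Content address: SHA-256 over a canonical JSON encoding of the record."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def append(log, kind, fingerprint, day):
    """Add an identity event that points at the address of the previous one."""
    prev = address(log[-1]) if log else None
    log.append({"prev": prev, "kind": kind, "key": fingerprint, "date": day})
    return address(log[-1])  # new head address, the value a verifier must trust

def audit(log, head, today, valid_days=365):
    """Check every link and the trusted head, then summarise the history."""
    prev = None
    for rec in log:
        if rec["prev"] != prev:
            raise ValueError("broken link: history was altered or reordered")
        prev = address(rec)
    if prev != head:
        raise ValueError("head mismatch: not the history that was published")
    # Assumption: validity runs from the most recent event of any kind.
    last = date.fromisoformat(log[-1]["date"])
    return {
        "renewals": sum(r["kind"] == "renew" for r in log),
        "key_changes": sum(r["kind"] == "rekey" for r in log),
        "current_key": log[-1]["key"],
        "expired": today > last + timedelta(days=valid_days),
    }

# Constructed sample history; the fingerprints are placeholders, not real keys.
LOG = []
append(LOG, "issue", "FPR-A", "2015-01-10")
append(LOG, "renew", "FPR-A", "2016-01-05")
HEAD = append(LOG, "rekey", "FPR-B", "2016-06-01")

if __name__ == "__main__":
    print(audit(LOG, HEAD, date(2016, 12, 1)))
```

A content address on its own only proves that two parties hold the same bytes; it is the `prev` links plus a head address obtained from a source the verifier trusts that make retroactive edits detectable.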

wrapperband commented 9 years ago

Re: Maybe in the end, it's up to the person acting on an ID to decide, just like with PGP keys?

That's a good point, that's why I said "recommended renewal", based on the identity proof "use case". Also, for most use cases I can see, 3 years renewal would be sufficient.

Since the "developers" will be aware of the security of the system more than the common user, advice / help for the uninitiated is something worth considering. Deciding on PGP keys isn't a trivial thing to get your head around. i.e. Complex areas with advantages of autonomy, but also with extra responsibility and knowledge requirement. Some usage advice would be advantageous, at least initially.

patcon commented 9 years ago

:+1: