Closed JustinDrake closed 7 years ago
We tried that in the last version and had to disable it. It's not possible to validate that many signatures when a node has a ton of followers.
Why does every signature need to be validated? It doesn't; unless there's suspicion of cheating. Strategies like verifying a few signatures at random would also work. It's not all or nothing.
The signatures are validated when you receive a follow request. But it's when viewing someone else's followers that it's problematic.
When viewing someone else's followers, you need to have the option of verifying signatures. Forcing the verification of every signature is indeed stupid. Centralised verifiers (like Duo Search) also need the option to call out cheaters.
Forwarding @tyler-smith comment from Slack:
I agree a way to verify followers would be nice. It’s something that’s worth thought and coming up with a solid plan for.
I still think that follower signatures are a good idea, and the burden of signature verification can be very light (i.e. by default, skip verification when viewing someone else's followers). IMO, without signatures it's a free-for-all and followers provide little value.
Of note here is that there are signature schemes where signatures can be agglomerated into a single signature, and verified as if it was just one signature. (From a more theoretical standpoint, the hammer for the nail here is zk-SNARKs.)
In any case, to clarify my original suggestion, I think we should include signatures but not have the reference client verify them (at least not now).
Close in favour of https://github.com/OpenBazaar/openbazaar-go/issues/583
It seems that a node can fake its followers given that a "follower" is just a string without a proof-of-follow. Is that correct?
If so, why not add signed proof-of-follow messages?
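An added example, not code from this thread or from openbazaar-go: a sketch of signed proof-of-follow with the random spot-check verification suggested above. The `FollowProof` layout, the `follow:<peer>` message format and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"math/rand"
)

// FollowProof (hypothetical format): follower key plus signature over followMsg.
type FollowProof struct {
	Follower ed25519.PublicKey
	Sig      []byte
}

// followMsg names the followee, so a proof cannot be replayed onto another list.
func followMsg(followee string) []byte { return []byte("follow:" + followee) }

// NewProof is what a follower would attach to its follow request.
func NewProof(priv ed25519.PrivateKey, followee string) FollowProof {
	return FollowProof{priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, followMsg(followee))}
}

// SpotCheck verifies k random proofs (all if k is out of range) and counts invalid ones.
func SpotCheck(followee string, proofs []FollowProof, k int, seed int64) (bad int) {
	idx := rand.New(rand.NewSource(seed)).Perm(len(proofs))
	if k < 0 || k > len(idx) {
		k = len(idx)
	}
	for _, i := range idx[:k] {
		// Length check first: ed25519.Verify panics on a malformed public key.
		if p := proofs[i]; len(p.Follower) != ed25519.PublicKeySize ||
			!ed25519.Verify(p.Follower, followMsg(followee), p.Sig) {
			bad++
		}
	}
	return bad
}

// BuildList returns n constructed proofs from fresh keys, all signed for signedFor.
func BuildList(signedFor string, n int) []FollowProof {
	var out []FollowProof
	for i := 0; i < n; i++ {
		_, priv, _ := ed25519.GenerateKey(nil)
		out = append(out, NewProof(priv, signedFor))
	}
	return out
}

func main() {
	list := append(BuildList("peer-A", 50), BuildList("peer-B", 50)...)
	fmt.Println("invalid in sample of 10:", SpotCheck("peer-A", list, 10, 1))
}
```

If a fraction f of a list is forged, a sample of k proofs misses every forgery with probability about (1 - f)^k, so a small k is enough to catch large-scale padding but not a handful of fake entries.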