wintifrosch / OCAWAN__Open_Cardano_Wallet_Nickname__predraft

Draft version for a Cardano Improvement Proposal (CIP) to create a registry for user-friendly wallet nicknames (OCAWAN)

Phishing attack prevention #3

Open wintifrosch opened 2 years ago

wintifrosch commented 2 years ago

Any registrar MUST verify (and guarantee to all future users of a nickname) the legitimacy of a nickname. On what basis can we trust a registrar? How can we ensure that even trusted registrars will add one single fraudulent record?

wintifrosch commented 1 year ago

It's better to not trust the registrar. The registrar may even omit verifying the claim and publish whatever the user is presenting. The user brings a URL in the nickname metadata, where anyone can verify the claim.

There will be a bunch of different types of claims, like «twitter account» or «google account», each with its own verification method.

The effort needed to create such a verifiable claim depends, and the same is true for the verification process. If the registrar is not able to verify the claim before registering a nickname, the nickname registration will fail, causing costs for nothing.

Probably we need open source code snippets for every supported «claim type», maybe in several programming languages.
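
An added example, not part of the original thread or the OCAWAN draft: a sketch of how anyone could check the URL a user puts in the nickname metadata for the «twitter account» claim type, without trusting the registrar. The record fields, the `ocawan-proof:` line format and the per-type host list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: proof hosts pinned per claim type (claim types are from the thread).
ALLOWED_HOSTS = {
    "twitter account": {"twitter.com"},
    "google account": {"sites.google.com"},
}

def verify_claim(record, fetch):
    """Check one hypothetical nickname record; fetch(url) returns the proof text or None."""
    hosts = ALLOWED_HOSTS.get(record["claim_type"])
    if hosts is None:
        return False, "unsupported claim type"
    try:
        url = urlsplit(record["proof_url"])
        port = url.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed proof URL"
    if url.scheme != "https":
        return False, "proof URL must use https"
    if url.username or url.password or port not in (None, 443):
        return False, "unexpected userinfo or port"
    if (url.hostname or "").lower() not in hosts:
        return False, "host not allowed for claim type"
    # The proof must live under the claimed account, not just on the right site.
    segments = [s for s in url.path.split("/") if s]
    if not segments or segments[0].lower() != record["handle"].lower():
        return False, "proof is not under the claimed account"
    # Exact line match binds nickname and address together; substring checks would not.
    expected = "ocawan-proof:{nickname}:{address}".format(**record)
    body = fetch(record["proof_url"]) or ""
    if expected not in (line.strip() for line in body.splitlines()):
        return False, "proof does not bind nickname to address"
    return True, "ok"

# Constructed sample data: the address and posts are placeholders, not real values.
GOOD = {"claim_type": "twitter account", "handle": "alice", "nickname": "alice.pay",
        "address": "addr1_constructed_example", "proof_url": "https://twitter.com/alice/status/1"}
PAGES = {
    "https://twitter.com/alice/status/1": "hello\nocawan-proof:alice.pay:addr1_constructed_example\n",
    "https://twitter.com/alice/status/2": "ocawan-proof:alice.pay:addr1_other_constructed\n",
}

def check(**changes):
    """Verify GOOD with some fields overridden, using the constructed PAGES as the web."""
    return verify_claim({**GOOD, **changes}, PAGES.get)

if __name__ == "__main__":
    print(check())
    print(check(proof_url="https://twitter.com.proofs.example/alice/status/1"))
```

`fetch` is injected so the same checks can run against a real HTTP client or, as here, an offline dictionary of constructed pages.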

wintifrosch commented 1 year ago

See page Proof of nickname ownership for more thoughts about the effort needed to provide or verify a claim of nickname ownership.

While providing and verifying those claims seems to be easy for social media account handles, it seems hard for mobile numbers and for e-mail addresses - the ones expected to be most requested by users.