
Comment by Sargos

4 years ago

> I don't think you necessarily need blockchain. Can't you just prove that you are who you say by signing something and sending it to the service?

It's important to remember that blockchains are just public-key cryptography where you have a private key that can sign things and, importantly, everyone knows everyone else's verified public keys. That's it. It solves the key distribution and verification problem that PGP, TLS, etc. have, and this enables a lot of use cases such as universal private communication channels and authentication.

Signing the message is key for this, yes, but knowing that a certain key is connected to a specific user and that user having the ability to use it to sign verified messages everyone in the world can trust is the real utility here and what makes this universal SSO system work well.
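The sign-a-challenge login discussed in the comment above, as an added example that is not part of the original thread: each service issues a one-time challenge bound to its own name, and a valid signature tells it only which key holder is logging in. The service names, message format and function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// SHA-256 over the DER-encoded public key: the only "identity" a service learns.
function fingerprint(publicPem) {
  const der = crypto.createPublicKey(publicPem).export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// User side: one Ed25519 key pair reused across services.
function newIdentity() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { privateKey, publicPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}
function signChallenge(identity, message) {
  return crypto.sign(null, Buffer.from(message), identity.privateKey);
}

// Service side: one-time challenges bound to the service's own name.
class Service {
  constructor(name) { this.name = name; this.pending = new Set(); }
  challenge() {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.pending.add(nonce);
    return `login:${this.name}:${nonce}`;
  }
  // Returns the key fingerprint on success, null on any failure.
  login(publicPem, message, signature) {
    const [tag, service, nonce] = message.split(':');
    if (tag !== 'login' || service !== this.name) return null; // signed for another service
    if (!this.pending.delete(nonce)) return null;              // unknown or already used
    const key = crypto.createPublicKey(publicPem);
    return crypto.verify(null, Buffer.from(message), key, signature) ? fingerprint(publicPem) : null;
  }
}

// Constructed scenario: two hypothetical services, one user, one stranger.
function demo() {
  const forum = new Service('forum.example');
  const blog = new Service('microblog.example');
  const user = newIdentity(), stranger = newIdentity();
  const c1 = forum.challenge(), s1 = signChallenge(user, c1);
  const c2 = blog.challenge(), c3 = forum.challenge(), c4 = forum.challenge();
  return {
    forumLogin: forum.login(user.publicPem, c1, s1),
    blogLogin: blog.login(user.publicPem, c2, signChallenge(user, c2)),
    replay: forum.login(user.publicPem, c1, s1),                            // nonce consumed
    crossService: blog.login(user.publicPem, c3, signChallenge(user, c3)),  // forum challenge
    wrongKey: forum.login(user.publicPem, c4, signChallenge(stranger, c4)), // not the key holder
  };
}
```

Both successful logins return the same fingerprint, which links the two accounts to one key holder; nothing in the exchange ties that fingerprint to a named person.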

But it doesn't solve that at all since there's no way to tie something on the blockchain to the real world. All the same problems of knowing whether some particular PGP key belongs to the person you want apply the same to a wallet address.

  • I probably should have worded it differently to avoid that connotation. There are a lot of identity protocols but that's not what I was focusing on.

    On HN I am Sargos. You know this because I am replying to you and only I can do that with this account. I can also tell you that I'm @JamesCarnley on Twitter but there's no way for you to verify that. If I were using my public key to log into HN and Twitter you would know those are both my accounts and thus my persona is verified across multiple applications. If I were to link my public key to my government's identity database then you'd also be able to verify I am really James in real life as well.

How does everyone know everyone's verified public keys? How are they verified? Who does the verification? How do you trust the verifiers? How do you know that person x in the real world has pubkey x?

  • Verified probably isn't the right word here. Authentic would probably work better.

    I as a person have accounts on lots of apps but no real way to prove I own all of them. When you use a public key as your identifier then everyone can verify that the entity that owns Sargos on HN also owns Blah on Reddit if I want them to. Essentially you can trust that the digital entity you are interacting with is the digital entity you knew and trusted on the rest of the web in the past.

    If you are using a web3 app and see vitalik.eth then you know for a fact that it's Vitalik Buterin. Unfortunately we only know this for sure because he said that is his address in public but there are many identity protocols trying to solve this problem and if you were to tie your public key to your government's identity database then you would be able to prove real world provenance.

  • 1. They can (theoretically) examine the whole ledger.

    2. Your possession of the private key “verifies” your public key, if someone takes it they are now you.

    3. Depends on the consensus mechanism but in the best case, “everyone” and in the worst case “coinbase.”

    4. You don’t trust them, the system is supposed to be trustworthy with untrustworthy participants, and when that’s not true you will just have to trust the architects of the hard fork.

    5. Magical off-chain oracle!

This description fits Keybase equally well, which never really took off into mainstream and then shot itself in the foot by being acquired by Zoom.

Also GPG doesn’t have a key distribution problem. You can spin up a keyserver or use a popular existing one.