Switch back to email addresses as usernames #35
Comments
Our plan for account recovery (after a user loses their long-term private key) was to allow a user to reset their account if they haven't extracted a key in 30 days. However, with first-come-first-serve usernames, there is no way to alert the user or verify their reset request. This could lead to usernames being stolen if a user goes offline for an extended period. With email addresses, there is a clearer recovery plan: we can verify that the user owns their email address (by sending a confirmation email) before resetting the account. The new flow for creating an account is as follows: 1. The user signs up with the registrar (https://vuvuzela.io). 2. The registrar sends a preregistration request to each PKG. This causes each PKG to send a verification email to the user. 3. Each email contains a token that the user must paste into the Vuvuzela client to complete the account registration. This step associates the long-term key of the Vuvuzela client with the user's email address. In the future we may use DKIM or a local webserver to avoid having to copy and paste from multiple emails. The PKGs send email through an SMTP relay that should be configured in the PKG's config file. This commit also tweaks the PKG's HTTP routes. See issue vuvuzela/vuvuzela#35.
|
I have updated vuvuzela-client today but can not register (tried with gmail and protonmail email accounts). Got the same error:
|
|
Sorry about that. New user registration is temporarily disabled while we transition to the new system. I've updated the website to reflect that. Everything should be up and running again in a week or so. |
|
So what's stopping you from impersonating users? |
|
The PKGs verify your email address when you create an account. |
That really doesn't make sense to me, as there's nothing secure about "verify [email]". If your servers have the ability to reset keys at will, it means the protocol is insecure. I'm skimming the Alpenhorn paper right now to get a better idea, and I noticed a section on "Worst-case security" that says:
OK, well:
That is in contradiction to what's implied by this issue: that servers can reset keys at will, meaning there is no TOFU.
If Alpenhorn did this, which it doesn't, there would be no need for "PKGs", and the protocol would be secure. Rebooting Web Of Trust has two relevant blockchain-agnostic concepts for this: Decentralized PKI (DPKI) and Decentralized Identifiers (search for DID here). Am I misunderstanding something? |
|
Like Vuvuzela, Alpenhorn is anytrust. There are several PKGs operated by independent parties and Alpenhorn's security guarantees hold if all but one are compromised. The honest PKG will not reset a user's key without verification or until the account becomes inactive. The "Worst-case security" section considers the case where our assumption doesn't hold. In that case, we could use public ledgers, Keybase, etc in addition to the PKGs, but I'd rather make the assumption hold by having more people contribute PKGs. |
I don't understand how that sentence is compatible with this sentence you wrote earlier:
Who is the "we" that is resetting the account? If they are independent, how are they able to reset it? Is there a conference call that is held for each request to reset the keys with the independent operators who all vote on whether or not the account should be reset? If not, how can you claim they are independent? |
|
We haven't implemented account recovery, but I'm thinking it will work as follows:
The user can ensure that their key/account wont be reset by staying active (i.e., extracting a key from each PKG at least once every 30 days). |
So I don't know whether users will find that workable. You might find some of the social-recovery stuff we've worked on as part of RWOT potentially useful (example). There are some projects lifting off the ground that actually implement these identity systems, and what's cool about them is that users have real ownership over their identity, and social-recovery can work with multiple devices that the user owns as well (2-of-3 multisig etc.). |
Our plan for account recovery (after a user loses their long-term private key) was to allow a user to reset their account if they haven't extracted a key in 30 days. However, with first-come-first-serve usernames, there is no way to alert the user or verify their reset request. This could lead to usernames being stolen if a user goes offline for an extended period. With email addresses, there is a clearer recovery plan: we can verify that the user owns their email address (by sending a confirmation email) before resetting the account. The new flow for creating an account is as follows: 1. The user signs up with the registrar (https://vuvuzela.io). 2. The registrar sends a preregistration request to each PKG. This causes each PKG to send a verification email to the user. 3. Each email contains a token that the user must paste into the Vuvuzela client to complete the account registration. This step associates the long-term key of the Vuvuzela client with the user's email address. In the future we may use DKIM or a local webserver to avoid having to copy and paste from multiple emails. The PKGs send email through an SMTP relay that should be configured in the PKG's config file. This commit also tweaks the PKG's HTTP routes. See issue vuvuzela/vuvuzela#35.
Our plan for account recovery (after a user loses their long-term private key) was to allow a user to reset their account if they haven't extracted a key in 30 days. However, with first-come-first-serve usernames, there is no way to alert the user or verify their reset request. This could lead to usernames being stolen if a user goes offline for an extended period. With email addresses, there is a clearer recovery plan: we can verify that the user owns their email address (by sending a confirmation email) before resetting the account. The new flow for creating an account is as follows: 1. The user signs up with the registrar (https://vuvuzela.io). 2. The registrar sends a preregistration request to each PKG. This causes each PKG to send a verification email to the user. 3. Each email contains a token that the user must paste into the Vuvuzela client to complete the account registration. This step associates the long-term key of the Vuvuzela client with the user's email address. In the future we may use DKIM or a local webserver to avoid having to copy and paste from multiple emails. The PKGs send email through an SMTP relay that should be configured in the PKG's config file. This commit also tweaks the PKG's HTTP routes. See issue vuvuzela/vuvuzela#35.
This simply tweaks how usernames are validated. Email addresses will be verified by the registrar (the vuvuzela.io website). See issue vuvuzela/vuvuzela#35.
|
PKG2 appears to be an issue. Can't connect due to inconsistent PKG status Has this been resolved? PKG pkg1.vuvuzela.io:8443: OK |
Currently, with usernames, there isn't a good recovery mechanism for users that lose their keys. Originally we were thinking to let a user reset their account if they haven't extracted a key in 30 days (with no further verification), but this would lead to users losing their usernames if they go offline for an extended period.
With email addresses, we could at least verify that the user owns their email address before resetting the account. This would mean that users don't have to worry as much about losing their username, even if they go offline for a long time.
This is technically an issue with Alpenhorn, but I'm posting it here for wider visibility.
The text was updated successfully, but these errors were encountered: