The thing that is telling to me about DMs is that we *have* federated direct message protocols like XMPP which have been around for ages; if Bluesky wanted to they could have tacked that on pretty quickly, E2EE or not.
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
I was kind of exiting that particular area of standards when this happened but colleagues will tell you that I, and some others, were deeply upset and troubled by this
"Sure having a nearly no-op DID to pass the test suite is helpful but it shouldn't be labeled as a DID, people will get confused!"
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
Confusion, on its own, is one thing. But the problem is when confusion turns into decentralization-washing.
"This is going to turn into decentralization-washing!"
"It's just to pass the test suite!"
[... time passes ...]
"Actually we like did:web now, it's a DID method everyone can implement!"
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
And of course once the door was open to did:web, the door was open to everything! Decentralization is now no longer a requirement for DIDs. You can make a centralized DID method and call it a "Decentralized Identifier" and you're right because it implements a spec named "Decentralized identifiers"
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
But it's ONLY EXPERTS IN DIDs WHO UNDERSTOOD THIS
Most users hear "Decentralized Identifiers" and they think they know what's being delivered; the distinction between the *spec* being called that and the *mechanism used* being centralized... you have to go digging to find that out
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
So did:web is not only useless, it misleads people about the problem domain entirely, but hey it's now the most broadly deployed DID method in the world, congrats everyone!
Speaking of centralized Decentralized Identifiers, did I mention that did:plc is centralized?
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
For that matter, where did the term did:plc come from? Early versions of "did:plc" documentation called it the "Placeholder" DID method, that's what it stands for, to motivate changing it later
Well the docs no longer say that, it now says "Public Ledger of Credentials"
Good backronym, but...
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
did:plc is centralized, and that bothers me because once again, users think something is more decentralized than it is, because they're being *told* it's decentralized
The particular way in which did:plc is centralized doesn't bug me too much but once again, few users have read into this
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
If you read the documentation of did:plc, they're actually quite upfront about did:plc's centralization being non-ideal. That's good, I appreciate that. Again, you gotta dig though, and the name misleads (which is, to be fair, the original sin of the DID Working Group)
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
(aside: wow my eyes are getting tired from staring at my monitor while I recap what was a 24-page blogpost, why do I do this to myself)
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
Aside from being irritated about the name misleading, I don't mind the centralization of did:plc too much (other things, I am more concerned about, we'll get there)
There's one organization that can be queried via their API that keeps a definitive list of certificates and their updates
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
In theory, once a DID is registered with Bluesky, it cannot be altered by Bluesky, because a cryptographic update from the original key is necessary; it's a certificate chain, a good design
Bluesky can refuse to share did:plc documents or their updates, but it can't manufacture updates
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
This is pretty good tbh, it lowers the stakes a lot to have certificate chains
I love certificate chains, certificate chains are great
Honestly, having a centralized registry for them, it's not the best but it's not the worst (aside from that damn naming thing)
However...
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
There are some strange, strange things about did:plc that heighten the centralization concerns and, well
I'm not a cryptographer, but some of my good friends are cryptographers, etc etc. I got some... reactions to what is to follow
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
The first strange thing to me is that did:plc uses sha256 and, AFAICT, not sha256d (which is really just running sha256 again over the hash). Unless I am missing something? Am I wrong?
Maybe it's not a concern because of doc parsing but it's best practice to protect against length extension attacks
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
The next concerning thing is that did:plc truncates the hash to just *15 bytes* of entropy.
I'm... again I'm not a cryptographer, but why throw away all that delicious entropy? So the DID fits in 32 characters? Weird choice, and it means collisions are cheaper
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
This is public information, I don't need to file a CVE to tell you about the truncation of entropy. I am, again, not a cryptographer. Maybe it's fine?
I do remember the Debian short IDs fiasco tho https://gwolf.org/2016/06/stop-it-with-those-short-pgp-key-ids.html
Why not hold onto all the entropy you can get?
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
DIDs weren't meant to be seen by the user; cryptographic identifiers in general *shouldn't be*, they should be encapsulated in the UI.
We'll get to UI stuff in a bit.
I just don't understand this decision though, it just seems weird to me but maybe a cryptographer will tell me it's fine, actually
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
At any rate, I continue to not understand it, maybe it's fine, but it did play a part in that "Hijacking Bluesky Identities with a Malleable Deputy" blogpost, which is fascinating and, unlike me, is written by a Real Cryptographer (TM) https://www.da.vidbuchanan.co.uk/blog/hacking-bluesky.html
Good post btw
-
Christine Lemmer-Webber replied to Christine Lemmer-Webber
One way in which the truncation shows up in that blogpost which I thought was curious is that the attack involved generating a *longer* truncated hash
The fix ended up resulting in codifying the hash length: 24 characters, and no longer https://github.com/did-method-plc/did-method-plc/pull/31
-
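An added example, not code from the thread or from the did:plc project, serving both the truncation posts above (15 bytes / 32-character DID) and the fix that pins the identifier to exactly 24 characters: it derives an identifier the way the posts describe (sha256, base32, truncated), validates the now-codified length strictly, and runs a birthday search on a short truncation to show how collision cost scales with retained bits. Assumption: `genesis_bytes` stands in for the DAG-CBOR encoding of the signed genesis operation that the real method hashes; all inputs here are constructed.

```python
import base64
import hashlib
import math
import re

# did:plc identifiers are "did:plc:" plus 24 lowercase base32 characters (a-z, 2-7), nothing longer.
PLC_ID_RE = re.compile(r"did:plc:[a-z2-7]{24}")

def plc_identifier(genesis_bytes: bytes, length: int = 24) -> str:
    """sha256 of the genesis operation, base32 (lowercase, unpadded), truncated to `length` chars.
    `length` is a knob for the example only; the fixed spec uses exactly 24."""
    digest = hashlib.sha256(genesis_bytes).digest()
    b32 = base64.b32encode(digest).decode("ascii").lower().rstrip("=")
    return "did:plc:" + b32[:length]

def is_canonical_plc(did: str) -> bool:
    """Strict check: exactly 24 base32 characters, so a longer truncation of the same hash is rejected."""
    return PLC_ID_RE.fullmatch(did) is not None

def retained_bits(length: int) -> int:
    """Each base32 character carries 5 bits: 24 chars -> 120 bits -> 15 bytes."""
    return length * 5

def birthday_trials(bits: int) -> float:
    """Expected number of random hashes before two share the same `bits`-bit prefix (50% point)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def find_truncated_collision(bits: int, seed: bytes = b"genesis-"):
    """Birthday search over constructed genesis ops until two share the first `bits` bits of sha256.
    Returns (trials, op_a, op_b). Feasible here only because `bits` is tiny compared to 120."""
    seen = {}
    counter = 0
    while True:
        candidate = seed + counter.to_bytes(8, "big")
        prefix = int.from_bytes(hashlib.sha256(candidate).digest(), "big") >> (256 - bits)
        if prefix in seen:
            return counter + 1, seen[prefix], candidate
        seen[prefix] = candidate
        counter += 1

if __name__ == "__main__":
    did = plc_identifier(b"constructed genesis op")
    print(did, len(did), is_canonical_plc(did))
    print("bits kept:", retained_bits(24), "-> ~2^%.1f trials to collide" % math.log2(birthday_trials(120)))
    trials, a, b = find_truncated_collision(24)
    print("24-bit prefix collision after", trials, "trials")
```

The numbers are the whole point: 120 retained bits put a generic collision at roughly 2^60 work, which is out of reach today but far below the 2^128 the full digest would give, and the birthday search on a 24-bit prefix finds a pair in a few thousand hashes, the same scaling that made 32-bit PGP key IDs forgeable. The strict regex is what the length fix amounts to in practice: an identifier is either exactly 24 characters of the hash or it is not a did:plc identifier.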
Christine Lemmer-Webber replied to Christine Lemmer-Webber
There's another thing about that blogpost that caught my attention. I will just quote it:
> However, there's one other factor that raises this from "a curiosity" to "a big problem": bsky.social uses the same rotationKeys for every account.