Gregory's ServerThe other requirement you would expect, based on the name, is that Decentralized Identifiers are *actually decentralized*.
When I got involved in DID work, that was actually the expectation of everyone. Then it was loosened. What? Why on earth?!
|
227 comments
 "Now wait Christine, didn't you say earlier that the web is decentralized and open? So therefore, did:web is decentralized and open" Yeah but the naming system of the web is CENTRALIZED We use DNS and ICANN (and then we add another centralization layer with TLS/SSL CAs)! Everyone in the DID standards space KNEW that did:web was centralized, so why on earth was a centralized identifier permitted for something named "Decentralized Identifiers"? The answer is easy. did:web is easy to implement, many DID methods were not. did:web existed for test suites. I was kind of exiting that particular area of standards when this happened but colleagues will tell you that I, and some others, were deeply upset and troubled by this "Sure having a nearly no-op DID to pass the test suite is helpful but it shouldn't be labeled as a DID, people will get confused!" Confusion, on its own, is one thing. But the problem is when confusion turns into decentralization-washing. "This is going to turn into decentralization-washing!" "It's just to pass the test suite!" [... time passes ...] "Actually we like did:web now, it's a DID method everyone can implement!" And of course once the door was open to did:web, the door was open to everything! Decentralization is now no longer a requirement for DIDs. You can make a centralized DID method and call it a "Decentralized Identifier" and you're right because it implements a spec named "Decentralized identifiers" But it's ONLY EXPERTS IN DIDs WHO UNDERSTOOD THIS Most users hear "Decentralized Identifiers" and they think they know what's being delivered, the distinction between the *spec* being called that and the *mechanism used* being centralized... you have to go digging to find that out So did:web is not only useless, it misleads people about the problem domain entirely, but hey it's now the most broadly deployed DID method in the world, congrats everyone! Speaking of centralized Decentralized Identifiers, did I mention that did:plc is centralized? For that matter, where did the term did:plc come from? Early versions of "did:plc" documentation called it the "Placeholder" DID method, that's what it stands for, to motivate changing it later Well the docs no longer say that, it now says "Public Ledger of Credentials" Good backronymn, but... did:plc is centralized, and that bothers me because once again, users think something is more decentralized than it is, because they're being *told* it's decentralized The particular way in which did:plc is centralized doesn't bug me too much but once again, few users have read into this If you read the documentation of did:plc, they're actually quite upfront about did:plc's centralization being non-ideal. That's good, I appreciate that. Again, you gotta dig though, and the name misleads (which is, to be fair, the original sin of the DID Working Group) (aside: wow my eyes are getting tired from staring at my monitor while I recap of what was a 24 page blogpost, why do I do this to myself) Aside from being irritated about the name misleading, I don't mind the centralization of did:plc too much (other things, I am more concerned about, we'll get there) There's one organization that can be queried via their API that keeps a definitive list of certificate and their updates In theory, once a DID is registered with Bluesky, it cannot be altered by Bluesky, because a cryptographic update from the original key is necessary; it's a certificate chain, a good design Bluesky can refuse to share did:plc documents or their updates, but it can't manufacture updates This is pretty good tbh, it lowers the stakes a lot to have certificate chains I love certificate chains, certificate chains are great Honestly, having a centralized registry for them, it's not the best but it's not the worst (aside from that damn naming thing) However... There are some strange, strange things about did:plc that heightens the centralization concerns and, well I'm not a cryptographer, but some of my good friends are cryptographers, etc etc. I got some... reactions to what is to follow The first strange thing to me is that did:plc uses sha256 and, AFAICT, not sha256d (which is really just running sha256 again over the hash). Unless I am missing something? Am I wrong? Maybe it's not a concern because of doc parsing but it's best practice to protect against length extension attacks The next concerning thing is that did:plc truncates the hash to just *15 bytes* of entropy. I'm... again I'm not a cryptographer, but why throw away all that delicious entropy? So the did fits in 32 characters? Weird choice, and it means collisions are cheaper  @cwebber is trashing some entropy useful to provide some of the properties @soatok mentions in his post from yesterday? https://soatok.blog/2024/11/21/key-transparency-and-the-right-to-be-forgotten/  This is public information, I don't need to file a CVE to tell you about the truncation of entropy. I am, again, not a cryptographer. Maybe it's fine? I do remember the Debian short IDs fiasco tho https://gwolf.org/2016/06/stop-it-with-those-short-pgp-key-ids.html Why not hold onto all the entropy you can get? DIDs weren't meant to be seen by the user; cryptographic identifiers in general *shouldn't be*, they should be encapsulated in the UI. We'll get to UI stuff in a bit. I just don't understand this decision though, it just seems weird to me but maybe a cryptographer will tell me it's fine, actually At any rate, I continue to not understand it, maybe it's fine, but it did play a part in that "Hijacking Bluesky Identities with a Malleable Deputy" blogpost, which is fascinating and, unlike me, is written by a Real Cryptographer (TM) https://www.da.vidbuchanan.co.uk/blog/hacking-bluesky.html Good post btw One way in which the truncation shows up in that blogpost which I thought was curious is that the attack involved generating a *longer* truncated hash The fix ended up resulting in codifying the hash length: 24 characters, and no longer https://github.com/did-method-plc/did-method-plc/pull/31 There's another thing about that blogpost that caught my attention. I will just quote it: > However, there's one other factor that raises this from "a curiosity" to "a big problem": bsky.social uses the same rotationKeys for every account. > This is an eyebrow-raising decision on its own; apparently the cloud HSM product they use does billing per key, so it would be prohibitively expensive to give each user their own. (I hear they're planning on transitioning from "cloud" to on-premise hosting, so maybe they'll get the chance to give each user their own keypair then?)  Anyway that's the quote and presumably this must be changed. I haven't looked, but I can't imagine they're still doing this today (are they?) but the fact that only one key was ever used in production for expense purposes is a strange decision At any rate, that decision was used to create a kinda confused deputy-ish attack, which is why it came up in the blogpost, and anyway, hi, I'm not a cryptographer, momentary reminder that I am not a cryptographer, but I have designed cryptographic certificate chains and I was pretty shocked by that At any rate, one way or another, you can presumably use did:plc to move yourself from one server to another so in the interest of "credible exit" this is a good choice Though, one might take a moment to ask: who controls the keys if you *do* want to move? Bluesky has identified, I'd say correctly even, that key management for users is an *incredibly* hard thing to do. But the solution, once again, ends up pretty centralized: for all users on Bluesky's main servers at least, Bluesky generates and manages the keys for them. I am, once again, kinda sympathetic and kinda unsettled simultaneously. - Sympathetic: key management *is* hard and we just don't have the UX answers to solve that, and Bluesky is once again trying to deliver to Twitter refugees The big promise here, the "credible exit" side of things is that for most users, the vision they have is that if Bluesky gets bought by a big evil company, no problem, move somewhere else But for those same users, Bluesky still *controls their keys* and thus *controls their destiny* Regardless, Bluesky has this "your domain is your id!" thing, and that's pretty cool, the domain maps to your DID and your DID maps to your domain Well, I'm not gonna get into this in detail here, I do on the blogpost if you wanna read it but, the cyclic dependency might be an actual cycle tl;dr on that UX part: - users only know domains, they don't know the DIDs in addition to this long-ass thread there is a long-ass article and if you care about things like "zooko's triangle" maybe read that version, the rest of y'all can move on we've got other stuff to cover here It is time for TEA BREAK 2: THE REHEATENING I will also go to the bathroom TMI? If you've read this far into this weird thread I am already giving you too much info === TEA BREAK 2 === @cwebber I'mo reply-guy you here: "Well, actually, tho I didn't understand everything, I got new bits and pieces I hadn't understood before, and I'm glad you wrote it." Enjoy "The Reheatening". I heard the special effects were *wild*.  @cwebber Enjoying this thread, although afterwards it would be amazing if you'd roll it into a blog post.   @cwebber I think it's great that you're modeling for people that they should take breaks and take care of their bodies. I have returned, with tea I am still not reading notifications. Well, I have seen a few fly by on the fediverse which is blipping and blooping nonstop in the Mastodon UI so people are clearly reading it there Bluesky says "30+". How big is the +?? I will resist temptation to look and assume "31"  Shouldn't this be 20 bytes? There are 32 characters, and each character is base32, or 5 bits. So 160 bits? Edit: nope, wrong. I don't *think* there's a huge concern over this, because while maybe you could do a birthday collision attack in 80 bits, this wouldn't really get you much and wouldn't let you take over someone else's account. For that you'd need a pre-image attack on the whole 160 bits. Edit: 120 bits pre-image, but I think the point stands? *Also not a cryptographer!!* @fontenot no because the 32 characters includes the "did:plc:"  @cwebber Good heavens, why is my brain misreading “did:plc” as “dick pic”? Wait, on second thought, don’t tell me. @cwebber Hey Christine, big fan of your work, but holy yapfest. World record for longest fedi thread?? |
The reason actually stems from the first centralized DID method that Bluesky supports: did:web.
did:web is centralized, and kinda useless. It just works by a regex rewrite of the DID's name to an https URI and then it's retrieved. Anywhere you use did:web, you could have just used an https: URI