1/ Universal Avatar on Bitcoin & Paymail.
The thread attempts to elucidate the nuances involved regarding on-chain identity, self-sovereignty, security & privacy.
The thread attempts to elucidate the nuances involved regarding on-chain identity, self-sovereignty, security & privacy.
2/ I have great respect for @_unwriter for his significant contributions. This is a focused critique on Bitpic-Paymail solution.
Building a decentralized avatar on Paymail, is building on shaky ground.
Building a decentralized avatar on Paymail, is building on shaky ground.
@_unwriter 3/
The user’s (Paymail PKI) public key is not stored on-chain (cannot as well) and is issued/authorized by the Paymail service provider, while the bitpic provider stores the mapping of paymailID 🡘 publickey 🡘 signed_avatar.
The user’s (Paymail PKI) public key is not stored on-chain (cannot as well) and is issued/authorized by the Paymail service provider, while the bitpic provider stores the mapping of paymailID 🡘 publickey 🡘 signed_avatar.
@_unwriter 4/
The bitpic (indexing) nodes are at the mercy of (needs Trust) the Paymail provider (federated) to issue genuine Public-key in the first place, and does not prevent a compromised paymail provider from overriding the true avatar.
The bitpic (indexing) nodes are at the mercy of (needs Trust) the Paymail provider (federated) to issue genuine Public-key in the first place, and does not prevent a compromised paymail provider from overriding the true avatar.
@_unwriter 5/ The bitpic nodes will not be able to detect fraud, this is true even if they have pre-indexed the paymailID, as the public key associated with paymail handle can change under genuine circumstances too (per spec).
Also it requires trusting the bitpic provider (bitpic
Also it requires trusting the bitpic provider (bitpic
@_unwriter 6/ network,etc.), but you cant rule out vulnerabilities/compromises at a 3rd party. Yes you can host your own bitpic node, but in practice other such federated protocols are seldom self-hosted.
@_unwriter 7/
Besides, 3rd parties cant be relied upon as they may shut shop for whatever reason . @_unwriter
has stated this himself and infact pitches bitpic feature as an avatar archival service.
Besides, 3rd parties cant be relied upon as they may shut shop for whatever reason . @_unwriter
has stated this himself and infact pitches bitpic feature as an avatar archival service.
@_unwriter 8/ Trusting a website, should be out of question, whether it is paymail domain or a block-explorer for that matter.
In essence bitpic is an onchain “reference” to an identity that actually lives/authorized by a 3rd party, and hence not immutable or trustless.
In essence bitpic is an onchain “reference” to an identity that actually lives/authorized by a 3rd party, and hence not immutable or trustless.
@_unwriter 9/
Merely loading up the appropriate avatar does not enhance the security/ privacy (although not claimed) of the paymail payment protocol, but on the contrary it can mislead users into thinking that the identity is on-chain, and could lead to false sense of trust.
Merely loading up the appropriate avatar does not enhance the security/ privacy (although not claimed) of the paymail payment protocol, but on the contrary it can mislead users into thinking that the identity is on-chain, and could lead to false sense of trust.
@_unwriter 10/ e.g. the paymail providers’ API issues a wrong (malicious) destination address (hack, etc.). Not to mention the privacy concerns of a 3rd party (paymail provider) being privy to all your transactions.
@_unwriter 11/
Also I think this tweet is embellishment (if not disingenuous), as the true identity is authorized/held/issued by the Paymail provider. As the user does not register the paymail handle with Pubkey on-chain by own authority.
Also I think this tweet is embellishment (if not disingenuous), as the true identity is authorized/held/issued by the Paymail provider. As the user does not register the paymail handle with Pubkey on-chain by own authority.
@_unwriter 12/ A true self-sovereign solution would not require trusting any 3rd party whatsoever. The on-chain identity would be something you truly own & customize, not something provided to you as a service needing 3rd party authorization.
@_unwriter 13/ Also, a true self-sovereign payment system will trustlessly provide payment destination addresses (+ more) without any security or privacy compromises. All these would have to work completely on-chain.
@_unwriter 14/ And the nodes would serve light-clients (SPV with proofs) for both payments & names(ID/avatar/etc.)
You would also never have to interact with a website again, (websites are 3rd parties). A single sophisticated user friendly light client for all your needs.
You would also never have to interact with a website again, (websites are 3rd parties). A single sophisticated user friendly light client for all your needs.
@_unwriter 15/ (wallet/ full-explorer-SPVish-proofs/ media-uploads / (w̵e̵b̵)site hosting, browsing & more).
And for the dapp/app developers the nodes will come replete with comprehensive API suite, without the overhead and restrictions of the old Web , and you can rest-assured there…
And for the dapp/app developers the nodes will come replete with comprehensive API suite, without the overhead and restrictions of the old Web , and you can rest-assured there…
@_unwriter 16/ …is a distributed utility node operating over a secure P2P overlay network that tirelessly satisfies growing demands, without ever needing downtime too. The old web - HTTP /HTTPS/ REST/TLS/SSL/Websockets/DNS/DNSSEC – will be abandoned.
@_unwriter 17/
The primary concern of typical SPV wallets is ‘privacy’, as the serving nodes can trivially map Bitcoin addresses to IP addresses.
The primary concern of typical SPV wallets is ‘privacy’, as the serving nodes can trivially map Bitcoin addresses to IP addresses.
@_unwriter 18/ The new overlay network will route transactions privately & securely across multiple hops using the DHT similar to the Onion protocol so the true source of wallet lookups and transactions are not traceable. Thus you wont need to worry about Tor / VPN.
@_unwriter 19/ The usefulness of this system extends well beyond payment applications.
Paymail at scale undermines Bitcoin, by introducing an essentially “trusted-3rd-party” system (stating usability) over an inherently trustless protocol.
Paymail at scale undermines Bitcoin, by introducing an essentially “trusted-3rd-party” system (stating usability) over an inherently trustless protocol.
@_unwriter 20/ Other protocols that build around Paymail, unwittingly or not, will aid in corroding Bitcoin’s true power.
A self-sovereign on-chain protocol can provide uncompromising security, privacy, transparency & user liberty.
A self-sovereign on-chain protocol can provide uncompromising security, privacy, transparency & user liberty.
@_unwriter 21/ Also BSV at scale places special scalability demands & will render many generic solutions useless (typically forks of wallets /explorers/ API from other Bitcoin chains).
@_unwriter 22/
We are building an open protocol (#Allegory/#Allpay) based ecosystem, that satisfies the above requirements, & comes with a user friendly wallet that works with ‘names’(goodbye to unwieldy addresses) & will be released in phases in 2020.
We are building an open protocol (#Allegory/#Allpay) based ecosystem, that satisfies the above requirements, & comes with a user friendly wallet that works with ‘names’(goodbye to unwieldy addresses) & will be released in phases in 2020.
