NIP-41: simple account migration #829
Conversation
Important noteI still think we should have social recovery, pubkey nuking and other stuff that was discussed in other PRs but I want to get a first building block merged before we open other cans of worms. |
|
Is relying on bitcoin existence good for such important protocol feature? I mean, who knows what will happen to bitcoin after CBDCs or after some new fancy future crypto coin launch? Related draft PR using relay clocks instead of OTS: #782 But if people think OTS is the way to go, consider using "z" (#539 authorized deletion pubkey tag) set to the backup pubkey to prevent hacker from deleting previous |
Yes, trying to avoid depending on bitcoin is important. But let's not make that be the line in the sand. We depend on the internet. We depend on electricity. We don't exist in a technology vacuum. Out of all the proposals thus far this is by far the simplest and most straightforward. |
41.md
Outdated
| * `kind:1776` whitelists a pubkey. | ||
| * `kind:1777` migrates to a previously whitelisted pubkey. | ||
| * `kind:1776` and `kind:1777` MUST be opentimestamped [NIP-03](https://github.com/nostr-protocol/nips/blob/master/03.md). | ||
| * When a migration event is published, a 30-day period starts in which a user can publish a competing migration event pointing to an earlier `kind:1776` event. After this period, clients SHOULD automatically update the user's follow list to the new pubkey. |
There was a problem hiding this comment.
So does this mean events published with the new key aren't considered valid for 30 days? It seems like clients could eagerly respect the migration event and switch immediately to the new key, revoking that trust if a competing migration event gets published.
There was a problem hiding this comment.
Perhaps 30-days is too long a time-window, but I think some delay is needed, otherwise an attacker publishing a revoking event would get exclusive control of the user's key and make things really difficult.
Adding the ability to have to rollback a migration opens a lot more complexity in my opinion, I think once a migration event is effective it should not be possible to roll it back.
But maybe 30-days is too long and this should be more like 2 weeks. Users can also use watchtowers to timestamp+publish kind:1777.
There was a problem hiding this comment.
30 days is not a long time window, in fact it is a short time window.
Clients that want to get fancy about it can follow both keys during that timeframe and add warnings to the users or something like that, as long as the result after 30 days is the same -- but these tricks don't have to be specified in the NIP.
|
On Wed, Oct 18, 2023 at 11:29:49AM -0700, nvk wrote:
> Is relying on bitcoin existence good for such important protocol feature? I mean, who knows what will happen to bitcoin after CBDCs or after some new fancy future crypto coin launch? Related draft PR using relay clocks instead of OTS: #782
>
> But if people think OTS is the way to go, consider using "z" (#539 authorized deletion pubkey tag) set to the backup pubkey to prevent hacker from deleting previous `kind:1776` event.
Yes, trying to avoid depending on bitcoin is important. But let's not make that be the line in the sand. We depend on the internet. We depend on electricity. We don't exist in a technology vacuum.
Out of all the proposals thus far this is by far the simplest and most straightforward.
As much as I like OTS & bitcoin, I think tying a core protocol feature to it would be a mistake. Especially if we want mass adoption of this NIP for future keys.
|
|
Although reading through this I don't see a better way than OTS... 🤷♂️ |
Yeah, me too; we need to anchor to something that we can trust keeps order of events. The important thing is that I think we should have multiple mechanisms to do this (e.g. social recovery), and I think this is a simple one that would work. Every time we've discussed this topic we've let perfect+complete be the enemy of having a working building block. How about we merge this and we add other mechanisms to it later? |
|
I like this – it's simple and a great start. Obviously, it would be better to not anchor to specific external services, like Bitcoin, but I think we're all aware that this is just a first step and we'll continue working on more complete solutions in the future. |
|
I don't think this should be seem as a "core protocol" thing or a mandatory change. This is just one method, very fallible, to try to rescue people who have lost their keys. I think the NIP should be phrased as such and the expression "key rotation" should be removed and replaced with "identity recovery" or something like that. Given that, I don't understand the pushback against Bitcoin here while NIP-57 depends much more deeply on Bitcoin and it's a much more widespread feature and entangled with the idea of Nostr. Also, the Bitcoin dependency here can be completely hidden from end-users very easily, it's not as if clients will stop working if you don't have a full node running on your phone because of this. |
Co-authored-by: fiatjaf_ <[email protected]>
Co-authored-by: fiatjaf_ <[email protected]>
|
So, If I am an attacker and my target doesn't have a white-listed key to migrate to, I can get my target's nsec, migrate my target's posts to a new key that only I control, and shut my target away from his/her own posts? If this is true, then we better force all keys to white-list their next one asap. |
|
We need a "nuke account" option for when someone is doing that and you don't have a whitelisted account prepared. "someone is trying to steal your account, nuke it?" The nuke only works after 30 days too, to prevent people from stealing others' accounts and nuking them. I also think we should increase this interval. 30 days is not enough. |
Yes. Agreed. I think the onboarding process of new users should have some kind of disaster preparation (which is standard in other systems where information has some kind of value ("e.g. store this 2fa backup codes"). Probably not at first but after a user has used a new account "enough". |
|
Please consider the With that, there is no need for the 30-days delay. Client just picks the oldest one, which the attacker won't be able to delete. Edit: also add |
The 30-day window is needed regardless of the 1776 deletion; you need a time window because the attacker can publish a migration event before you do (they would publish a delete before you do and you need multiple
|
@staab posted here some use cases for delegating deletion. With the "z" tag we don't need to update relay code every time a new use case comes up.
Hmm got it. This is because of the |
41.md
Outdated
| [ "proof", "<kind:1040-event-id>" ], | ||
| [ "alt", "pubkey migration event" ], | ||
| [ "relays", "relay1", "relay2" ], | ||
| [ "mute" ] |
There was a problem hiding this comment.
do we need this? I feel like this should be a client preference. or clients prompting the user when performing the migration: "also mute the old key?"
it doesn't hurt to have this here, of course, I'm just thinking that every line we can eliminate from the NIP makes is more likely to be read.
There was a problem hiding this comment.
hahhaa, yeah, I debated whether to add it or not.
I'll take it out.
|
@jb55 @arthurfranca #158 is a way to do this without relying on Bitcoin or OpenTimestamps. As the PR says this just one option, we can have many, and this can be one of them we can investigate in the future. |
Do we have a couple implementers to make sure things are good? |
|
Good point, I had forgotten about that. Let's wait for the implementations. |
|
I'll write a micro-app for it 👍 |
|
This is really just another delegation spec and the knocks on NIP-26 apply, so it would make more sense to improve delegation overall than contrive a new pre-delegation spec. |
there is no delegation token, no relay tracking of pubkeys, there is no execution of conditionals nor make-believe scenario where executing this is a happy-path. Getting your key compromised is still a very bad thing and not part of a regular user's flow. NIP-26 and this are absolutely different in implementation and goal |
|
I can't think of a better way to do this, but I really don't like the waiting period. If the new key is not yet considered valid and may be an attack, but the old key is lost or compromised, that means the user is effectively temporarily banned from nostr, doesn't it? If so, I don't think this is an MVP, it would be an awful UX (not as bad as losing your key permanently, but still). I still think social recovery of some kind, or a name registry could improve this, but I'm not sure how. |
I don't see how whitelisting a key is any different than signing a delegation event. I would argue too that 26 should be done in middleware or client side as well. Provisioning a user with forward compromise in mind is good conceptually, but that could also be a nip26 a cold key similarly... Timestamping is a nice add and it's a good usecase, but it's unconvincing that this isn't part of a larger delegation discussion. |
The main difference is that, until a migration even is signed, the new key has no special attributes or significance, in fact, the new key does never really have any special significance, the migration event is just a hint to clients that they should follow a different pubkey, whereas in NIP-26, relays and clients must to a lot of heavy lifting to validate the conditionals of the token (and, more importantly, an increasing amount of heavy lifting). NIP-26 imposes a burden on relays to track these different delegation tokens, which, if it would have been widely adopted, it could have crippled relays significantly. Keep in mind that NIP-26 is meant to be used as a way to use multiple keys to signify the same identity concurrently |
I concede that this proposal is better for the stated usecase, and others. That being the case, I think it should be generalized for usecases that include following multiple keys, not just replacing a revoked one. |
Keep in mind that the waiting period is an absolute last resort; I don't want to muddy the waters further in this simple PR, but in the flow I have in mind I imagine clients allowing users to verify out of band that the migration event is not an attack, the verifying user could sign a kind:1 where the migration event is referenced and leverage a WoT in this way. The social migration in this sense leaks into this scheme organically. |
You're right I just didn't understand it like I thought I did! |
|
I am reading this again with a different perspective: Do we really need all these steps to simply notify followers that the author (or an attacker) of the key is migrating to a new key? This NIP is clear: Clients should present a message to the user and it's the user's responsibility, after evaluating the veracity of it, to decide to migrate or not. How would a user decide? I am assuming the person will look at other people's follows that might be closer to the person to see if they migrated first. It's a pure social trust decision tree. The rest of the NIP is not adding that much. Maybe that is what we must codify. A person publishes a key migration at any time, no need to sign/verify with OTS. Then the person reaches out to close friends he/she is following to update their follow list to the new key. When showing the key migration popup to non-so-close users, the popup should also bring folks who already shifted over to the new key that are close to the user. The bigger the movement, the more accurate it gets. There is no need to publish keys beforehand and there is no automatic migration. There is only a popup. If an attacker is successful in sending a key migration, neither the original key, nor the new key are safe. The user will have to create a third key and convince his friends to migrate to the third one. There is not much a cryptographic scheme can do in this case. Again, the secret for a successful migration is on the social graph, not on the cryptographic layers of a migration scheme. |
|
@vitorpamplona I agree with you that the client-side flow should leverage WoT and show users some evidence that the move is legit. That said, I still think it's important to have the OTS and pre-defined keys to help mitigate social engineering attacks. Otherwise, it's far too easy to trick a few of the person's followers into migrating over and then the weight of those few would likely cause everyone to migrate to the new key without doing much out of band verification. At least with OTS and pre-defined keys you're adding an extra line of defense for the owner of the key that an attacker would have to get through. |
The point of the NIP is not that message, that is to appease the "X days is too long of a time-window" argument (which I understand) -- the point of the NIP is the automatic migration when the migration event is not disputed. A lot of people who have leaked their keys already have an "OLD ACCOUNT, MIGRATED TO XXXX" on their kind:0, and yet they still have people following it. This manual action is not enough, particularly if the person stops writing from their old account, which they should if they key has been compromised and they want their followers to not be exposed to scams.
From an UX point-of-view, the key to a successful migration is that there is a migration; requesting a manual action from each individual user to update their follow lists is not enough imo, and this is a very simple, no-crazy cryptography involved way of having a fallback system to accomplish such thing. Like I said before, we'll probably end up with a few different approaches to accomplish this way of protecting your account and there is a place for social recovery, this scheme doesn't depend on that, it just mentions the feasibility of reducing the X-day time window. |
I am not sure if we should ever do automatic migration of a person's contact list. Especially when so many things can go wrong: like if the user doesn't have a previous key migration event, or if he/she doesn't act quickly enough, or if the user doesn't even notice somebody else is taking over their account because their client doesn't implement this NIP.
Yep, but only because we have not had a structured way to describe that in Nostr Events that can be parsed and displayed to the user. If that is all we want, we don't need the extra stuff.
Only for users that have a client that instructs them to create the I am specifically concerned about users who just leave Nostr and come back 6mo to a year later. They won't be using any client to watch out and react in the 30-day period. |
I think this is the crux of where we don't agree, I don't think that's a sensible tradeoff.
I asked around on nostr and pretty much everybody that responded said they would publish such a whitelisting event.
If they don't come to nostr for such a long time and their key is compromised and they didn't even find out about it then that key was probably worthless and they should start fresh 🤷♂️ |
What's the new line of attack? If you don't have control of the private key you can't publish any valid events, including 1776. If you do have control, then why bother? |
I saw it. My point is that people who didn't see your message wouldn't have created such a whitelisting event which would open them up for a separate attack that didn't exist until this PR arrived. If this was part of the Nostr protocol and EVERY client had to whitelist as soon as the user creates an account, that would be better. But that's not how Nostr works.
I would probably code this only until line 65. White-list and migration events are fine. The automated migration seems to create more problems the solutions right now. I would just ask the user if they want to migrate or not and just provide trust via social graph and the OTS verifications. But it would be the user's decision. Nothing changes without it. |
This would assume that their nsec is currently compromised, in which case they are already rekt. Say a user who hasn't used nostr in the past year but doesn't have their key compromised, they open a nostr app in one year and the app asks them if they want to setup a recovery key. In a way, is slightly similar to those "download backup 2fa codes" flows people are used to.
Not really, I think until there is something to protect, this backup key shouldn't be part of the onboard, but of course, that's up to apps to choose how they design this. I'm mainly thinking about how apps like Duolingo do it where they don't ask you to do any "progress saving flow" (like creating an account) until there is enough investment for the user to warrant jumping through any hoop. Again, this will probably be different on a per application basis.
At the end of the day, that's up to the user since it's their signature going on the kind:3 or 30000 and up to the application they're using to choose how to handle this. |
Correct. But one thing is to just be compromised. A very different thing is the attacker pretending to be the user, migrating all followers to a new profile, and shutting off the user from the new account. The first is bad ("just" impersonation), but the second is worse (stealing the account w/ followers). And users that didn't know this COULD happen will be really mad when it does happen.
But that's not what this PR is saying. The PR advocates automatically migrating after 60 days, with or without the knowledge of the user. |
|
We can change the PR to say the behavior is implementation-specific. A natural flow to me would be for clients to display a warning every now and then, or a fixed label somewhere on the screen, for the entire duration of the 60-day period. Having such a thing would force users to look before they are automatically migrated -- or force them to decide to migrate or not to the new key. This UX wouldn't be very different from the one we have today, in which an attacker can steal someone's key and start publishing notes every day saying: "this key is compromised, switch to my new account npub1..." -- pointing to an account controlled by the attacker. |
|
If there even is a solution to this problem, I don't know if this is the one. I see two potential issues here, both based around the idea of someone stealing a recovery kit: ComplexityThe first, and least, problem is unnecessary complexity. If a "recovery kit" includes the original timestamped I don't really know what value the GriefingThe second and more serious concern is that of griefing. If your recovery kit escapes containment, they can grief your entire set of followers and future followers forever by publishing If relays decide to expire individual Losing your recovery kit means you (and all of your followers) will always potentially be hounded by this for all time. New follower will get hassled, and you will always worry whether you're losing your social graph to scammers. This means if you lose your recovery kit to a scammer or griefer, you will eventually still have to move to a new key the old fashioned way. Now you have to keep two keys safe, not just one: You're main key and recovery kit. So you think, okay, I'll have a second, even more cold-stored recovery kit which is timestamped even earlier. Now you have three keys you have to keep secret and safe:
After all of this trouble and complexity and extra care, what you get is a system that still relies on social recovery: Someone messaging you to ask if a recovery is actually real. |
|
Couple of ideas. Recovery key recovery Social recovery |
|
What's the status of this one @pablof7z? Feel like we should merge some version of this to have it out there.... |
This NIP introduces a simple way in which a pubkey can migrate to by whitelisting a new pubkey ahead of time.
TL;DR:
Viewable here