Oddbean new post about | logout
Vitor Pamplona | 9 months ago (raw) | root | parent | reply | flag 
 DIDs allow you to remove the key from the host which invalidates all your past signed documents because no one can verify them anymore. 

So, it's not really a key rotation, but a key expiration. You lose all your data regardless. It's similar to moveing to a new key in Nostr.
frphank | 9 months ago (raw) | root | parent | reply | flag +1 
 Hm really. Are you sure you're talking about the did:plc variant not did:web variant?? A quick read of this https://github.com/did-method-plc/did-method-plc?tab=readme-ov-file doesn't reveal how it's tied to a host.
Vitor Pamplona | 9 months ago (raw) | root | parent | reply | flag +3 
 The difference is that they keep the last 5 keys in the rotationKeys property of the did document instead of deleting them. Which means people can still validate the past, but only the last 5 keys. 

In any case, they don't resign the past with a new key. So, at somepoint your old data disappears. If your past key has leaked, you should not keep it in the rotation set otherwise other people can create valid events under your key's name.
frphank | 9 months ago (raw) | root | parent | reply | flag 
 Right.

You might not want events from the past to have valid signatures in the first place. This relates to the whole "deletion" debate and the "boosting/reposting" debate.

I think the logical thing is for events to have an expiry date attached to them, set by the user when signing. Viewing how short-lived conversations are defacto right now since they just "scroll off the edge off the scren" anyways and 3 days later no one remembers what you said anyways that's just making it official. If you want your note to keep living, you'll have to repost/boost it and it gets a new expiry date. Client will have to provide UIs to maybe automate this client side for the author and provide the reader with clues as to what's reposted vs. genuinely new.

If you regret writing something well just don't renew it and it'll lapse and there's your deletion.
frphank | 9 months ago (raw) | root | parent | reply | flag +1 
 I call this whole idea "social media for grown-ups". You can't have sophisticated, long-term discussions if stuff just scrolls off the edge of the screen. The presentation encourages LOL WTF FOO BAR!! type posts, spur of the moment outbursts of emotion and nothing else.

GitHub issues are a reasonably good example of "social media for grown-ups". That. Can you do that but decentralized.
Vitor Pamplona | 9 months ago (raw) | root | parent | reply | flag 
 That's all fine. We can't do that in Nostr, but you can with DIDs. I don't think it solves much, but it is better than what we have today for sure. 

In Nostr, because the key is always present at the event, there is no way to disallow somebody to verify. But you can say that your key has leaked. And from that moment, no one can have any assurances if past posts were signed by the author or by an attacker. It's kinda what you do with DIDs, since people can also store the keys behind the DIDs in their own computers. 

So, in a way, with DIDs or not, people can always verify. DIDs have a way to do it in the spec. Nostr doesnt yet. But in the end, the tech stack can only go so far.