@dalias @erincandescent @mcc Do you have a more detailed write up somewhere I can read? If it’s impossible to sell identities, isn’t it also impossible for me to prove that I successfully regained control of my account after a potential compromise (which is effectively a transfer)?
More importantly, what if I initially signed up using an easy hosted service. Let's say it's managed by Bluesky PBC. A few months later, I become more knowledgeable and decide to manage my own keys. Unfortunately, I have no way to prove that Bluesky PBC actually transferred my account to me. They could have secret unpublished recovery policies just like any potential seller could. Call me an idiot for ever trusting them, but now I have to start over with a new account just because I was ignorant about key management (average person) when I first created it.
Even if I manage my own keys from the start, if I ever decide my device may have been compromised at the time of creation, my account is useless because an attacker may have created a secret policy before I created one of my own. In this case, I'm effectively an account buyer, and the attacker can steal it "back" from me whenever.
I'm not remotely knowledgeable about this subject, but it seems to me that an important (the important?) part of a rotation mechanism is that I can move forward with peace of mind no matter how much I screwed up security in the past. Correct me if I'm wrong.
I think the above is better explained, but I also tried to make up two scenarios in case I was unclear.
Scenario 1:
1. I have reason to suspect that all my secrets have been exposed. Out of caution, my assumption is full compromise including keys and any unpublished earlier-notarized records I may have stashed. (If I could keep the pre-notarized records secure, I could just as well have kept a special recovery key secure). No worries, though. This is why we’ve built a rotation mechanism
2. The idea here is that I will rotate keys before the attacker does anything and go on my merry way confident in my security. Let’s say I succeed at this. I have new keys, and several years pass.
3. Unbeknownst to me, the attacker actually got there first before I completed step 2. Several years later, they publish their secret earlier notarized rotation. Suddenly and unexpectedly, I lose the account I spent several years confidently using.
It seems like preventing ownership transfer necessarily means I can’t prove that I’ve regained control over my own account (which is sort of a transfer back to me). I need some way to lock out someone who I assume may have stolen all my secrets. If I can do that, what stops me from transferring control of my account to a buyer? (See below for a scenario where an attack forces me to give up my ability to steal back control, but I still can't prove it to a potential buyer)
Or is the idea is that the recovery policy would specify that the "earliest *published* rotation" wins rather than the "earliest *notarized* rotation"? But doesn't that kinda violate the no-ledger goal?
Scenario 2:
1. I create an account. I create two recovery policies, both of which specify the "earliest published" policy for future key rotations. I keep the earlier-notarized one private because I want to be able to fraudulently sell my account and steal it back.
2. An attacker steals all my secrets and notarizes a rotation. They use the private, earliest-notarized policy. At this point, they don't publish.
3. I rotate my keys. Since the attacker may have both policies, I'm forced to publish and exercise the earliest policy in my possession.
4. The attacker tries to steal my account. By notarization date, they would win. However, because I published first, I win. The takeover fails.
5. I try to sell my account. In reality, I don't have any way to steal it back. (If I did, so would the attacker. I'm assuming they stole everything.). However, I have no way to prove this to a buyer. For all the buyer knows, I could have a secret third policy.