Working on protocol v0.2, I was thinking about identity management and realized that the replayability rule was not really interesting, and maybe we should just remove it, for two reasons:
- it can be easily circumvented
- the distance rule already has non-replayability properties
The current rule
What is this rule exactly? It’s rather simple:
A certifier X who certified an individual Y cannot make a similar certification before waiting at least [sigDelay] seconds.
Understand: if I certify X today, I won’t be able to certify him again before 5 years, for example.
The rule is there to prevent the same member from always being certified by the same people, continuously. Otherwise it could lead to fake accounts that could live on without ever having to justify their existence to other people.
But thinking about it, it’s easy to bypass this rule: if we create another account, then the rule won’t apply to it. We can ask the same people to certify us again. Easy.
Really so easy?
You might already have noticed that this picture is incomplete: we are missing the distance rule. So what was wrong in our example?
Say we created I1 at $t$. We were certified by a set of people: let’s call them P1. These certifications were enough to match all the rules, including the distance rule.
What happens at $t+1$ when we create the other identity I2? We get the same certifications, bypassing the non-replayability rule. Is it enough? That’s not certain.
The Web of Trust probably changed
Depending on the time elapsed between $t$ and $t+1$, the WoT might have changed a lot, because some people are gone and some people joined. Maybe the distance rule won’t be satisfied anymore at that moment.
So maybe our certifications at $t$ are no longer enough to become a member. Also, we are not sure the people of P1 will agree to certify our new account, given that they signed the first one.
Web of Trust is a wheel
If we consider this property of the WoT to be like a wheel where people are constantly changing (deaths, births), then we already have our rotation in the required certifications.
So in the end, the non-replayability rule can simply be removed.
What’s your opinion about this?
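To make the argument above concrete, here is an added example (not code from the protocol or from the post's author) that models the two rules in a few lines of Python. The sigDelay check is the rule described in the post; the "only certifications from people who are still members count" check is a deliberately simplified stand-in for the distance rule, an assumption made here to show the wheel effect, and the P1 membership dates and timestamps are constructed.

```python
from dataclasses import dataclass

YEAR = 365 * 24 * 3600  # seconds, constructed for the scenario


@dataclass(frozen=True)
class Certification:
    certifier: str
    certified: str
    timestamp: int  # seconds since an arbitrary epoch (constructed)


def violates_sig_delay(history, cert, sig_delay):
    """Replayability rule from the post: the same certifier may not certify
    the same identity again until sig_delay seconds have passed."""
    return any(c.certifier == cert.certifier and c.certified == cert.certified
               and 0 <= cert.timestamp - c.timestamp < sig_delay
               for c in history)


def active_certifications(certs, member_until, now):
    """Simplified stand-in (assumption) for the distance rule: only
    certifications whose certifier is still a member at `now` count."""
    return [c for c in certs if member_until.get(c.certifier, 0) > now]


def can_join(certs, member_until, now, sig_min):
    return len(active_certifications(certs, member_until, now)) >= sig_min


# Constructed scenario: P1 certifies I1 at t; C's membership lapses later.
SIG_DELAY, SIG_MIN, T = 5 * YEAR, 3, 0
P1 = ["A", "B", "C"]
member_until = {"A": 10 * YEAR, "B": 10 * YEAR, "C": int(1.5 * YEAR)}
history = [Certification(p, "I1", T) for p in P1]


def recertify_i1_blocked(now=T + 2 * YEAR):
    """A certifying I1 again at t+1 is refused by sigDelay."""
    return violates_sig_delay(history, Certification("A", "I1", now), SIG_DELAY)


def i2_bypasses_sig_delay(now=T + 2 * YEAR):
    """A fresh identity I2 is never caught by sigDelay, as the post says."""
    return not any(violates_sig_delay(history, Certification(p, "I2", now),
                                      SIG_DELAY) for p in P1)


def i2_can_join(now=T + 2 * YEAR):
    """...but the WoT rotated: C left, so P1 no longer suffices for I2."""
    certs = [Certification(p, "I2", now) for p in P1]
    return can_join(certs, member_until, now, SIG_MIN)
```

Running the three functions gives `True`, `True`, `False`: the replay of I1 is blocked, the new identity I2 sidesteps sigDelay, and I2 still fails because one of P1 is no longer a member.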