planetary-ios
Design for Private Key Backup: Revive options for backup of identity keys and make backup on by default
See also #285
I did some research today and here's what I've found:
- I can't find any code or commits that actually back up a user's secret key to iCloud. There is an onboarding step that asks the user about backing up to iCloud and records their preference, but the preference doesn't appear to be read.
- It looks like we are saving the user's secret key in the keychain with the `accessibleAfterFirstUnlock`. This means it will be saved in encrypted backups (backups to a Mac) but not iCloud backups.
We have to decide what sort of user experience we want here. Here are some options that I see:
- We could follow the lead of other cypher/crypto apps and put the responsibility on the user to back up their key. This is usually in the form of an onboarding step that forces the user to copy the key (or a recovery phrase) before moving on. Manyverse does this.
- We could change the keychain attributes so that the secret is stored in iCloud Keychain. This has two problems: 1) we can't tell if the user has iCloud Keychain toggled on or not, and 2) we would need to build UI to warn about forks. Because iCloud Keychain is synced across all devices a fork could occur if the user set up Planetary on a new device and then posted from the old device. There is no foolproof way to verify that the user has deleted Planetary on the old device.
- We could offer to store the user's private key on a Planetary server. This gives Planetary full control over the user's identity and breaks a lot of the promises SSB makes to users 👎. Moreover, to recover their key from our servers we would need to authenticate them somehow, which makes this no better than the first option.
- The pie in the sky option: someday we should allow the user to back up their key to their friends' devices using Shamir's Secret Sharing.
I lean towards #1 for the short term. #4 would be great to do someday. Thoughts? @rabble @martindsq @Chardot
(Looks like we already have a ticket for mnemonic keys aka recovery phrases to match Manyverse here: #224)
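The keychain attributes discussed in the comment above (current `accessibleAfterFirstUnlock` storage versus the iCloud Keychain option) can be made explicit and audited in code. This is an added example, not Planetary's code and not part of the original thread; the `service` and `account` names and the `KeyPlacement` enum are hypothetical.

```swift
import Foundation
import Security

// Hypothetical identifiers for this example; not Planetary's real keychain names.
let service = "example.ssb.identity"
let account = "secret-key"

enum KeyPlacement {
    case encryptedBackups  // migrates to a new device via encrypted backups
    case thisDeviceOnly    // does not migrate to another device
    case iCloudKeychain    // synced to all of the user's devices (fork risk)
}

func storeSecret(_ secret: Data, placement: KeyPlacement) -> OSStatus {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
    ]
    switch placement {
    case .encryptedBackups:
        query[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
    case .thisDeviceOnly:
        query[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    case .iCloudKeychain:
        query[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
        query[kSecAttrSynchronizable as String] = true
    }
    return SecItemAdd(query as CFDictionary, nil)
}

// Reads back how the stored key is actually protected, so the backup/sync behaviour can be verified.
func auditSecret() -> (deviceOnly: Bool, synchronizable: Bool)? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrSynchronizable as String: kSecAttrSynchronizableAny, // match synced and local items
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let attrs = result as? [String: Any] else { return nil }
    let sync = (attrs[kSecAttrSynchronizable as String] as? NSNumber)?.boolValue ?? false
    let accessible = attrs[kSecAttrAccessible as String] as? String
    return (accessible == (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly as String), sync)
}
```

`auditSecret()` reports only how the item is flagged; as the comment notes, the app cannot tell from this whether the user has iCloud Keychain switched on.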
It seems that the easiest approach for now is to implement option 1, and anything else we could do in the future will be in addition to this. I'll start wireframing a UI for it 👍
My understanding is that we did build some features around forked feeds where if you install an app and have no content but an existing feed then it looks at pubs for sequence numbers and won't let you write until you've got it synced. That code might have broken or been disabled but I'm pretty sure it existed.
Manyverse has a private key to words system which we need to investigate and support.
@boreq wrote: https://github.com/boreq/friendlyhash