Known Issue?


#1

OK to start with, I am really impressed with what I see here. After finally getting my username squared away, I am looking over the transactions in Blockstack, which looks amazing, BTW:
https://explorer.blockstack.org/nameops/530363

But then also on a non-Blockstack explorer:
https://www.blocktrail.com/BTC/tx/8616462dd337f49a6702acd9147a4a6e00f1b28432b5084389c5465315ff866b

It appears that my username is in full view, which seems to be a bit of a surprise. Is this a known issue?

Also, is this ID under my control? Or is this in Blockstack’s custody? Any resources around this would be greatly appreciated.

Keep up the amazing work here!


#2

Hi @Mike-EEE,

It appears that my username is in full view, which seems to be a bit of a surprise. Is this a known issue?

This is intentional. The name should be visible in the Bitcoin blockchain, so anyone can use a vanilla block explorer to verify the ownership of your name. Your name is a pointer to your public key; it needs to be public to be useful :wink:

Also, is this ID under my control? Or is this in Blockstack’s custody? Any resources around this would be greatly appreciated.

The ID is definitely under your control. Only the owner of the private key that registered the name can update or transfer the name. The private key is generated in your Browser, and is never exposed to the outside world (however, the onboarding step will email you an encrypted copy so you can recover it with your password if need be).

Details on the design of the naming system can be found here.


#3

Great… thank you @jude for the information! It is much appreciated.

Going back to my email, I do see that I was sent the private key with the 12 keywords? If that is the case, that removes one of the questions.

However, I am still a little confused on what you mean by pointer to my public key. In that transaction, the public key is already public isn’t it? Or do you mean the public key to my identity? I guess I should read that article FIRST and then pester you with questions. :wink: I will study it and then follow up with any additional questions I might have. Thanks again for your assistance!


#4

Alright @jude I have taken a look at that document. Thank you again for your time in sharing your knowledge and providing me this resource. It is very informative, well-written, and impressive. I am not saying this in regards to the scope and structure, but in vision. Hats off to everyone there for putting this together.

Also, I have to say that as someone who has a bit of a historical addiction to domain name registrations (seriously, it’s a problem LOL), this is especially appealing to me. :wink:

So if I understand correctly, it would seem that the reason my username is publicly exposed is to adhere to the DID?

EDIT: Turns out my concern here is in the wire format.

This does make sense and I understand this aspect, but (:slight_smile:) I want to be clear in my concern here. It might be due to my newfound interest in the technical workings of blockchains and I could be suffering from ill-conceived notions as I have not entirely grokked this subject yet, so I appreciate any further patience you can lend in this regard.

It would seem to me that some information is not readily available to the user from a “vanilla” explorer, as you called it, but the user name is. Even if this is to adhere to a standard, it seems incongruent with the nature of blockchain which is intended (from what I understand) to be anonymous. That’s the primary concern.

The secondary concerns stem from the primary, of course. If someone can see the id, they know without much work that:

  1. This is a blockstack message (or at least, a message used by blockstack).
  2. This is a blockstack message about a blockstack user.
  3. This message can be used to build an intelligence profile around this information, for whatever purpose (and it’s usually not for a good thing).

Further, this party knows that since blockstack exposes this information in a public manner for this aspect of their system, that there must be other aspects of the blockstack system that also provides additional, exposed information that could in turn lead to other vectors of interest, intelligence gathering, and possible attack.

Additionally, I would tend to think that if another service could build a similar offering that does not expose such information in a publicly accessible way, it would gain more interest and subsequent traction in the marketplace in comparison to blockstack’s offering, as it would protect the customer information that is enrolled in it (and therefore circumvent the concerns outlined above and more).

I hope that helps clarify my concern here and makes sense to you. Again, my (mis)understanding here could be completely due to my newb status, but my concern was the same as before when I mentioned it. Reading the very commendable document you provided seems to explain the use of it, but does not seem to explain away the concern I have on why it is used in a way that offers exposure to potential nefarious tracers and parties.

Please feel free to let me know what I have fundamentally misunderstood here and/or to correct what I have misunderstood, which, incidentally, has been the story of my life lately. :joy:


#5

Even if this is to adhere to a standard, it seems incongruent with the nature of blockchain which is intended (from what I understand) to be anonymous.

Just the opposite. Blockchains are designed from the get-go to be completely, 100% public. This is because each peer needs to be able to process and replay its transaction history. Even systems like zcash do not provide “true” anonymity—your peer still has to validate and process each private transaction ever sent, even if the zk-SNARK construction ensures you can’t determine the sender, recipient, or content.

Additionally, I would tend to think that if another service could build a similar offering that does not expose such information in a publicly accessible way, it would gain more interest and subsequent traction in the marketplace in comparison to blockstack’s offering, as it would protect the customer information that is enrolled in it (and therefore circumvent the concerns outlined above and more).

The data you store with Blockstack applications is encrypted and authenticated end-to-end, so only you and the intended recipients can authenticate and decrypt it. But in order to do this, the intended recipient(s) need your public key (which by definition must be publicly available in order to be useful). The blockchain makes everyone’s keys available for this purpose.

but does not seem to explain away the concern I have on why it is used in a way that offers exposure to potential nefarious tracers and parties.

Blockstack can’t stop your ISP from watching what you do online :wink: That’s just the nature of the beast when it comes to interacting with computer networks.


#6

Indeed, perhaps I was not specific enough in what I was stating. BTC/blockchain’s intent was to be a public channel for anonymous peer-to-peer payments. As a nice side product via the OP_RETURN mechanism, the same can be accomplished with communication and/or association with data that could be stored and retrieved from that chain. blockstack does a fantastic job accomplishing all of this IMO except for this one wrinkle that I am trying to elucidate here.

To start, I think there is a miscommunication here on my side and certainly a misunderstanding between us in what we’re discussing. You are consistently referencing a “public key” which I understand to be 03fd377dd989276a7304bed0b652429ce1cd3a7f3d1e7e3e964478305d4dec996b from the transaction above. I am in complete agreement and understanding with you here in regards to the requirement of this being “public” (hence the name, as you indeed stated :laughing:) and in full view.

What I am referencing in my topic of concern is, instead, within the OP_RETURN. Specifically, my concern is in the id:mike_eee.idÞÿ|ûO®ÛʼnƒÓ¶ùô/? that is in this payload which places my nickname in full view of anyone reading transactions that are being placed on this public, BTC blockchain. To me, you might as well put my street address as it is approximately the same infraction from a security concern.

From my perspective, this is PII and at the very least should be scrambled with the other data that is in this payload. Not only would it protect my name from plain view, it would also reduce the total size of the payload if I am not mistaken.

It is one thing to store this in a publicly available and accessible way on blockstack’s system, as this is what I as a customer expect in regards to loading (or even viewing) my profile, etc. But here on the public BTC blockchain you have exposed both myself and your system to unnecessary attention and potential subsequent, previously-listed repercussions.

I hope that helps provide a little more context and information from my perspective. Please continue to let me know what you feel I have misunderstood here. I appreciate the dialogue, @jude!
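As an added example (not code from this thread or from Blockstack itself), here is a small Python parser that splits an OP_RETURN payload like the one quoted in post #6 into its parts, which shows why a vanilla explorer renders the name in clear text and the bytes after it as garbage. The "id" magic bytes and the opcode table are assumptions based on the "id:" prefix shown above, and the sample script is constructed with a placeholder hash, not taken from the real transaction.

```python
import re

# Blockstack name-operation opcodes, assumed from the "id:" prefix quoted in
# the thread (magic bytes "id" followed by a one-byte opcode); table is an assumption.
OPCODES = {b"?": "NAME_PREORDER", b":": "NAME_REGISTRATION", b"+": "NAME_UPDATE",
           b">": "NAME_TRANSFER", b"~": "NAME_REVOKE"}
# Heuristic: a plaintext name looks like "label.namespace" in lowercase ASCII.
NAME_RE = re.compile(rb"^[a-z0-9_+\-]{1,30}\.[a-z0-9_+\-]{1,6}")


def op_return_payload(script: bytes) -> bytes:
    """Return the bytes pushed after OP_RETURN (direct push or OP_PUSHDATA1)."""
    if len(script) < 2 or script[0] != 0x6A:
        raise ValueError("not an OP_RETURN script")
    if 1 <= script[1] <= 75:
        size, start = script[1], 2
    elif script[1] == 0x4C and len(script) > 2:  # OP_PUSHDATA1
        size, start = script[2], 3
    else:
        raise ValueError("unsupported push opcode")
    data = script[start:start + size]
    if len(data) != size:
        raise ValueError("truncated push")
    return data


def parse_blockstack_op(script: bytes) -> dict:
    """Split a Blockstack OP_RETURN into opcode, any plaintext name, and trailing bytes."""
    data = op_return_payload(script)
    if len(data) < 3 or data[:2] != b"id":
        raise ValueError("no 'id' magic; not a Blockstack name operation")
    op = OPCODES.get(data[2:3])
    if op is None:
        raise ValueError(f"unknown opcode {data[2:3]!r}")
    body = data[3:]
    match = NAME_RE.match(body)
    name = match.group(0).decode("ascii") if match else None
    trailing = body[match.end():] if match else body
    # The trailing bytes (e.g. a 20-byte hash) are what an explorer shows as garbage.
    return {"op": op, "name": name, "trailing_hex": trailing.hex()}


def build_registration_script(name: str, value_hash: bytes) -> bytes:
    """Constructed registration script: OP_RETURN <push> "id:" + name + value_hash."""
    payload = b"id:" + name.encode("ascii") + value_hash
    return bytes([0x6A, len(payload)]) + payload


# Constructed sample, not the real transaction: placeholder hash bytes 0x00..0x13.
SAMPLE_SCRIPT = build_registration_script("mike_eee.id", bytes(range(20)))
```

Running `parse_blockstack_op(SAMPLE_SCRIPT)` returns the name `mike_eee.id` in clear alongside the hex of the trailing bytes, which is exactly the split a block explorer's text rendering exposes.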