
> If you think about it, this is also true for web3 — true enough that it's broken.

You absolutely cannot fake a message being cryptographically signed without providing a broken verification function.

> We don't live in a world where you can't take things from people, etc.

The half glass empty approach is one method. The other method is to review the primitives we have in place today and explore different permutations that allow us to route around our adversities. That's the Hacker way. Of course, we do it with code.

> Ultimately, society works because we don't really need ironclad guarantees like that.

The society you live in is very different from mine. Fraud and impersonation are real. [1]

[1] https://www.theverge.com/2016/11/23/13739026/reddit-ceo-stev...




> You absolutely cannot fake a message being cryptographically signed without providing a broken verification function.

How about by obtaining the private key?


Pretty much all of security relies on the user not giving out their passwords or secret keys. Imho it's an implicit assumption when talking about identity and security. If we break that assumption, nothing in the world is secure, and any discussion about security becomes pointless.


In security contexts, you have to make your claims carefully and explicitly. Assumptions don't play nicely there.

And getting access to private keys can happen by means other than the user volunteering them.


Between "there's no guarantee that the message viewed by a user was actually written by the poster" and "You absolutely cannot fake a message being cryptographically signed without providing a broken verification function" you moved the goalposts so hard it gave me whiplash and I'm afraid I can't continue this discussion due to my concussion.


> Between "there's no guarantee that the message viewed by a user was actually written by the poster" and "You absolutely cannot fake a message being cryptographically signed without providing a broken verification function" you moved the goalposts so hard it gave me whiplash and I'm afraid I can't continue this discussion due to my concussion.

I think it might be wise to review what signing means to understand that I didn't "move the goalposts" at all [1], but thanks for the discussion, as I merit it will help a lot of people to better understand the power of cryptography as I'm guessing it's a new field here as of yet.

Happy New Year!

[1] https://en.wikipedia.org/wiki/Digital_signature


No, they're absolutely right. You can steal a person's computer. You can get them drunk and ask them to hand over their keys. There are a dozen ways off the top of my head that you can have a message that's not written by the supposed poster without a broken cryptographic function.

As always, there's a relevant XKCD https://xkcd.com/538/


This is solved with key management and security as opposed to with the fact on whether or not the technology has merit. Now, we're really moving goalposts. ;)


Sure, but you're ignoring flaws in the security to make a stronger marketing message for your site. Yes, there is nothing you can do about this, it's not under your purview. But nevertheless you can't make so strong a claim as to say that a message can't be faked without a broken verification function. It simply can't be faked in one particular way.

If Person B published a message under Person A's name, that is, to the non-crypto world, a faked post. They're not going to be impressed by your argument that actually it isn't faked, it's real, Person B just had access to Person A's computer.


Again, this is a security issue and doesn't in any way reduce the proven efficacy of cryptography. It's pedantic at best, and I am going to stop replying to your comments.

Happy new year.


That's fine, I'm not looking to debate, I'm trying to help. You're here presumably looking for input on your new project, but you're not taking any of it, and getting very defensive whenever anyone offers anything other than praise.

I'm not making a comment out of pedantry, I'm telling you how I expect this is going to be seen by regular users. People on the whole are not interested in whether or not some particular security system is theoretically perfect, they're interested in whether or not it actually provides the security that they interpret it to promise. And they will interpret your claims as meaning that messages cannot come from anyone other than the signed user, which is going to be a problem the first time that assumption fails. And it will fail, because people aren't good at keeping secrets secret.


I don't see goalposts being moved. It seems like your base assumptions are just different from most people. Most discussions about security assume that users are taking care of their passwords and private keys, and talk about how secure a system is _given_ that assumption. If we start assuming that stealing computers and getting people drunk to steal passwords is reasonable, then there would be no point to any of the security measures on the web.



