Great question!
So if a user web account has been compromised, an attacker can tie the account to their Master Key by updating the corresponding identity commitment in the Credential Registry and use it generate proofs to bypass sybil checks.
To be honest, revocation scheme is something we still need to iron out, here’s our initial thoughts:
First, the registry should allow updates of a commitment for the same web account only on periodic basis (e.g. monthly), otherwise we will end up with two distinct nullifiers for the same web account or double use of the identity commitment in the same scope. (e.g. vote being counted twice in the same voting contract). As there’s no way to map nullifier to originating identity commitment, there’s also no way to prevent this double use if the identity commitment has been updated.
On the other hand, we think that web account verifications should have an expiration age similar to how identity docs (passports, driving licences) have an expiration date.
Now with that in mind, we have two scenarios:
-
Web account had NOT been added to the credential registry before it was compromised. In this case, the attacker can verify the web account and add it to the registry and use the credential to prove that they’re human in this period. The real user if he’s able to get access back to the account will have to wait until the verification expires to re-verify the account and add the identity commitment with the correct key.
-
Web account had been added to the credential registry before it was compromised. The attacker will not be able to update the identity commitment until it expires and user has the time to get the access to web account back until the verification expires.
By the way, the exact same logic applies if the user loses their Master Key and need to update it with a new one.
What do you think?