inkan's avatar
inkan dv@www.inkan.cc 1 month ago
Inkan enables you to revoke and replace key pairs when your private key has been lost or stolen. You can also perform periodic key rotations preemptively. You can do all this in a decentralized manner. That way Inkan gives you a permanent online identity that only you control, and that you can be confident you can keep over the long-term. For example 50 years. Inkan is open for testing and comment. Let me know if you'd like to try it out.
image image image image image image image image image

Replies (16)

inkan's avatar
inkan dv@www.inkan.cc 1 month ago
No, your existing keys won't become rotatable. Creating a rotatable identity involves a bit of ceremony. You'd have to use the "Inkan Management Utility" to create a master key pair and a chain of delegation. This should be done on an airgapped system to keep the identity secure. I personally like using Tails (
Tails - Home
 ) with networking and persistent storage disabled. Creating the identity also requires a bit of Ether. Before creating your own identity, it's a good idea to get a sense of how Inkan works. The best way to do this is to get on the allow list for accessing the identity features of the client. This will allow you to observe the existing permanent identities and the delegation / timestamp backup data that supports these identies. It's a prototype, but I've been using it for several months and it works ok for me so far. If you're interested in taking a look at the identity features, let me know and I can put your pubkey on the allow list.
1 replies ↓
inkan's avatar
inkan dv@www.inkan.cc 1 month ago
Thanks, I put your pubkey on the allow list. Here's a quick initial tour: 1. Log in with NIP-7 (e.g. nos2x etc.). 2. Do a quick check that you are connected to the backend. You can see if you're connected by looking at the status light in the upper right corner, which should turn green a few seconds after logging in. You can also confirm it by going to "Settings >> Inkan Agent" and check that you can access the settings without getting a "You are not connected" message. 3. Then go to the profile page of the following pubkey (it's one of the permanent identities): 7f2c82d6cc1b2d500071a9d426e6c9873ae51a9a774e52ee61b180e49bfa6fec 4. Look at the notes appearing on that pubkey's profile page. You'll see green "D"s on the avatars. Click on these green "D"s and read the explanations. Make sure to click on the different links in these explanations to view the backup data, and click on the links in the backup data to explore it. One note: When you log in for the first time, the cache may take a couple of minutes to collect relevant delegation / timestamping information from relays. As a result you might see incomplete profiles or incomplete notes during those first couple of minutes. Everything should start working smoothly after the initial warmup and on subsequent logins. See if you get a sense of what's going on. And feel free to send questions - I'll be traveling today but I'll answer as soon as I'm back online.
1 replies ↓
inkan's avatar
inkan dv@www.inkan.cc 1 month ago
It should also start displaying a full completed profile with avatar and banner pictures shortly after the initial login. I've only tested it logging in with nip-7 browser extensions using Chrome (nos2x) and Firefox (nos2fox) on my laptop. I don't know whether / how it works with other signers - I'd probably stick with browser extensions and a laptop or desktop. You can also find downloads for the management utility under Settings >> Inkan Management Utility when you are logged in. Let me know any questions ...
1 replies ↓
BaleNorge's avatar
BaleNorge BaleNorge@BitcoinNostr.com 1 month ago
I don’t know what the purpose of management utility has but I have already downloaded it so will be looking at it tomorrow. Maybe spend around 45 minutes if I don’t get into the rabbit hole of it still trying to comprehend what actually I’m going to achieve by doing this, I am not a highly immersive in cryptography. But very enthusiastic about learning .
1 replies ↓
inkan's avatar
inkan dv@www.inkan.cc 1 month ago
The management utility allows users to create (x) key pairs and (y) Ethereum transactions. The Ethereum transactions fall into three types, namely declarations of (i) delegation of signing authority, (ii) revocation of signing authority, and (iii) permanent invalidation of a key pair. The first type of transaction records in an Ethereum block a declaration in which key pair X says that it delegates signing authority to another key pair Y. The second type records in an Ethereum block a declaration in which key pair X says that it revokes signing authority from another key pair Y. The third type records in an Ethereum block a declaration in which key pair X says that it should from now on be treated as invalid, i.e. unable to enter into any further transactions in the future. After declarations of this kind have been recorded on Ethereum, the Inkan client then has the ability to fetch these declarations from Ethereum for key pairs the user has chosen to track. The client then uses the fetched declarations as a basis for calculating time periods during which a key pair delegated signing authority to another key pair. These delegation relationships can be both direct or indirect through chains of delegation (i.e. if key pair X directly delegates to key pair Y and key pair Y directly delegates to key pair Z, this will be interpreted by the client as key pair X indirectly delegating to key pair Z). You can see these calculated delegation relationships in the tables / backup data that is displayed by the client when you click on the green "D"s on the avatars. I'll leave it at this for now. There is more to be explained, but it may be better to do so in smaller chunks as one gets used to it. Please feel free to ask questions and I can further explain any part of Inkan that you're looking at.
inkan's avatar
inkan dv@www.inkan.cc 3 weeks ago
There is no official spec, but see below for some previous discussion and explanation of how it works. I think the best way to understand it is to log in and access the identity features of the client. This allows you to observe the existing permanent identities and click through the delegation / timestamp backup data that supports these identities. I think these backup data are sort of self-documenting. I've put your pubkey on the allow list for accessing the identity features of the client at
Inkan
A user-friendly Nostr client for exploring relay feeds
 The third note below includes an initial "tour guide" that helps one get started / oriented. If you're interested, please log in and take a look, or please feel free to comment or ask questions. I'm happy to explain or talk about any aspect of it. View quoted note → View quoted note →
inkan's avatar inkan
As to your questions: (1) Inkan is an identity layer that sits on top of Nostr. It's accurate to describe it as Nostr + Delegation. (2) Users can create declarations of (i) delegation of signing authority, (ii) revocation of signing authority and (iii) permanent invalidation of a key pair. These declarations are then recorded by the user on Ethereum. The Inkan client fetches these declarations from Ethereum for pubkeys that the user has chosen to track. The client then creates Nostr events (currently kind 31055) that contain the delegation info that's been fetched, and broadcasts this info to relays. Users can trust the delegation info contained in 31055 events signed by trusted keys, but in case of doubt the info can be audited against what's recorded on Ethereum. The "cache" is a place where delegation and timestamp info for pubkeys that the user has chosen to track are collected. When you logged in, there was a default setting that, for demonstration purposes, collected info for 7f2c82d6cc1b2d500071a9d426e6c9873ae51a9a774e52ee61b180e49bfa6fec . (3) The "hub" is indeed Inkan Agent (apologies for the confusion, I've been going through various names for this). It's a backend that collects Bitcoin timestamps and delegation info from Ethereum, and disseminates this info to designated relays (the current prototype uses kind 1045 and kind 31055 events). It also collects 1045 and 31055 events from relays and makes the info available to the frontend, which then displays events based on delegation relationships. (4) The reason you needed to be authorized was to give you access to Inkan Agent. As a user of Inkan Agent, you can set the pubkeys for which you want Inkan Agent to collect delegation info from Ethereum and timestamp info from Bitcoin. Inkan Agent then broadcasts this info to relays. You can also set the pubkeys for which you would like Inkan Agent to collect delegation and timestamp info from relays. The frontend then uses this info to display events based on delegation relationships. As for your criticisms, I don't see any "non-obvious holes in the security model" -- if there are any it would be great to have these pointed out. I suppose people might not like the use of Ethereum. It may be possible to use other blockchains. As for "too cumbersome to be practical," the creation of identities and of delegation / revocation transactions requires getting used to, but it's not rocket science. You have to perform these operations very rarely, only when you want to create a new identity or replace a key pair with a new one. It's kind of fun once you are used to it. There is complexity. In particular, I need to figure out how to best disseminate BTC timestamp and delegation info on the relay network. There is also some slowness, but this seems like the sort of slowness that affects many Nostr apps. I will need to address it. Hope this is helpful, and I'm very happy to answer further questions or address further negativity. Thanks for taking a look!
View quoted note →
inkan's avatar
inkan dv@www.inkan.cc 3 weeks ago
If the above explanations aren't sufficiently helpful, please feel free to let me know. If the product gets misunderstood due to my not explaining it properly, I'm not doing my job.
inkan's avatar
inkan dv@www.inkan.cc 3 weeks ago
You need some sort of blockchain. It doesn't have to be Ethereum, but it seemed easiest to implement it through a smart contract. In other words, I'm not especially wedded to Ethereum at all, I just needed a blockchain to implement a proof of concept. The reason you need a blockchain is that there has to be a decentralized and objective way of recording the *time* at which a pubkey delegates signing authority to another pubkey / revokes signing authority from another pubkey. That's what allows you to then create an objective historical record of the periods during which a pubkey delegated signing authority to other keys. So Ethereum is basically just being used as a timestamping system. Incidentally, Inkan also timetamps individual events on Bitcoin using OpenTimestamps. But the recording of delegation / revocation declarations is a little more complicated than the recording of regular events - it may be possible to do it on Bitcoin, but I haven't figured out how. Once you have both (i) timestamped delegation and revocation declarations and (ii) timestamps for individual events recorded on blockchains, that gives you all the raw materials to implement the following basic idea: If an event was signed by key pair Y at a time at which key pair X delegated signing authority to key pair Y, then the event is attributed to key pair X. That's what Inkan does.
inkan's avatar
inkan dv@www.inkan.cc 3 weeks ago
Yes, you may be thinking of OpenTimestamps. And Inkan does in fact use OpenTimestamps to timestamp individual Nostr events on Bitcoin. Inkan only works when there is proof that a signed version of an event existed as of some particular time, and this proof is provided through BTC timestamping using OpenTimestamps. However, the declarations of "delegation of signing authority" and "revocation of signing authority" that I mentioned also need to be timestamped. Unlike in the case of regular Nostr events, this timestamping needs to be done in a manner that allows you to later retrieve the substantive content of the declaration by querying the blockchain. Bitcoin timestamping does not allow for this, at least not in any straightforward way, because what's actually recorded on Bitcoin is a *hash* that is the root of a Merkle tree. And you can't extract the content of the timestamped items from that hash. Ethereum, on the other hand, has easy mechanisms for recording these "delegations of signing authority" and "revocations of signing authority" in a manner that makes their content queriable / retrievable. So in both cases, the ultimate purpose of using blockchains is to provide timestamps. The reason Ethereum is used for delegation and revocation declarations is that Ethereum provides straightforward methods for retrieving the content of these declarations from the chain.
inkan's avatar
inkan dv@www.inkan.cc 3 weeks ago
Also if you'd ever like to take a closer look, please feel free to log in and poke around. I've put your pubkey on the allow list for the identity features, so you should be able to access these. For an initial "tour guide" please see below:
inkan's avatar inkan
Thanks, I put your pubkey on the allow list. Here's a quick initial tour: 1. Log in with NIP-7 (e.g. nos2x etc.). 2. Do a quick check that you are connected to the backend. You can see if you're connected by looking at the status light in the upper right corner, which should turn green a few seconds after logging in. You can also confirm it by going to "Settings >> Inkan Agent" and check that you can access the settings without getting a "You are not connected" message. 3. Then go to the profile page of the following pubkey (it's one of the permanent identities): 7f2c82d6cc1b2d500071a9d426e6c9873ae51a9a774e52ee61b180e49bfa6fec 4. Look at the notes appearing on that pubkey's profile page. You'll see green "D"s on the avatars. Click on these green "D"s and read the explanations. Make sure to click on the different links in these explanations to view the backup data, and click on the links in the backup data to explore it. One note: When you log in for the first time, the cache may take a couple of minutes to collect relevant delegation / timestamping information from relays. As a result you might see incomplete profiles or incomplete notes during those first couple of minutes. Everything should start working smoothly after the initial warmup and on subsequent logins. See if you get a sense of what's going on. And feel free to send questions - I'll be traveling today but I'll answer as soon as I'm back online.
View quoted note →
inkan's avatar
inkan dv@www.inkan.cc 3 weeks ago
Yes, I had a terrible time trying to get ETH for testing. I actually don't have any especially good way of getting BTC either. Other people seem to have better channels for acquiring cryptocurrency. When they talk about it, I always sort of wonder where they are getting it from.
1 replies ↓
inkan's avatar
inkan dv@www.inkan.cc 3 weeks ago
Same here. There are minimum holding periods before I can move crypto I have purchased to self-custody. It's not really a problem in principle with the small amounts I'm transacting in, but there are counterparty / clearing risks that would bug me with larger amounts. Also it's annoying that I can't just buy it and use it right away. I guess I should just make sure to always keep some at hand for everyday use. Just a matter of getting organized.
1 replies ↓