#183 [Feature] Add Keybase Integration to Harmony protocol
Problem: The existing method for uploading a validator image to the Staking Dashboard is cumbersome. (Github repo + pull requests)
Proposed Solution: Use Keybase PGP keys & the CLI to verify uploaded pictures.
Impersonation of other validators.
Anyone can upload an image to the Github repo without proving ownership of the validator address, maliciously changing someone else's validator image or using someone else's image to impersonate them.
Validators set their "identity" field to their Keybase public key fingerprint. The Staking Dashboard can query for their Keybase user & by default use their uploaded Keybase profile picture as their validator icon on the Staking Dashboard.
This solves the cumbersome validator logo upload process. Additionally, the Staking Dashboard can also display the link to the Keybase profile, which delegators & other users can use to check the identity of the validator. The Keybase account can also be used to provide contact between the validator & their delegators.
Since the "identity" field of each validator must be unique, no one else will be able to use the same Keybase PGP key to impersonate a validator. However, if a validator's PGP key was "stolen" by another validator in the "identity" field, they will have to replace their existing Keybase public key, if they wish to use Keybase for their validator.
This is already being used by developers for Cosmos block explorers. Keybase-associated validators can be helpful for other developers/partners as well for external dashboards images & other integrations.
Implementation of this should be simple using the Keybase user lookup API. The returned data includes a link to the profile picture of the account.
This could be a bounty, but this is a fairly small task.
In researching the simple solution for Keybase integration, there are some other ways we can utilize Keybase for identity proofs.
Keybase allows custom websites to integrate with their account proofs, which we can use to allow users to connect their Keybase profile with their ONE address.
Deploy a smart contract where users can send a transaction with their Keybase proof message & integrate the smart contract data on a hmny.io domain or even our main harmony.one webpage.
The Staking Dashboard can also hook into this Keybase verification & display "green verification check marks" for Keybase users with valid identity proofs.
This could be proposed as a bounty, but if we want to use this as "Harmony verified"; it would be better to be handled by the internal team.
Keybase allows users to set a Bitcoin & ZCash address on their profile. The business team should reach out to them & try to get them to list ONE addresses as well.
This does not necessarily provide any security, as the address is not a proof, but would be good exposure. This is also not really a solution, but would be something nice to have. Also, not sure if we have already tried to reach out to Keybase.
- Are there additional concerns with security with either idea?
- Is it worth putting either of these two solutions as a bounty?
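
The lookup step proposed above, sketched as an added example (not part of the original issue and not Harmony's or Keybase's code): it turns a validator's "identity" fingerprint into an icon and profile link, and re-checks the returned key locally before trusting the picture. The endpoint query, the response field names, the image-host allowlist, the username pattern and all function names are assumptions made for illustration; the sample response is constructed.

```javascript
// Added example: map a validator "identity" (Keybase PGP fingerprint) to an icon URL.
// Response field names are assumptions about the lookup JSON, not taken from the issue.
const LOOKUP = "https://keybase.io/_/api/1.0/user/lookup.json";
// Assumed allowlist of hosts the dashboard is willing to load images from.
const IMAGE_HOSTS = new Set(["keybase.io", "s3.amazonaws.com"]);

// Accept only a full 160-bit fingerprint (40 hex chars), not a short key ID.
function normalizeFingerprint(identity) {
  const fp = String(identity).replace(/\s+/g, "").toLowerCase();
  return /^[0-9a-f]{40}$/.test(fp) ? fp : null;
}

function buildLookupUrl(fp) {
  return `${LOOKUP}?key_fingerprint=${fp}&fields=basics,pictures,public_keys`;
}

// Returns { username, profileUrl, iconUrl } or null (caller shows a default icon).
function resolveValidatorIcon(identity, body) {
  const fp = normalizeFingerprint(identity);
  if (!fp || !body || !body.status || body.status.code !== 0) return null;
  const users = Array.isArray(body.them) ? body.them.filter(Boolean) : [];
  if (users.length !== 1) return null; // no match, or an ambiguous match
  const user = users[0];
  // Re-check the key locally instead of trusting the server-side filter.
  const primary = user.public_keys && user.public_keys.primary;
  const got = primary && normalizeFingerprint(primary.key_fingerprint);
  if (got !== fp) return null;
  const username = user.basics && user.basics.username;
  if (!/^[a-z0-9_]{2,16}$/i.test(username || "")) return null; // assumed username shape
  let iconUrl = null;
  try {
    const u = new URL(user.pictures.primary.url);
    if (u.protocol === "https:" && IMAGE_HOSTS.has(u.hostname)) iconUrl = u.href;
  } catch (_) { /* missing or malformed picture: keep the profile link, no icon */ }
  return { username, profileUrl: `https://keybase.io/${username}`, iconUrl };
}

// Constructed sample response (not real Keybase data).
const SAMPLE_FP = "0123456789abcdef0123456789abcdef01234567";
const SAMPLE = {
  status: { code: 0, name: "OK" },
  them: [{
    basics: { username: "examplevalidator" },
    public_keys: { primary: { key_fingerprint: SAMPLE_FP } },
    pictures: { primary: { url: "https://s3.amazonaws.com/keybase_processed_uploads/constructed_360_360.jpg" } },
  }],
};
```
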
Good analysis!
I don't see major security concerns. Since our protocol ensures the uniqueness of the identity field, it should be secure to integrate with the Keybase ID.
Depending on the estimated workload, if it's just a small task of a few days, better to just do it ourselves. The communication cost of doing a bounty may be too high in that case. If Pops is interested in taking the bounty, the communication cost can be minimal, though.