Validators validation


#1

Hello,

First of all congrats on the quick pre-sale.

Secondly, I haven’t introduced myself in the “Validators Intro” group yet, due to currently working on obtaining the notary public license. I have been watching Oracles’ progress for a while now and am very much interested in the technical aspect of it and the huge potential of the PoA in general.

Last, but not least. While choosing licensed notaries as the validators is a very smart approach, the legal/security/bug question is, how do/would you verify those individuals and confirm they are who they say they are? With a very minimal effort one can collect public info, create a profile with someone’s identity and become a rogue validator(s).

Sincerely,

Alexey


#2

Alexey,

Good question. My understanding is that Oracles Network will eventually use both social mechanisms (Governance and the role/responsibilities of Validators) as well as “hard/rigorous” mechanisms (well-defined systems/processes) in the form of Identity DApps.

Social Mechanisms:
In Governance, an existing Validator has to propose to add a new Validator and then must be voted in by other Validators. So, it would be prudent for an existing Validator to know/trust the Validator they are proposing to add. Further, other Validators are obligated to do some “due diligence” before approving a proposal to add a new Validator. Here that “due diligence” might include validating the Notary commission status and identity details with the issuing Secretary of State, or even mean requesting a Notarial Act in person with the proposed Validator.

“Hard/rigorous” Mechanisms
There is a collection of Identity DApps being developed that can be leveraged to validate the identity of a proposed Validator, or anyone for that matter, in a rigorous way:

  • Proof of Physical Address
  • Proof of Phone
  • Proof of Bank Account
  • Proof of Github

see: https://oracles.org/apps

I think these (2) mechanisms complement each other and provide a powerful way to validate a Validator and ensure integrity/security of the network.


#3

Thank you for the great answer. I believe I saw a post from Igor about activation postcards. Could be a solid physical verification layer, which is also hackable, but with way more effort now.

Alexey


#4

Alexey,

Potentially as things mature on the Network, I can imagine leveraging the (4) Identity DApps so that all the following Hackable Events would have to occur for a successful “rogue validator” event to occur:

  1. Steal a valid Notary’s Identity
  2. Have access to stolen Identity’s physical address
  3. Have access to stolen Identity’s bank account
  4. Have access to stolen Identity’s phone
  5. Have access to stolen Identity’s GitHub
  6. Get nominated and approved by current set of Validators

So the probability of all these things occurring becomes either very very small or very very difficult or both.


#5

What I think would be good, but in a more centralized way. Have yearly meetups, first one to start when validator list is full. This way everyone is verified to be who they say and as long as everyone stays active and in good standing, the list shouldn’t change as much except for additional validators. Once a year everyone can make an effort to get to the same place to meet new members and socialize with past members.


#6

As part of due diligence for new validators onboarding, we may use a combination of verifications of identity:

Proof of physical address + proof of email + proof of LinkedIn for example.

And also require presenting a copy of a government-issued ID. This part could be verified in person by one of the validators or as a selfie with photo ID.

Let’s assume that somebody (who wants to become a new validator, but is not even a US resident) went to a Public Notary website, selected one of the names, and somehow was able to steal mail and get hold of the secret code that was provided during “Proof of physical address” verification. On top of that, they got hold of a LinkedIn account or another public account. Or just created a new one with the target’s name. Same with email. Even if all these steps were done, ID verification will most likely reveal the fake identity.

If NONE of the current validators EVER met the new candidate in person and don’t have any people in common that could verify identity, meeting in person with at least one current validator might be a good idea…


#7

Also, let’s say one or more of the current validators have several “contacts in common” on one of the social media sites. And it is known that the same person holds a Notary License.

It doesn’t prove that the person who tries to become a new validator is the same person mentioned above and not just using the same name and a stolen email.

To avoid this case, current validators may choose to randomly / secretly contact the Notary License holder (either through somebody they know or some other way) to verify that indeed the Notary License holder wants to become a POA validator and not somebody else who is trying to use the same name.


#8

I agree with Stephen. There is no better way to build proof of identity and proof of trust than through face to face physical meetups. It doesn’t even necessarily have to be every single validator at one meet up since that could pose a potential security threat, but at least building relationships with other validators either by phone contact, video conference and actual meetings. This will in turn give an extra layer of security through trust and detection.

John also has a good point, after leveraging the 4 Identity Dapps to vet a potential validator, the chances of which a nefarious individual could potentially get voted in becomes very difficult at best. I would guess the weakest point of attack will be a compromised server and/or compromised keys, especially if proper steps aren’t taken to secure them.


#9

I also had a thought that “all in one place” could be a security threat…


#10

This physical address validation check seems like a great idea to prevent people from assuming the identities of other notaries.


#11

Proof of physical address dapp will certainly help but by no means will prove the identity. Many states don’t display notaries’ full address.


#12

Good question — I agree with the above. Validators fulfill a key function to verify identity and determine the suitability of validator candidates. Due diligence should include proof of LinkedIn and other social media, as well as the hard mechanisms @jlegassic described. No system is ever completely foolproof but we can make the validation process rigorous enough that it deters malicious behavior.