FIP-19: Social Attestations #199
Replies: 9 comments 14 replies
-
Some initial thoughts.
Also, who keeps track of the attestation validity? I linked my company's twitter account to my FID, now the company changed owner and they claim the twitter handle using their FID. Who will keep track of the changes and invalidate my old attestation? Also: I can change my twitter handle. What happens then? |
Beta Was this translation helpful? Give feedback.
-
Would have expected social attestations to make use of the verification message type. Is there a reason why this isn’t the case? |
Beta Was this translation helpful? Give feedback.
-
Am I understanding this right Farcaster social attestations will work by clients posting unproven social attestation claims to the network, and clients will choose the other clients that they trust these attestations from. Seems reasonable and simple as a v1, but potentially a mess long term if Farcaster is to become truly multi client. But I suppose additional actual verifications can follow in the protocol later |
Beta Was this translation helpful? Give feedback.
-
Why not link some external service like https://passport.gitcoin.co that does this for a while, and it also publishes the proofs, I guess in the long term the only issue is that a service like this might disappear. But from UX perspective, it would be much better to use a service like this that has existed for a while. |
Beta Was this translation helpful? Give feedback.
-
This would be more powerful using EAS and likely would be adopted by the Optimism Collective, even if it was off chain EAS and the user had the option to put it onchain using a 3rd party tool at their own expense. That said I’m OK with this approach and think 3rd party tools that convert to EAS are possible anyway. I would be excited to see this version in production sooner rather than later. |
Beta Was this translation helpful? Give feedback.
-
Attestations with EAS don't have to be onchain. They can be made completely offchain with no gas |
Beta Was this translation helpful? Give feedback.
-
I would like to use LinkedIn data, and do these attestations include verified company badges from X |
Beta Was this translation helpful? Give feedback.
-
From a business owner: can this potentially expand to attesting ownership of an @acme.com email with a flow similar to sign-in with email? |
Beta Was this translation helpful? Give feedback.
-
Username for both GitHub and X can changed by the user or by the platform itself in case of trademark issues or internal policy. Platform-specific identifier ( |
Beta Was this translation helpful? Give feedback.
-
Abstract
Allow users to verify Github and Twitter/X accounts on Farcaster, with a standard that can be extended to support other platforms in the future.
Problem
A defining feature of Farcaster is that anyone can make an account permissionlessly. While important for sufficient decentralization, it does means that you can’t tell if a new account belongs to a well-intentioned user or a spammer. App developers often prevent new accounts from getting access to the best features (e.g. limit access to older fids).
If a new account can prove ownership of a hard to forge identity, that could help them break through these boundaries. For example, a user with an X account that is over 5 years old with 20k+ followers requires proof of work on X to create.
Specification
We propose a social attestation system where an fid can attest that another fid owns a particular account on a platform like X.
A new UserDataType is added is added for each platform that we want to support. We propose starting with X and Github because they are commonly used by our users and have an verification system (OAuth). We may add other systems in the future based on adoption and feedback from users and developers.
The string content of the data should omit the
@
, and lengths of usernames limited to app-specific limits:If Alice is using Warpcast, the flow would look like this:
UserDataAdd
delta of the Github type signed with the app key it has for Alice’s account.An observer can prove that Warpcast is attesting to Alice’s account by inspecting the delta’s signatures and doing some lookups on the KeyRegistry contract. The delta should be signed by an app key that Alice has authorized from her account but which is registered to Warpcast’s fid. See [decoding key metadata](https://docs.farcaster.xyz/developers/guides/advanced/decode-key-metadata) for details on how to do this.
Rationale
There are some important tradeoffs we are making here that are worth calling out:
Attestations are not verified — the attesting fid claims that it has verified that the receiving fid owns the account. it is up the observer to decide whether the attesting fid is trustworthy. the reason for this restriction is that most social platforms use OAuth, and there is no practical way to generate a proof (yet).
Attestations are not unique — the hubs do not guarantee a 1:1 mapping between an fid and an external social account. apps can solve this by ingesting the data, identifying duplicates and choosing a conflict strategy such as last write wins. the reason for this is that we plan to implement [sharding with snapchain](FIP: Introducing Ordering #193) which makes global uniquness impossible to guarantee.
Attestations are strongly typed — we considered a weakly typed approach where anyone could attest to any domain without requiring an explicit protocol change. While this adds more flexibility, we prefer a [worse is better](https://en.wikipedia.org/wiki/Worse_is_better) approach because the feature is simpler to implement, easier for apps to integrate and the majority of reputation lives in a small handful of services. there also exist alternate onchain attestations services like EAS which can be used for the long tail of attestations.
FAQ
Why not use onchain attestations like EAS?
Onchain actions are expensive, slow and often fail on mobile devices due to poor connectivity with wallets.
Why not make attestations verifiable with public signatures?
Posting a gist or tweet with a signature would create a verifiable chain of trust without needing to trust the attestor. The reason we moved away from this is that 1) the user experience is worse and 2) this does not work on all social networks that we may want to support.
Why not make attestations verifiable with zkTLS or some other zero knowledge system?
We haven’t found an easy to implement system with a good user experience (yet).
Release
Warpcast Plans
Warpcast has started verifying Twitter/X accounts and will publish them to the protocol after this feature is released. We ensure that every user has performed an OAuth to the Twitter account before publishing UserDataAdd messages with the username. We may support Github in the future but have no timeline yet.
We only plan to display attestations from Warpcast on user profiles since they can be spoofed. If you are building an app that does verified attestations reach out to @dwr.eth or @v. We are open to supporting attestations from other apps that meet some security and authentication bar.
Farcaster Plans
The release following 1.16.0 will include support for this type. After the supporting release has been shipped, Warpcast will begin publishing these messages to and consuming these messages from hubs for supported attestations from other applications.
Update
Attached a reference PR of the supporting implementation for hubs: farcasterxyz/hub-monorepo#2370
Beta Was this translation helpful? Give feedback.
All reactions