How Discoverable is a Person With Just Their App-Specific Public Key

I’m curious about the app public key. If I know someone’s public key, it seems to me that the other person can still remain pretty much (or not entirely) anonymous. I wanted to get people’s thoughts on whether or not this was accurate.

Can you discover a user’s Blockstack ID from an app-specific public key alone?

Yes, if an app discloses the public key in a discoverable way or if Blockstack is extended to allow discovery of a user’s app public key.

// Pseudocode (helpers such as allUserProfiles, getAppGaiaBucketFromProfile,
// getPublicKeyFromUrl and getUserIdFromProfile are assumed to exist):
const appUrl = 'https://someAppOfInterest.com'
const appPublicKeyUrl = 'pk.txt'   // file the app is assumed to publish its key under
const keyOfInterest = 'someAppPublicKey'
let userId = undefined
for (const profile of allUserProfiles) {
  // the app's Gaia bucket is listed in the user's public profile
  const appGaiaBucket = getAppGaiaBucketFromProfile(profile, appUrl)
  // read the key the app published in that bucket and compare it
  if (keyOfInterest === getPublicKeyFromUrl(`${appGaiaBucket}/${appPublicKeyUrl}`)) {
    userId = getUserIdFromProfile(profile)
    break
  }
}

Thanks, AC! I had a feeling there were functions I wasn’t aware of that would expose info based on the public key alone. Super helpful.


In looking at this, though, am I mistaken in understanding that it requires both knowledge of the app used and the naming convention for the key file?

For apps where the public key is discoverable, you are correct: you need to know which app to dig up the Gaia buckets for and what files are present for disclosing. Given the ability to do an inspection of files, it wouldn’t be hard to discover the key data if it’s not encrypted.

For the proposed API, you could just hit the endpoint with requests for the public keys of every app, probably slightly faster than indexing profiles.

Edit:
To be clear, the proposed API doesn’t exist yet and is just being discussed on the forum.


If they have signed into the app before, then yes. To do the reverse lookup, you would crawl the set of profiles, and find the Blockstack ID whose profile has the app-specific public key address in the apps list.

We’re interested in making at least part of the apps list anonymous at some point, so as to avoid this.
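The reverse lookup described above, written out as an added example that is not the forum's or Blockstack's own code: it runs over constructed in-memory profiles and a constructed stand-in for the app's Gaia buckets rather than crawling anything, and the profile shape (an `apps` map from app origin to bucket URL) and the `pk.txt` file name are assumptions. The point it makes is the one in the post: the only thing that links an app key to a Blockstack ID is the entry in the profile's apps list, so a user whose profile has no such entry (carol below) cannot be matched at all. It also generalizes to the "proposed API" case from the earlier reply, where only the key is known and every app origin is tried.

```javascript
// Added example, not code from the thread. Profile layout and the pk.txt
// convention are assumed; all data below is constructed for the demo.

// Constructed public profiles: `apps` maps app origin -> Gaia bucket URL.
const profiles = [
  { id: 'alice.id', apps: { 'https://someAppOfInterest.com': 'https://gaia.example/hub/ADDR_A/' } },
  { id: 'bob.id',   apps: { 'https://someAppOfInterest.com': 'https://gaia.example/hub/ADDR_B/',
                            'https://otherapp.example':      'https://gaia.example/hub/ADDR_B2/' } },
  // carol never used multi-reader storage for any app: nothing to crawl.
  { id: 'carol.id', apps: {} },
];

// Constructed stand-in for Gaia reads: what a fetch of `${bucket}pk.txt`
// would return if the app publishes its key there.
const bucketFiles = {
  'https://gaia.example/hub/ADDR_A/pk.txt':  '02aaaa...',
  'https://gaia.example/hub/ADDR_B/pk.txt':  '03bbbb...',
  'https://gaia.example/hub/ADDR_B2/pk.txt': '02cccc...',
};

function readBucketFile(url) {
  return Object.prototype.hasOwnProperty.call(bucketFiles, url) ? bucketFiles[url] : null;
}

// Crawl the profiles and return the ID whose bucket for `appOrigin` publishes
// `keyOfInterest`, or null if no profile links that key to an identity.
function findOwnerByAppKey(profiles, appOrigin, keyOfInterest,
                           readFile = readBucketFile, keyFile = 'pk.txt') {
  const target = keyOfInterest.toLowerCase();          // hex keys: compare case-insensitively
  for (const profile of profiles) {
    const bucket = profile.apps && profile.apps[appOrigin];
    if (!bucket) continue;                             // no apps-list entry: no linkage
    const published = readFile(`${bucket}${keyFile}`);
    if (published !== null && published.toLowerCase() === target) return profile.id;
  }
  return null;
}

// The "proposed API" shape: only the key is known, so try every app origin
// that appears in any profile's apps list.
function findOwnerByKeyAcrossApps(profiles, keyOfInterest, readFile = readBucketFile) {
  const origins = new Set(profiles.flatMap(p => Object.keys(p.apps || {})));
  for (const origin of origins) {
    const id = findOwnerByAppKey(profiles, origin, keyOfInterest, readFile);
    if (id !== null) return { id, origin };
  }
  return null;
}
```

In both functions the match is only ever reached through `profile.apps[appOrigin]`; removing or hiding that entry, as the post proposes, is exactly what turns a user from bob's situation into carol's.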

> I’m curious about the app public key. If I know someone’s public key, it seems to me that the other person can still remain pretty much (or not entirely) anonymous. I wanted to get people’s thoughts on whether or not this was accurate.

If you could prevent the user from using Gaia’s multi-reader storage, then the user would remain anonymous (since there would be no profile to crawl).
