Although the bitcoin-cli program uses local private key to sign a registration transaction for ID “foo” and, for instance a pgp key K, namely foo.id: { "pgp": K }, a rogue bitcoin-core server may create a new private key to sign a different transaction with a rogue pgp key K2: foo.id: { "pgp": K2 }

Since the whole point of Blockstack is to register IDs without trusting a server, the core server and the client must be owned by the same user.

Or, after the registration, the registering user must verify that the data is correct, and was registerted with the original transaction. How can I do that with blockstack-cli ? (Let’s say that the lookup data is trusted 100%, and it is only the registration part that I didn’t trust 100%).

Hey Boris, keep in mind that data a user attests to in their profile is not necessarily correct. It is provided as is and should not be given any weight.

Applications give context to the data by verifying it, and users can provide proofs in order to back up their claims.

As an example, here’s the data for Muneeb’s profile: https://onename.com/muneeb.json. He claims that he has a certain Twitter account but then it only shows up as having a green verification sign on onename.com once the interface checks the verification tweet.

We are working on adding a spec for verifications of PGP keys. Happy to discuss that here.