at://did:plc:44ybard66vv44zksje25o7dz/com.whtwnd.blog.entry/3lj7jmt2ct72r

Back to Collection

Record JSON

{
  "$type": "com.whtwnd.blog.entry",
  "content": "One of the big design goals for atproto is for users to \"own their network identity\". If something goes wrong with a hosting provider, it should be possible recover accounts by independently updating their identity to point at a new home.\n\nEvery account in the network has both a handle and a DID. The handle is a user-friendly hostname, like `@atproto.com` or `@dril.bsky.social`, and can change over time. DIDs are permanent identifiers, like `did:plc:ewvi7nxzyoun6zhxrhs64oiz`, and can *not* change: in some sense the DID is the account itself. The most popular DID method is \"DID PLC\", which is a novel system that Bluesky came up with that is \"self-certifying\" and controlled by cryptographic keys: whoever controls the keys controls the identity. Each DID PLC can have multiple \"rotation keys\" registered at any time, and any of the keys can submit updates to add and remove keys. The keys are in a sorted list, with the earlier keys having precedence over later keys in the event of a dispute.\n\nA minimal first step for users to \"own\" their identity is to register additional cryptographic keys that they control in their PLC identity. These keys don't need to be used unless there is a crisis with their PDS host. It is important to keep the secret part of any keypairs private and secure: if somebody got hold of the secret part, they might be able to hijack the account permanently. I recommend using a regular password manager to hold on keys.\n\nThis blog post describes the basic steps for adding a key, using the `goat` command line tool:\n\n1. Generate a new cryptographic keypair\n2. Have the current PDS sign and submit a PLC operation to register the key\n\nIn this example, the PDS handles all the PLC operations, signing, and submission. `goat` itself does not implement the PLC specification itself (yet).\n\nThe PDS reference implementation maintained by Bluesky has has some basic safety checks as part of this process, which reduces the chance of breaking an account. Nonetheless, this process does have some small risk of everything going wrong and the identity being lost. On the other hand, it leaves users in more autonomous control of their identities, and guards against operational mistakes made by the PDS. I recommend this process for more technical users for now, but over time do encourage more and more users to take control of their network identities, especially if they have invested significant time in their social persona.\n\n\n## Getting Ready and Generating a Key\n\nFirst, you'll need a personal password manager set up, with backups.\n\nThen, you need to get an updated version of the `goat` command line tool installed. This still currently requires having the Go programming language toolchain installed, then following the [Install instructions](https://github.com/bluesky-social/indigo/tree/main/cmd/goat#install).\n\nYou login to your account with `goat` like:\n\n```sh\ngoat account login -u $HANDLE -p $PASSWORD\n```\n\nYou can generate a new cryptographic keypair with the command:\n\n```sh\ngoat key generate\n```\n\nThe output will look like:\n\n```text\nKey Type: P-256 / secp256r1 / ES256 private key\nSecret Key (Multibase Syntax): save this securely (eg, add to password manager)\n\tz42tvTBNY5sWSBY2RiCScVLR8ZpBzhLnakUg2S1nNzSfmSct\nPublic Key (DID Key Syntax): share or publish this (eg, in DID document)\n\tdid:key:zDnaeVWBBrvpS1TxawWmNCkFrXyYWL4SPjFyNy6HkmQdRP4SC\n```\n\nNote that this output is the only copy of the key: it isn't saved to disk, registered with your account, or backed up anywhere. Until you back it up! I recommend you copy the whole text body, plus some notes about what the key is for (eg, account name, and DID) as a secure note in your password manager.\n\nAs a last preparation step, PLC updates are a sensitive operation, and your PDS will require a 2FA token. You'll need your account email verified, and then you can request one with:\n\n```sh\ngoat account plc request-token\n```\n\nYou'll get a token emailed to your registered email. Hold on to it for later (`$PLCTOKEN`).\n\n*If you are using a self-hosted PDS, you might need to jump through some hoops to get email sending working, or find another way to get the 2FA token. Not going to get in to that here.*\n\n## Simple Key Registration\n\nThe easy way to register the key is with the `add-rotation-key` command. Use the public part of the keypair (which starts with `did:key:`) as the `$PUBKEY`.\n\n```sh\ngoat account plc add-rotation-key --token $PLCTOKEN $PUBKEY\n```\n\nOptionally, you could add an argument `--first`, which would put the new key at the highest priority in the rotation key list, instead of lowest priority. This would resolve conflicts in favor of this privately held key; but that also means a hacker who gets the key would have high priority.\n\n```sh\ngoat account plc add-rotation-key --first --token $PLCTOKEN $PUBKEY\n```\n\nThat's it! If the command succeeded, the PLC identity should be updated. You can print the current PLC state to confirm it went as expected:\n\n```sh\ngoat account plc current\n```\n\n## Manual PLC Update\n\nIt is also possible to edit the PLC operation data directly, and still have the PDS sign and submit the update. This allows more sophisticated updates, like removing keys, adding additional service endpoints and verification methods, etc. You do need to be careful not to remove any information which would break the atproto functionality of the identity!\n\nStart by dumping the current PLC data to disk, as JSON:\n\n```sh\ngoat account plc current \u003e plc_unsigned.json\n```\n\nIt will look something like:\n\n```json\n{\n  \"did\": \"did:plc:swdagwbckvxc7qaxvswdagwb\",\n  \"verificationMethods\": {\n    \"atproto\": \"did:key:zQ3shsDXbrA7WQRKP79cPSKHRZDmKZuzZdnEdGQg5UatyzGFq\"\n  },\n  \"rotationKeys\": [\n    \"did:key:zQ3shhCGUqDKjStzuDxPkTxN6ujddP4RkEKJJouJGRRkaLGbg\",\n    \"did:key:zQ3shpKnbdPx3g3CmPf5cRVTPe1HtSwVn5ish3wSnDPQCbLJK\"\n  ],\n  \"alsoKnownAs\": [\n    \"at://handle.example.com\"\n  ],\n  \"services\": {\n    \"atproto_pds\": {\n      \"type\": \"AtprotoPersonalDataServer\",\n      \"endpoint\": \"https://blewit.us-west.host.bsky.network\"\n    }\n  }\n}\n```\n\nYou can also print out the data your current PDS recommends to be included, such as the rotation keys and repo signing key currently held by the PDS:\n\n```sh\ngoat account plc recommended\n```\n\nOnce you have edited the `plc_unsigned.json` file and it looks good, can submit it to your PDS to be signed with one of the current PLC rotation keys the PDS holds. Note that this step doesn't actually update the PLC directory! It just returns a signed PLC operation (as JSON):\n\n```sh\ngoat account plc sign --token $PLCTOKEN  ./plc_unsigned.json \u003e plc_signed.json\n```\n\nIn theory this signed operation could now be submitted directly to a PLC directory. But that might confuse the PDS, which wouldn't know about the update. Instead, it is best to have your PDS submit it for you:\n\n```sh\ngoat account plc submit ./plc_signed.json\n```\n\nAnd that is it! You can check that the update actually went through with:\n\n```sh\ngoat account plc current\n```",
  "createdAt": "2025-02-28T22:20:49.891Z",
  "theme": "github-light",
  "title": "Registering Identity Recovery Keys via PDS, using goat",
  "visibility": "public"
}