Having employed the Persistent Identity pattern myself with a UUIDv4 as the identifier, I recently noticed that this exposes users to an increased risk of impersonation attacks. Suppose I learn my victim's unique identifier; since there is no central authority blocking that identifier as taken, I can create a new account with that identifier, with the goal of connecting with others or otherwise impersonating my victim. The pattern already mentions using public keys as one option, and I'd like to propose a stronger recommendation to use public keys: they are less susceptible to impersonation attacks because, when combined with a signature, they are backed by private key ownership and thus harder to forge.
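The difference described above, as an added example that is not part of the original post or the pattern's own code: a verifier that accepts a bare UUID cannot tell the owner from anyone else who knows it, while a verifier that treats the public key as the identifier can demand a signature over a fresh challenge. The `Claim` type, the function names, the choice of Ed25519 and the hex-encoded key format are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Claim is what a peer presents when announcing "I am <ID>" (hypothetical type).
type Claim struct {
	ID        string // UUID, or hex-encoded Ed25519 public key (assumed format)
	Signature []byte // signature over the verifier's challenge; unused for UUIDs
}

// AcceptUUID models a bare-identifier scheme: with no central registry the
// verifier has nothing to check beyond the value itself.
func AcceptUUID(c Claim, expectedID string) bool {
	return c.ID == expectedID
}

// AcceptKey accepts a claim only if the signature over the challenge
// verifies under the public key that *is* the identifier.
func AcceptKey(c Claim, expectedID string, challenge []byte) bool {
	pub, err := hex.DecodeString(c.ID)
	if err != nil || len(pub) != ed25519.PublicKeySize || c.ID != expectedID {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), challenge, c.Signature)
}

// Demo returns the verdicts for: UUID owner, UUID copied by another peer,
// key owner, and a peer that copied the public key but signs with its own key.
func Demo() (uuidOwner, uuidCopy, keyOwner, keyCopy bool) {
	const victimUUID = "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b" // constructed sample
	uuidOwner = AcceptUUID(Claim{ID: victimUUID}, victimUUID)
	uuidCopy = AcceptUUID(Claim{ID: victimUUID}, victimUUID) // byte-for-byte the same claim
	victimPub, victimPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	victimID := hex.EncodeToString(victimPub)
	challenge := make([]byte, 32) // fresh nonce per check, so old signatures cannot be replayed
	rand.Read(challenge)
	keyOwner = AcceptKey(Claim{ID: victimID, Signature: ed25519.Sign(victimPriv, challenge)}, victimID, challenge)
	keyCopy = AcceptKey(Claim{ID: victimID, Signature: ed25519.Sign(otherPriv, challenge)}, victimID, challenge)
	return
}

func main() {
	fmt.Println(Demo())
}
```

The public key is just as easy to learn as the UUID; what changes is that knowing it is no longer sufficient to pass the check.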