Discussion on: Steve Gibson - SQRL - Secure Quick Reliable Login

Daniel Persson

Hi Ryan.

Thank you for this excellent question. It might have been a bit much to talk about all the details of the protocol on stage.

Yes, I'm one of the developers of the Android application. I did the prototype, and probably most of the work, but I have had great help from some contributors.

Revocation is very similar to a username and password revocation. If you have the original login, you can regain your access and trust without any email chain.

What we do, built into the protocol, is that you rekey your identity, so you have a new identity. This operation can only be done with your super-secret rescue code. Then you visit the sites where you want to revoke your identity. The application will then give the site both the old identity and the new one, so it changes your identity to the new one. This can only be done if you are the owner of the rescue code, which makes it safe.

Another scenario that Steve might not have mentioned: you travel abroad with your identity, and you need to give the officials your phone. They might have copied your identity, and you don't want them to access a specific site.

Then you can visit that site with your identity and, just by supplying your regular identity and a lock command, lock access to that site until you are safe at home with your rescue code and can unlock access to the site again.

Similarly, there is a provision that you may not remove your key from a site without supplying your rescue code.

So this rescue code is very useful for the cases where your identity is stolen.

I hope this clears up some confusion, and if you have any questions, then don't hesitate to ask.

For even more information, everything should be documented at grc.com/sqrl/sqrl.htm.

Best regards
Daniel
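The lock, unlock and rekey rules Daniel describes, as an added toy model that is not part of his comment or of SQRL's own code. Cryptographic proof is abstracted away (a request simply declares which credentials authenticated it), and the names `Site`, `REGULAR`, `RESCUE` and `travel_scenario` are hypothetical.

```python
# Toy model of the site-side rules described in the comment above (added example,
# not SQRL's own code). Cryptographic proof is abstracted away: a request just
# declares which credentials it was authenticated with. All names are hypothetical.
REGULAR = "regular-identity"   # the everyday identity carried on the phone
RESCUE = "rescue-code"         # the offline, super-secret rescue code

class Site:
    def __init__(self) -> None:
        self.locked: dict[str, bool] = {}   # known identity -> locked flag

    def register(self, identity: str) -> None:
        self.locked[identity] = False

    def login(self, identity: str, creds: set[str]) -> bool:
        # A copied identity is useless while the account is locked.
        return identity in self.locked and REGULAR in creds and not self.locked[identity]

    def lock(self, identity: str, creds: set[str]) -> bool:
        # The regular identity alone may lock (no rescue code needed abroad).
        if identity not in self.locked or REGULAR not in creds:
            return False
        self.locked[identity] = True
        return True

    def unlock(self, identity: str, creds: set[str]) -> bool:
        # Only the rescue code can lift the lock.
        if identity not in self.locked or RESCUE not in creds:
            return False
        self.locked[identity] = False
        return True

    def rekey(self, old: str, new: str, creds: set[str]) -> bool:
        # Replacing the identity needs the old identity *and* the rescue code.
        if old not in self.locked or not {REGULAR, RESCUE} <= creds:
            return False
        self.locked[new] = self.locked.pop(old)
        return True

def travel_scenario() -> dict[str, bool]:
    # Phone handed to officials abroad: lock first, then see what a copy can do.
    site = Site()
    site.register("id-A")
    site.lock("id-A", {REGULAR})
    return {
        "copy_logs_in": site.login("id-A", {REGULAR}),                  # False
        "copy_unlocks": site.unlock("id-A", {REGULAR}),                 # False
        "copy_rekeys": site.rekey("id-A", "id-X", {REGULAR}),           # False
        "owner_unlocks": site.unlock("id-A", {REGULAR, RESCUE}),        # True
        "owner_rekeys": site.rekey("id-A", "id-B", {REGULAR, RESCUE}),  # True
        "new_id_logs_in": site.login("id-B", {REGULAR}),                # True
    }
```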