- Feb 16, 2019
This isn't necessarily correct. Yes, you rekey your identity, but sites only know about this event when you visit them. If you were really worried about that, you could space out the delays between logging in to various sites and space out the re-keying. Given the vast number of users who visit sites, and depending on how frequently re-keying events happen, it might be lost in the noise. Plus, you're assuming the attacker has access to all the sites' traffic. If they have this level of access, they hardly need to figure out your SQRL public key to know who you are.When you rekey, it rekeys you for ALL sites... So if you were frequently using your SQRL identity then the timing of your rekey event(s) is another possible correlation if I am monitoring the sites you visit.
And besides this whole argument is moot anyway considering there are much easier and more exploitable ways of tracking an individual across sites. If you are the target of a nation state, it's pretty safe to assume anything you do online can be monitored.