The Key Server correctly enforcing rate-limit of fetch requests is the most critical component of the Recoverbull protocol. A Recoverbull server could decide whatever rate-limiting parameters it wants. Our recommendation is a limit of 3 attempts per day per identifier. While other methods of rate-limiting may be useful (for example to prevent ddos attacks) they are not strictly required. The reason the rate-limit is so critical is that we expect the password chosen by the user to be very weak.

User anonymity is also a critical component of the security model. The key server should neither collect nor store any information that may be able to identify the user. In case the key server database is compromised, or in case the key server is malicious, any personal information could lead to targeted attacks against the user. Emails and phone numbers can be traced to the legal identity of an end-user, revealing that the end-user is a Bitcoin holder.

The key server does not have any method of identifying where the encrypted backup may be stored. This is why the protocol specifies that the key server should wipe the identifier from memory on a daily basis. The identifier is used to enforce rate-limiting, but since rate-limiting is enforced on a daily basis, the key server does not need to have the identifier for longer than 1 day. The identifier is the only link between an encrypted backup key and a backup file. Without the identifier, even in the case of a legally binding request for information to obtain a backup key for a given backup file, the key server could not comply with that request, unless the user has performed a fetch request with the correct authentication key that same day.