Post AJow0ddnCTqHsiaLhY by Nachbarschaft@bildung.social
(DIR) Post #AJow0bLzhgPumwF6gK by bengo@mastodon.social
2022-05-24T07:26:02Z
0 likes, 2 repeats
I gave a 1hr talk on the past, present, futures of #ActivityPub last week. Here is a recording: https://youtu.be/c17gjxEoyMQ
(DIR) Post #AJow0bo01YooBnLTKi by humanetech@mastodon.social
2022-05-24T07:48:16Z
0 likes, 0 repeats
@bengo great! I am going to watch it today. Wasn't aware you were presenting or might have joined. Was this part of larger event?
(DIR) Post #AJow0cCoXIfTQkxI0m by humanetech@mastodon.social
2022-05-24T09:12:01Z
0 likes, 0 repeats
@bengo hey, I really enjoyed this presentation! Very well done, and I can really recommend others to spend an hour and learn about the interesting history and futures of #ActivityPub. cc @cy you may like this for background info, as well as reflections of Christine Webber and Amy Guy after the specs became final in: http://dustycloud.org/blog/on-standards-divisions-collaboration/
(DIR) Post #AJow0ciMdzuB0biUBk by Nachbarschaft@bildung.social
2022-05-24T10:16:52Z
0 likes, 0 repeats
Hi @bengo, thanks for that talk. Concerning what you say around minute 55-56, have you had a look at ZOT and its projects Hubzilla and ZAP/Streams? What you are looking for is called "nomadic identity" and has been used in practice very well by these projects for years. Have a look: https://hubzilla.org//page/hubzilla/hubzilla-project https://codeberg.org/streams @cy @humanetech
(DIR) Post #AJow0dAiwYaeQYz8OO by cy@mstdn.io
2022-05-25T04:03:34Z
1 likes, 0 repeats
@Nachbarschaft I always have to point out that public keys are the ultimate nomadic identity. With a digital signature, you can switch servers transparently and automatically, and all your followers can be sure they still have the same person. It works even if your old server already banned you, deleted any attempt to tell your friends of your new server, or had a catastrophic hardware failure.
(DIR) Post #AJow0ddnCTqHsiaLhY by Nachbarschaft@bildung.social
2022-05-25T07:15:41Z
0 likes, 0 repeats
@cy sure - sounds good to me... "nomadic identity" is no voodoo but reality for Hubzilla / ZAP / Streams ... and as I understand now also a part of AP. Have you tried it? What do you think of it?
(DIR) Post #AJow0dxzzM0OtO2UCG by cy@mstdn.io
2022-05-25T19:15:33Z
0 likes, 0 repeats
@Nachbarschaft Oh right, sorry I didn't mean to imply Hubzilla didn't use public key identities. (They call them "channels.") I just think it's an awesome way to do nomadic identity, that I really wish the Fediverse could do.
(DIR) Post #AJow0eR4FHG2LXdhVQ by cy@mstdn.io
2022-05-25T19:22:02Z
0 likes, 0 repeats
@Nachbarschaft Though I think Hubzilla has a crappy unsigned client API too. So you need to be able to run your own instance, or "hub" as they call it. I can't read the code well enough to tell, but is it possible to run a hub without DNS, port forwarding, and a signed SSL certificate? That is, can hubs only connect to other hubs, rather than requiring others to connect to them for certain things, like the Fediverse does?
(DIR) Post #AJow0enOuF7dSo5XJg by cy@mstdn.io
2022-05-25T19:29:19Z
0 likes, 0 repeats
@Nachbarschaft Ideal would be if you can run a hub, then post a message about a second publicly accessible hub where people can reach you. Then that hub would sync with your primary hub, whenever you started it up and connected to the secondary one. Like Scuttlebutt's "pub" record.
(DIR) Post #AJow0f7bh7HkTTXfoO by cy@mstdn.io
2022-05-25T19:34:07Z
0 likes, 0 repeats
@Nachbarschaft Nah, it looks like Hubzilla requires that you have a DNS record, and an SSL certificate, and an always-up server, and nginx, and the ability to configure nginx to proxy through Hubzilla. So nomadic identity is kind of a lie.
(DIR) Post #AJow0fQkXwb7QqUxeK by icedquinn@blob.cat
2022-05-25T19:38:10.047449Z
0 likes, 0 repeats
@cy @Nachbarschaft :blobcatthinkOwO: an opportunity to insert myself. Nomadic identity in zot (hubzilla's protocol) means basically that you are identified like in PKI, but your secret key is put on consignment with a hub server to be able to sign responses and such. So the hubs do have to be generally available, and there really isn't a way to deregister from a hub other than trusting they delete the keys. However you can have the keys on multiple hubs, and if one dies or tries to ban you then you can send requests from a new hub and, since the crypto keys are the same, everyone just kind of updates their pointers of where you live right now to the new hub. It's kind of how wireguard sends packets to the last address that gave it a signed packet, so it supports hopping connections because it just updates what it thinks your home is.
(DIR) Post #AJowj1NeIY7SFaCJc0 by cy@mstdn.io
2022-05-25T19:45:12Z
1 likes, 0 repeats
@icedquinn @Nachbarschaft
> however you can have the keys on multiple hubs
> the same private key, unencrypted, on multiple computers
> multiple remote servers you do not control
(DIR) Post #AJowj1oEhhO1a2dY3M by icedquinn@blob.cat
2022-05-25T19:46:15.470837Z
0 likes, 0 repeats
@cy yeah i don't like the idea of custodial private keys either. @Nachbarschaft
(DIR) Post #AJoxwQIf3ivtFuoqOG by cy@mstdn.io
2022-05-25T19:55:47Z
1 likes, 1 repeats
@icedquinn @Nachbarschaft
< ( What's this? A user doing something I don't agree with? I think I shall ban them, and silence them forever! )
( Ha ha, that's what you think! I have sent my private key to four other servers, so I will not be silenced! ) >
< ( Also I'll reveal their private key so anyone can make them post loads of gore porn. )
( ....shit ) >
(DIR) Post #AJoxwQbnuYFGDHm8EC by icedquinn@blob.cat
2022-05-25T19:59:53.382903Z
0 likes, 0 repeats
@cy @Nachbarschaft i guess its not more of a disaster than existing federated login systems (everyone oauth'ing their gafam accounts.)
(DIR) Post #AJoyYMs6FonVcvUMAS by cy@mstdn.io
2022-05-25T20:04:58Z
1 likes, 0 repeats
@icedquinn @Nachbarschaft If only you were allowed to create a digital signature, and not have a gimpy crap client full of crap, then you could sign the hub's public key saying "These guys can make me post loads of gore porn—I mean are totally trustworthy to speak for me." That signature would be just as good as sending your private key, without the catastrophic security failure.
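The delegation cy sketches above, and the contrast with the custodial model icedquinn describes (the hub holding a copy of the user's private key), as an added example that is not part of the original thread and not Hubzilla's or zot's own code. It assumes a hypothetical wire format: the identity key signs a statement "this hub key may speak for me until time T", the hub signs posts with its own key and attaches that statement, and a follower verifies the chain identity -> hub -> post. The identity private key never leaves the user's device, so a banning or compromised hub cannot forge posts once the delegation expires, and moving hubs is just a new delegation under the same identity key. Ed25519 from the Go standard library is used for the signatures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Delegation is the statement "hub key Hub may speak for identity key Identity
// until Expiry", signed by the identity key. Hypothetical format, not zot's.
type Delegation struct {
	Identity ed25519.PublicKey // long-lived key that *is* the user
	Hub      ed25519.PublicKey // key generated and kept on the hub
	Expiry   uint64            // unix seconds; bounds the damage if a hub goes rogue
	Sig      []byte            // ed25519 signature by Identity over delegationMessage
}

// Post is a message the hub signs on the user's behalf, carrying the delegation
// that authorises it.
type Post struct {
	Delegation Delegation
	Body       []byte
	Sig        []byte // ed25519 signature by Delegation.Hub over postMessage
}

// Distinct prefixes keep a delegation signature from being replayed as a post
// signature or vice versa.
func delegationMessage(hub ed25519.PublicKey, expiry uint64) []byte {
	msg := append([]byte("nomadic-delegation-v1\x00"), hub...)
	var exp [8]byte
	binary.BigEndian.PutUint64(exp[:], expiry)
	return append(msg, exp[:]...)
}

func postMessage(identity ed25519.PublicKey, body []byte) []byte {
	msg := append([]byte("nomadic-post-v1\x00"), identity...)
	return append(msg, body...)
}

// NewDelegation runs on the user's own device, the only place the identity
// private key exists. The hub receives the result, never identityPriv.
func NewDelegation(identityPriv ed25519.PrivateKey, hub ed25519.PublicKey, expiry uint64) Delegation {
	pub := identityPriv.Public().(ed25519.PublicKey)
	return Delegation{
		Identity: pub,
		Hub:      hub,
		Expiry:   expiry,
		Sig:      ed25519.Sign(identityPriv, delegationMessage(hub, expiry)),
	}
}

// HubSign runs on the hub, which needs only its own private key plus the
// delegation the user handed it.
func HubSign(hubPriv ed25519.PrivateKey, d Delegation, body []byte) Post {
	return Post{Delegation: d, Body: body, Sig: ed25519.Sign(hubPriv, postMessage(d.Identity, body))}
}

// Verify is what a follower runs. It checks the chain identity -> hub -> post
// and rejects anything a hub could produce without the user's signature.
func Verify(p Post, now uint64) error {
	d := p.Delegation
	// ed25519.Verify panics on a malformed public key, so check sizes first.
	if len(d.Identity) != ed25519.PublicKeySize || len(d.Hub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(d.Identity, delegationMessage(d.Hub, d.Expiry), d.Sig) {
		return errors.New("delegation was not signed by the identity key")
	}
	if now > d.Expiry {
		return errors.New("delegation expired")
	}
	if !ed25519.Verify(d.Hub, postMessage(d.Identity, p.Body), p.Sig) {
		return errors.New("post was not signed by the delegated hub")
	}
	return nil
}

func main() {
	// Identity key: generated and kept on the user's device.
	idPub, idPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Each hub generates its own key; neither ever sees idPriv.
	hubAPub, hubAPriv, _ := ed25519.GenerateKey(rand.Reader)
	hubBPub, hubBPriv, _ := ed25519.GenerateKey(rand.Reader)

	const now = uint64(1_653_500_000) // constructed timestamp, roughly May 2022
	delA := NewDelegation(idPriv, hubAPub, now+86400)
	fmt.Println("post via hub A:", Verify(HubSign(hubAPriv, delA, []byte("hello from hub A")), now))

	// Hub A bans the user. Moving is just a new delegation; followers see the same identity.
	delB := NewDelegation(idPriv, hubBPub, now+86400)
	postB := HubSign(hubBPriv, delB, []byte("hello from hub B"))
	fmt.Println("post via hub B:", Verify(postB, now), "same identity:", postB.Delegation.Identity.Equal(idPub))

	// A hub cannot speak for the user under a delegation made out to a different hub ...
	fmt.Println("forgery with someone else's delegation:", Verify(HubSign(hubBPriv, delA, []byte("gore")), now))
	// ... and the old hub can keep posting only until its delegation expires.
	fmt.Println("hub A after expiry:", Verify(HubSign(hubAPriv, delA, []byte("stale")), now+2*86400))
}
```

The expiry is the part that matters for the ban scenario in the thread: without it (or a signed revocation that followers also check), a hub that already holds a valid delegation can keep posting as the user indefinitely, which is still far better than the custodial model, where the hub can also hand the identity key to anyone else.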
(DIR) Post #AJoyYNK6ZhCP1maioq by icedquinn@blob.cat
2022-05-25T20:06:44.489042Z
1 likes, 0 repeats
@cy @Nachbarschaft i think that's basically what a SAML assertion is
(DIR) Post #AJp0ky65sL7gSoAcGu by cy@mstdn.io
2022-05-25T20:22:18Z
0 likes, 1 repeats
@icedquinn Oh yeah, Cloudflare really love SAML, because you don't control your own keys. You ask an "identity provider" to give you signatures. (aka Cloudflare) This when computers have been capable of making their own digital signatures for like 40 years...
(DIR) Post #AJp1voDh2WWuy8SS5w by icedquinn@blob.cat
2022-05-25T20:44:35.705496Z
1 likes, 0 repeats
@roboneko @Nachbarschaft @cy its possible to use pleroma as an oauth provider if i recall.
(DIR) Post #AJpGv0vvmglnQEEFJw by cy@mstdn.io
2022-05-25T22:37:54Z
1 likes, 0 repeats
@roboneko Well, their own poor decisions and all the propaganda that lied to them and assured them it was totally fine, accepted by all, would lead to no regret whatsoever, and anyone who tried to warn them differently was just a crazed lunatic who should be disregarded, and also immature.
(DIR) Post #AJpH4YVUKPNG9ePUIK by cy@mstdn.io
2022-05-25T22:44:41Z
0 likes, 0 repeats
@roboneko @Nachbarschaft @icedquinn Because the Hubzilla client is just a javascript website for your web browser, and all web browsers are programmed so that you can't sign anything.
(DIR) Post #AJpQGkx8mN27olEkU4 by cy@mstdn.io
2022-05-26T00:57:34Z
0 likes, 0 repeats
@roboneko Right, and one possible algorithm for a Turing machine is "send the user's private key to the server without telling them."
(DIR) Post #AJpWY0MPLZeQFdfBrs by cy@mstdn.io
2022-05-26T01:53:34Z
0 likes, 0 repeats
@roboneko Yes, I think Activitypub does the equivalent of Hubzilla, but how often are always-up reachable network servers going to change domain names? That's all that nomadic identity would help with, the part after the @ not before it. I don't know about lack of forethought, since Hubzilla's a pretty massive effort; I think it's more learned helplessness, where they come to accept insecure as the new normal. But uh...
(DIR) Post #AJpWY0wDCSI62gPmfw by cy@mstdn.io
2022-05-26T01:59:21Z
0 likes, 0 repeats
@roboneko Firstly I don't have access to the private key of that. That's mstdn.io's public key, with my name tacked on it, and I sure don't control mstdn.io. Even if I had the private key, mstdn.io also has it, so it's useless to me. My key is https://fedicy.us.to/stuff/cy.gpg (0acfda56). Secondly, javascript is fundamentally un-securable, because it requires your browser download and execute arbitrary code without your permission, or awareness.
(DIR) Post #AJpWY800wiUXwVFQ4e by cy@mstdn.io
2022-05-26T02:03:46Z
1 likes, 0 repeats
@roboneko Of course I type my own key fingerprint wrong. xP 3EE0 4602 4769 4E18 F974 9881 E4F6 06A1 0AC7 DA56 same as in my profile.
(DIR) Post #AJpWY84cfaB6AnP6G0 by cy@mstdn.io
2022-05-26T02:02:12Z
0 likes, 0 repeats
@roboneko Supposedly that's "safe" because javascript is "sandboxed" but it limits what you can do. Even if I wrote a client API that did full digital signature verification, the next time you refresh the page, I might have replaced that code with something that only pretends to digitally sign your data, or sends me your private key. With XHR, I don't even need to wait for a page refresh.
(DIR) Post #AJpWYFHzqG2EYIiNZg by cy@mstdn.io
2022-05-26T02:08:50Z
0 likes, 0 repeats
@roboneko To write a secure client that uses a web browser, I'd have to write it as an addon, and even then, if you enable automatic updates (which even Firefox defaults to) then I could still pull the rug out from under you. The only real option is to write an actual program, that people can actually compile themselves, which corporations have worked very hard to establish is only for beta nerds and normal people can't do it.
(DIR) Post #AJpWYMb2fqQfDOgBjU by cy@mstdn.io
2022-05-26T02:13:35Z
0 likes, 0 repeats
@roboneko So in the face of decades of propaganda and police action reducing us to applesauce dribbling babies, I can't really blame the Hubzilla ppl for not writing a client that does digital signatures. It's a massive amount of effort that people would universally revile as they talk about consumers and inconvenience, and criminals. It was poor design choices and lack of forethought, but also very restrictive conditions that made it the way it is.
(DIR) Post #AJpX4VkACUvmqpH79E by cy@mstdn.io
2022-05-26T02:28:26Z
1 likes, 0 repeats
@roboneko Oh uh... and I untagged the others because I dunno I just untag people reflexively, since they're probably not super interested in the conversation. User tagging is a stupid idea anyway, since they should just be able to get updates to the thread if they want. We only started this @tagging nonsense because Twitter took threads away from us.
(DIR) Post #AJpdgaX9RGc2R7jEEy by cy@mstdn.io
2022-05-26T02:45:09Z
1 likes, 0 repeats
@roboneko OK to be fair my domain has been taken away twice. Nobody actually noticed I had the same public key, but I guess if they cared, they could've verified it.
> Well it's a keypair that the instance controls. But it's a unique keypair per account. So it's not their only key, but it's still only their key.
> that's a valid point against crypto in web apps with no external device, not against javascript-the-language
Right, sorry I only have 500 characters, so it's hard to always
(DIR) Post #AJpdhqE2aBfjORO4HY by cy@mstdn.io
2022-05-26T02:39:25Z
1 likes, 0 repeats
@roboneko The instance admin would still have to write the code that contacted the third party to handle key stuff, and could easily remove that, so you'd never contact the third party at all, despite the little animated lock thingy going "click. Secure!" I agree if you get an "app" from a third party, you have to trust them, not the instance admin. But public open source code can be independently audited, so if it's not too complex, I think it's fine. Other people don't.
(DIR) Post #AJpy7xiNMHfZEWJDSS by cy@mstdn.io
2022-05-26T04:53:39Z
1 likes, 0 repeats
@roboneko Oh right, the problem with that is it heavily centralizes identity providers. Cloudflare is pushing a thing where they get to do all the signing, and they'd be a massive gatekeeper over millions of people's keys. It just shifts the risk from instance to identity provider. If you can't trust your instance, then why would you be able to trust your identity provider?
(DIR) Post #AJpybfiOqSAm60UFEG by cy@mstdn.io
2022-05-26T04:59:44Z
0 likes, 0 repeats
@roboneko What's missing is code to allow "servers" that can just connect to other servers and sync with them, without being reachable or any DNS or stuff like that. Then you just run it, and use the Fediverse on localhost. I get an account on mstdn.io, and that would mean mstdn.io will save the posts from my "server" signed by my "server," but you can get them from the public server.
(DIR) Post #AJpybhKipSQB79QMbI by cy@mstdn.io
2022-05-26T05:08:07Z
0 likes, 0 repeats
@roboneko There might have to be a bit more decentralized relaying. Like mstdn.io should cache pictures a trusted server attaches (failing if it attaches something >2MB of course), so you could get them even if you couldn't reach me directly. Over the client API, I'm allowed to do exactly that, except without any digital signatures.
(DIR) Post #AJq60rjVzzROHty8au by Nachbarschaft@bildung.social
2022-05-26T07:19:02Z
1 likes, 0 repeats
@roboneko @icedquinn @cy Thanks for that interesting discussion.
> User tagging is a stupid idea anyway, since they should just be able to get updates to the thread if they want.
That is why I don't like Mastodon and prefer e.g. Friendica, Hubzilla, Zap or Streams,
(DIR) Post #AJq60wiHU0QNjWQirg by Nachbarschaft@bildung.social
2022-05-26T07:23:54Z
0 likes, 0 repeats
@roboneko @icedquinn @cy #Friendica, #Hubzilla, #Zap or #Streams are definitely part of the network which is called Fediverse - they all also speak AP. Streams is a pure AP server with nomadic identity - so nomadic identity became part of AP and other AP apps can implement it as well. The Fediverse is built on always reachable servers - it's not a peer to peer network. A lot of the things you are saying can be better done in such a peer to peer network, I would say. @cwebber @bengo @humanetech
(DIR) Post #AJq611W3cscMd3kX0S by Nachbarschaft@bildung.social
2022-05-26T07:25:02Z
0 likes, 0 repeats
@roboneko @icedquinn @cy A #Hubzilla, #Zap or #Streams identity exists also without DNS - you can download it to your PC. But yes, you need a hub to "live" this identity. Hubs could also connect in a network without DNS, e.g. in a local network over LAN - but that of course would not be the network called "Fediverse" ;-) @cwebber @bengo @humanetech
(DIR) Post #AJq614dc1FRYJMJ6hM by Nachbarschaft@bildung.social
2022-05-26T07:25:33Z
0 likes, 0 repeats
@roboneko @icedquinn @cy
> What's missing is code to allow "servers" that can just connect to other servers and sync with them, without being reachable or any DNS or stuff like that. Then you just run it, and use the Fediverse on localhost. I get an account on mstdn.io, and that would mean mstdn.io will save the posts from my "server" signed by my "server," but you can get them from the public server.
I really like this - when could this be done ;-) @cwebber @bengo @humanetech
(DIR) Post #AJq6waE3FVqsmjm2wS by humanetech@mastodon.social
2022-05-26T07:35:17Z
0 likes, 0 repeats
@Nachbarschaft Not everything works as it should on #mastodon apparently, as I see your 3 toots separately and those of @cy also separate, not part of the thread. For others with this issue.. the top-level toot is by @bengo : https://mastodon.social/@bengo/108355725733286400 @roboneko@bae.st @icedquinn@blob.cat @cwebber
(DIR) Post #AJq6waezdLP28INYw4 by humanetech@mastodon.social
2022-05-26T07:48:23Z
0 likes, 0 repeats
@Nachbarschaft @cy @bengo @cwebber And even that thread is incomplete it looks like, and also the mentions went wrong when just replying.. yep, it's messy :)
(DIR) Post #AJq6wb0cKwhTDMUpdo by Nachbarschaft@bildung.social
2022-05-26T08:46:54Z
1 likes, 0 repeats
@humanetech mastodon is a total mess, try this link to see more of the discussion: https://mstdn.io/@cy/108364232095271740 @roboneko @icedquinn @cy @cwebber @bengo
(DIR) Post #AJq7SC7mONQtIruiHY by Nachbarschaft@bildung.social
2022-05-26T09:18:53Z
1 likes, 0 repeats
@humanetech or this link: https://bae.st/notice/AJpH4RbB3DlpqG4buy @roboneko @icedquinn @cy @cwebber @bengo