[HN Gopher] Nomadic Identity Is Coming to ActivityPub
       ___________________________________________________________________
        
       Nomadic Identity Is Coming to ActivityPub
        
       Author : jalict
       Score  : 101 points
       Date   : 2024-03-18 14:30 UTC (8 hours ago)
        
 (HTM) web link (wedistribute.org)
 (TXT) w3m dump (wedistribute.org)
        
       | ndriscoll wrote:
       | Why does OWA use per-actor RSA signatures instead of e.g. OIDC
       | client auto-registration to exchange a shared secret between
        | servers? If the user identity is user@example.com and example.com
       | is authoritative on whether that identity is valid, why do you
       | need a proof that it possesses the user's key? And if the server
       | has the private key anyway, why have per-user private keys?
       | 
       | Unless you have key-based naming (userId@keyFingerprint), you
       | have to rely on a server running at the domain to be the ultimate
       | authority on legitimacy of identities anyway, right? Exchanging a
       | single shared secret between servers seems like a much more
       | lightweight way to do that.
       | 
       | For portability, couldn't userId@example.com publish a message
       | saying that it is now (only-or-also) known as
       | userId@othersite.com? If example.com had the private key at some
       | point and you were moving permanently, you'd need to generate a
       | new one anyway and need to publish a similar message, so why have
       | the keys at all vs. the server just saying "yeah that's my user"?
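The key-based naming ("userId@keyFingerprint") and the signed "now also known as" announcement sketched in the comment above, as an added example that is not part of this thread, of OpenWebAuth or of any ActivityPub implementation; the use of Ed25519, the fingerprint scheme and the JSON field names are assumptions made here:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Fingerprint is the assumed key-derived name part: truncated hex SHA-256 of the raw public key.
func Fingerprint(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:8])
}

// Alias is the "now (only-or-also) known as" announcement; the field names are assumed.
type Alias struct {
	Subject     string `json:"subject"`     // key-based name, e.g. alice@<fingerprint>
	AlsoKnownAs string `json:"alsoKnownAs"` // domain-based address the user is moving to
}

// Sign signs the JSON form of the alias (fixed field order, so stable bytes) with the subject's key.
func Sign(priv ed25519.PrivateKey, a Alias) []byte {
	msg, _ := json.Marshal(a)
	return ed25519.Sign(priv, msg)
}

// Verify lets any server accept the announcement without asking the old domain:
// the key must match the fingerprint in the subject and the signature must hold.
func Verify(pub ed25519.PublicKey, a Alias, sig []byte) error {
	i := strings.LastIndex(a.Subject, "@")
	if i < 0 || a.Subject[i+1:] != Fingerprint(pub) {
		return errors.New("public key does not match the fingerprint in the subject")
	}
	msg, _ := json.Marshal(a)
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo identity
	a := Alias{Subject: "alice@" + Fingerprint(pub), AlsoKnownAs: "alice@othersite.com"}
	fmt.Println(a.Subject, "->", a.AlsoKnownAs, "verified:", Verify(pub, a, Sign(priv, a)) == nil)
}
```

Because the subject names the key rather than a domain, a relay that never contacts example.com can still reject a forged or altered move announcement; what it cannot do is recover from a lost or stolen key, which is the PKI caveat raised further down the thread.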
        
       | TaylorAlexander wrote:
       | Sounds like I will finally be able to move mastodon servers
       | without losing the last year of interactions I've had! I moved
       | once before and while my followers moved, my content did not. The
       | old account stayed there with all my content, with no direct link
       | to my new profile unless I added it as a link in my new profile.
       | 
       | My current server has been very slow and I've wanted to move.
       | I'll wait till this is fully deployed and then give it a shot!
        
         | mariusor wrote:
         | > Within the confines of Mastodon, it's a relatively unknown
         | concept.
         | 
          | Mastodon is not known for adding support for other ActivityPub
          | implementations' extra features. I doubt they'll look into this
         | any time soon.
        
           | mdaniel wrote:
           | Do you happen to know if it's a bandwidth issue, and thus
           | they (would/do) engage in good faith with PRs for such
           | content, or it's a "our toy, our priority" type deal?
        
             | mariusor wrote:
             | I have no idea. They do have multiple developers at the
             | moment as far as I know, but maybe everyone focuses on the
             | user interactivity instead. Regarding third party PRs again
             | I don't know, I think they're open to it, but from previous
             | interactions I had on their tracker, the review process
             | might be quite stringent.
        
       | evbogue wrote:
       | This is a step in the right direction, but what about a giant
       | leap in the right direction? Imagine using signing key
       | cryptography to authenticate all of your messages on any computer
       | anywhere in the world. Then your identity doesn't need to be
       | nomadic, because it can exist everywhere all at once.
        
         | apitman wrote:
         | Sounds like you want Nostr, or I'm assuming Bogbook?
        
           | evbogue wrote:
           | And never forget about Secure Scuttlebot!
        
             | apitman wrote:
             | For better or for worse, UX trumps security every time. We
             | either give the people both, or they'll go with UX.
        
       | solarpunk wrote:
       | excited to see fediverse's answer to bluesky's DID
        
         | pfraze wrote:
         | I'm pretty curious to see more as well, though FYI at first
         | glance this looks like it's using DIDs
        
       | apitman wrote:
       | Relevant Fediverse Enhancement Proposal (FEP) here[0] and
       | discussion here[1].
       | 
       | Auth can be subtle and I'm likely missing some things, but the UX
       | appears to be essentially equivalent to OIDC, especially given
       | the caveat at the bottom which states users might want to consent
       | before exposing their identity to any random server.
       | 
       | So I'm assuming the benefit here is that the logins themselves
       | and any actions you take are tied to your public key and not the
       | domain you use to host your key at any given point in time? Do
        | they talk at all about the typical issues with PKI identity, i.e.
       | lost/compromised private keys?
       | 
       | [0]:
       | https://codeberg.org/fediverse/fep/src/branch/main/fep/61cf/...
       | 
       | [1]: https://socialhub.activitypub.rocks/t/fep-61cf-the-
       | openwebau...
        
       | KTibow wrote:
       | Is the site showing as a bunch of JSON for anyone else?
        
       ___________________________________________________________________
       (page generated 2024-03-18 23:01 UTC)