from Hacker News

Nomadic Identity Is Coming to ActivityPub

by jalict on 3/18/24, 2:30 PM with 14 comments

  • by apitman on 3/18/24, 8:29 PM

    Relevant Fediverse Enhancement Proposal (FEP) here[0] and discussion here[1].

    Auth can be subtle and I'm likely missing some things, but the UX appears to be essentially equivalent to OIDC, especially given the caveat at the bottom which states users might want to consent before exposing their identity to any random server.

    So I'm assuming the benefit here is that the logins themselves and any actions you take are tied to your public key and not the domain you use to host your key at any given point in time? Do they talk at all about the typical issues with PKI identity, ie lost/compromised private keys?

    [0]: https://codeberg.org/fediverse/fep/src/branch/main/fep/61cf/...

    [1]: https://socialhub.activitypub.rocks/t/fep-61cf-the-openwebau...

  • by TaylorAlexander on 3/18/24, 7:31 PM

    Sounds like I will finally be able to move mastodon servers without losing the last year of interactions I’ve had! I moved once before and while my followers moved, my content did not. The old account stayed there with all my content, with no direct link to my new profile unless I added it as a link in my new profile.

    My current server has been very slow and I’ve wanted to move. I’ll wait till this is fully deployed and then give it a shot!

  • by evbogue on 3/18/24, 7:40 PM

    This is a step in the right direction, but what about a giant leap in the right direction? Imagine using signing key cryptography to authenticate all of your messages on any computer anywhere in the world. Then your identity doesn't need to be nomadic, because it can exist everywhere all at once.

  • by ndriscoll on 3/18/24, 5:58 PM

    Why does OWA use per-actor RSA signatures instead of e.g. OIDC client auto-registration to exchange a shared secret between servers? If the user identity is user@example.com and example.com is authoritative on whether that identity is valid, why do you need a proof that it possesses the user's key? And if the server has the private key anyway, why have per-user private keys?

    Unless you have key-based naming (userId@keyFingerprint), you have to rely on a server running at the domain to be the ultimate authority on legitimacy of identities anyway, right? Exchanging a single shared secret between servers seems like a much more lightweight way to do that.

    For portability, couldn't userId@example.com publish a message saying that it is now (only-or-also) known as userId@othersite.com? If example.com had the private key at some point and you were moving permanently, you'd need to generate a new one anyway and need to publish a similar message, so why have the keys at all vs. the server just saying "yeah that's my user"?
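
    The two comments above (apitman on identity being tied to a public key rather than a hosting domain, and ndriscoll on key-based naming like userId@keyFingerprint plus a signed "I am now known at othersite.com" message) describe a mechanism that is easier to judge in code. The block below is an added illustration and is not code from the FEP, from OWA or from any Fediverse project; it assumes Ed25519 instead of the RSA signatures OWA uses, a made-up `Move` activity shape, and a fingerprint derived as base64url(SHA-256(public key)). It shows three things: a move announcement verifies the same way whichever domain is hosting the actor, a server holding a different key cannot announce a move on the actor's behalf, and a per-actor sequence number stops an old announcement from being replayed to point followers at a stale home.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Activity is the signed body of a hypothetical "I am now hosted at Home"
// announcement (constructed for this example, not a real FEP/OWA message).
// Struct field order is fixed, so json.Marshal is canonical enough here; a
// real protocol would use a proper canonicalisation scheme.
type Activity struct {
	Actor     string `json:"actor"`     // "alice@<fingerprint>" (key-based naming)
	PublicKey []byte `json:"publicKey"` // raw Ed25519 public key; must hash to the fingerprint
	Type      string `json:"type"`      // "Move"
	Home      string `json:"home"`      // domain currently hosting the actor
	Seq       uint64 `json:"seq"`       // monotonic counter; older announcements are rejected
}

// Envelope carries the activity together with its detached signature.
type Envelope struct {
	Activity  Activity `json:"activity"`
	Signature []byte   `json:"signature"`
}

// Fingerprint derives the domain-independent identifier from the public key
// (assumed scheme: base64url of SHA-256 over the raw key).
func Fingerprint(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// ActorID builds the userId@keyFingerprint name from the comment above.
func ActorID(name string, pub ed25519.PublicKey) string {
	return name + "@" + Fingerprint(pub)
}

// Sign canonicalises the activity and signs it with the actor's private key.
func Sign(priv ed25519.PrivateKey, a Activity) (Envelope, error) {
	canon, err := json.Marshal(a)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Activity: a, Signature: ed25519.Sign(priv, canon)}, nil
}

// Verifier remembers the last accepted sequence number per actor so that an
// old "Move" cannot be replayed to redirect followers to a stale home.
type Verifier struct{ lastSeq map[string]uint64 }

func NewVerifier() *Verifier { return &Verifier{lastSeq: map[string]uint64{}} }

// Accept checks that the embedded key is the one the actor ID names, that the
// signature verifies under it, and that the announcement is newer than the
// last one seen. Nothing here depends on which domain delivered the message.
func (v *Verifier) Accept(e Envelope) error {
	a := e.Activity
	i := strings.LastIndex(a.Actor, "@")
	if i < 0 {
		return errors.New("actor id lacks a key fingerprint")
	}
	if len(a.PublicKey) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	pub := ed25519.PublicKey(a.PublicKey)
	// Without this check any server could substitute its own key and "speak"
	// for the actor; the fingerprint in the name pins the key.
	if Fingerprint(pub) != a.Actor[i+1:] {
		return errors.New("public key does not match actor fingerprint")
	}
	canon, err := json.Marshal(a)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, canon, e.Signature) {
		return errors.New("bad signature")
	}
	if a.Seq <= v.lastSeq[a.Actor] {
		return errors.New("stale or replayed announcement")
	}
	v.lastSeq[a.Actor] = a.Seq
	return nil
}

// Demo runs the scenario and returns whether each announcement was accepted:
// first home, move to a new home, a forged move signed by another key, and a
// replay of the first announcement.
func Demo() (firstOK, moveOK, forgedOK, replayOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	actor := ActorID("alice", pub)
	v := NewVerifier()

	e1, _ := Sign(priv, Activity{Actor: actor, PublicKey: pub, Type: "Move", Home: "example.com", Seq: 1})
	e2, _ := Sign(priv, Activity{Actor: actor, PublicKey: pub, Type: "Move", Home: "othersite.com", Seq: 2})
	firstOK = v.Accept(e1) == nil
	moveOK = v.Accept(e2) == nil

	// A hostile server with its own key claims alice moved to it.
	evilPub, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := Sign(evilPriv, Activity{Actor: actor, PublicKey: evilPub, Type: "Move", Home: "evil.example", Seq: 3})
	forgedOK = v.Accept(forged) == nil

	replayOK = v.Accept(e1) == nil
	return
}

func main() {
	a, b, c, d := Demo()
	fmt.Printf("first home: %v, moved: %v, forged accepted: %v, replay accepted: %v\n", a, b, c, d)
}
```

    What the example does not solve is the point apitman raises: if the private key is lost or stolen, the fingerprint in the name is permanently bound to it, and "publish a new key" is exactly the message an attacker with the old key can also sign, so some out-of-band rotation or revocation path is still required.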

  • by solarpunk on 3/18/24, 8:05 PM

    excited to see fediverse's answer to bluesky's DID

  • by KTibow on 3/18/24, 10:58 PM

    Is the site showing as a bunch of JSON for anyone else?