Thinking along here a bit, I get the impression that maybe the biggest challenge with migration is allowing pre-migration links to still work after migration - at least follows and profile links, if not all content links (which would be ideal.)
The problem with this method, of course, is that if mastohost.one goes down, so do all of the links.
We’re also assuming here that the instance Alice wants to leave (mastohost.one) actually supports this shiny new migration feature - and we actually don’t want to assume anything about that instance, at least if we want to help people migrate away from badly-maintained instances which haven’t been updated in a while.
Ideally I think the rerouting migrated content should be something that propagates through the network. If we could count on mastohost.one supporting migration, we could start propagating the updated routes by having it send out a notification to any instance with users who follow the migrating account, giving them the full set of re-mappings of old to new URIs/URLs. This way the moment you leave mastohost.one, you no longer depend on that server for anything anymore. (You do depend on your followers’ instances being up to date enough to handle your migration.)
But we can’t count on mastohost.one for anything, and if we allow mastohost.two to announce it’s now alice’s home, we’re also creating a way for rogue instances to hijack an identity, which would be disastrous.
Have other federated networks solved these problems somehow? The “clone” solution from Hubzilla as @zotlabs described it sounds like mastohost.one would have to stay alive - if one of the clones’ instance dies, would followers still have access to the remaining clones and their content?
Maybe there’s some cryptography-based solution to all this. My understanding of cryptography is kinda shaky but I suspect something like the following should be possible:
- When following Alice at mastohost.one, mastohost.foo get some kind of public secret, allowing Alice’s identity to be authenticated but not impersonated
- When migrating, mastohost.two gets Alice’s private secret from mastohost.one, allowing mastohost.two to prove that it’s Alice’s authentic home now
- Once migration is complete and confirmed, mastohost.two sends a migration notice out to all of Alice’s followers, signed using their private secret so that mastohost.foo and mastohost.baz know this is something Alice really chose to do, propagating a routing table for Alice’s migrated profile and all of her content
As a side effect, this kind of system would also allow an instance to change domain names safely without breaking all follows and links to it, and again without allowing impersonation.
I hope these thoughts are helpful.