Verify identity across accounts, permanently moving accounts

I’m posting this here rather than on the GitHub because I think it first needs a more philosophical discussion, as in how it relates to the aims of the project before looking at the technical feasibility and the implementation.

I would also think this could be used to automatically transfer people following your account to another when you mark your original as permanently moved and verify the new one.

I would argue the answer is yes to all of the following:

Is this something that would make people safer here?

Does it help decentralise the fediverse?

Does it reduce the problem of new users struggling to choose and understand what it means to choose an instance?

What do you folks think?

A public/private key combo would solve the problem of identity. A Mastodon server could work as a key server for its users, basically Keybase, but then on top of Mastodon.

Every instance (Mastodon / PeerTube etc) signed with my private key is “mine” and I can check all “your” instances with your public key.

Your private key would be your online identity


Bear in mind:

This response is a bit over my head but on the implementation (the thread expands upon it)

The main problem with private keys is end users have a tendency of losing them! There would need to be some kind of fallback for when that happens.

Is it possible for it to be as simple as:

on instance 1, go to settings page, verification tab, enter the name of your second account/instance

Be provided with a link (magic happens behind scenes)

Click link, if logged in on instance 2, happy days, otherwise be prompted to log in

job done

It could. Although as you’re probably setting up a redirect on the old account anyway I’m not 100% sure what this adds in terms of identity verification. It could be I’m missing something :slight_smile:

Agreed, there needs to be a way to recover your identity, although some people might rather lose an identity than compromise it.

You (in your previous reply) use a secondary location (a website, domain etc) as verifier, thus making that instance your primary identity. Who controls that entity controls you. That is an extra step. The “easiest” setup would be:

  • is my primary identity, here I download / generate my private key
  • person@peertube uses the private key to bless/sign this account, ergo, it is also me
  • uses the private key to bless/sign this account, ergo, it is also me
  • etc

Next, wonders if really uploaded that video to person@peertube he can use a private key to verify

Now what to do with me losing my private key?

  1. Backup
  2. Print it out and backup
  3. Some form of recovery, with codes etc (that need to be backed up)
  4. Cut the private key in pieces and give the pieces to friends, you would need at least x pieces to piece together your key (there is good math for this, it’s a solved problem)

That seems eminently sensible and is more straightforward than ad-hoc external verification. :slight_smile:

The other base you’ve got covered (I think) is if the original server you created your identity with disappears for some reason you still (hopefully) have a means of blessing other servers.

Edit: For non-technical users, signing with keys would need to be very well documented. But I suppose it’s do-able.

Yes, the private key would be your identity. So as long as you have the key, you own that digital identity. If this would be implemented then a next step could be using your Mastodon key to sign and/or encrypt stuff. The sky is the limit.

Basically it would be PGP done right. No central key-server, you own your data.

But if you really lose your (primary) key then you lose the complete identity.

Most of the key-stuff could be invisible, like an https website

Would it make sense for your primary instance to be able to generate fresh keys?

I’m thinking it wouldn’t be a huge hassle to re-verify other accounts

Looking at scenarios such as you lose access to an account, an instance disappears or changes admin
