Re: Federation protocols

Hi all, Jonas from Debian here,

Quoting Mikael Nordfeldth (2013-06-01 08:47:59)
> 2013-06-01 07:57, Michał 'rysiek' Woźniak wrote:
> > Exactly. I think using URI (with an optional "username@" part) as 
> > UID makes sense and does not tie us to DNS. Think of the TOR network 
> > - nothing is stopping anybody from using 'user@example.onion' as an 
> > UID, and that is *completely* outside the DNS hierarchy. The "shape" 
> > of the UID doesn't mean it is anchored in the current DNS system.
> 
> I am curious here how one would verify - and correctly correlate to 
> others in a network - the identity of a federated user if they had a 
> purely human-assigned string such as blah@blaha.bla
> 
> I wish to argue (and Diaspora had somewhat the same idea I think?) 
> that the real identity should be a more definitive - more computery - 
> identifier string. Otherwise it will not be truly portable (avoiding 
> collisions in a global namespace). One tried and true solution for 
> this are GPG identities, which may be combined with WebFinger or 
> whatever other lookup process/service/protocol.
> 
> I.e. as long as I control the domain "hethane.se" I can set up an ID 
> pointer there for mmn@hethane.se to address GPG fingerprint AE68 9813 
> 0B7C FCE3 B2FA 727B C7CE 635B B52E 9B31 - and then something which 
> negotiates this with any feed subscribers in a cryptographically 
> verifiable way.
> 
> Then I could, say, have an "alias" for my account at a webfingerish 
> lookup at my account on "mmn@freesocial.org".

I would argue that only the identifier need be interoperable - verification 
of the identifier can happen differently on each subsystem.

Some want public recognition and therefore public verifiability, while 
others want the very opposite: resistance against tracking.


> This'd also give content privacy by encrypting to friends' public 
> keys. However it would not really address the identify-by-source 
> issues that may be of concern to some. (i.e. that the network may know 
> that two individuals are communicating, despite not knowing the 
> content)

Exactly! Let's settle on a common identifier but leave verification to 
each implementation or to overlay systems like [Monkeysphere].


 - Jonas

[Monkeysphere]: http://web.monkeysphere.info/

-- 
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Received on Saturday, 1 June 2013 09:07:26 UTC