improving key exchange over ActivityPub from Sean O'Brien on 2022-12-07 (public-swicg@w3.org from December 2022)

From: Sean O'Brien <sean.obrien@yale.edu>
Date: Tue, 6 Dec 2022 20:51:08 -0500
To: Bob Wyman <bob@wyman.us>, "public-swicg@w3.org" <public-swicg@w3.org>
Message-ID: <87f5e763-a270-4e9e-a2e4-08f0b16a7ea8@yale.edu>

Hi all,

I'm unfamiliar with the process at W3C, but I see a general trend on the 
messages to the list.

* Comments are extremely thoughtful and informative.
* Comments provide important context about the fediverse.
* Comments focus on the application layer.
* Comments span a wide area of social and ecological concerns in regard 
to the fediverse.
* Comments approach specific implementations of fediverse software such 
as Mastodon.
* Comments include valuable personal experience.

I personally would like to focus on ActivityPub, without regard to 
applications and specific social concerns, and how to improve the 
protocol to allow others to run with it on the social and application level.

To that end, I would like to suggest that concrete proposals be formed 
in regard to the protocol, to allow ActivityPub to be extended to 
improve the current social, ecological, and personal situation.

I'll repeat the goal I emailed a couple weeks ago with this in mind:

"For my take, I think a 'killer feature' [for ActivityPub] would be 
improving key exchange and verification, and potentially making public 
keys more easily available and more quickly distributed via ActivityPub 
for applications to build features on top of them (e.g. encrypted chat, 
verified user profiles, verified file sharing, maybe even software 
supply chain)."

A draft of this sort of thing has been done here by Ben McGinnes at 
gnupg.org and, though I reached out to him directly and have no response 
yet, I think this is very valuable groundwork.

Is anyone in this W3C group interested in this issue and collaborating 
with me on this concrete effort?


I cannot emphasize how vital this work is with millions flooding into 
the fediverse for the first time and, for example, DM-ing over 
unencrypted channels. Those users are exposed to legal and 
police/surveillance issues but, perhaps worse, the volunteers running 
fediverse instances are exposed to extreme liability and pressure from 
government and corporate surveillance and policing.


Cheers,
- Sean

Sean O'Brien
Fellow, Information Society Project at Yale Law School
Founder, Privacy Lab at Yale ISP, https://privacylab.yale.edu

Received on Wednesday, 7 December 2022 01:51:27 UTC