**Mauve 👁💜** @mauve@mastodon.mauve.moe · Sep 07, 2023, 03:16

**Mauve 👁💜** @mauve@mastodon.mauve.moe · Sep 07, 2023, 03:16

Mauve 👁💜 @mauve@mastodon.mauve.moe

Sep 07, 2023, 03:16

For real we should ditch wallets and password managers and OAuth and instead use public keys + ActivityPub Actors + HTTP Signing. Though I guess it puts a lot of trust into the DNS layer?

**Emelia 👸🏻** @thisismissem@hachyderm.io · Sep 07, 2023, 03:25

**Emelia 👸🏻** @thisismissem@hachyderm.io · Sep 07, 2023, 03:25

Sep 07, 2023, 03:25

Emelia 👸🏻 @thisismissem@hachyderm.io

@mauve problem with that is securely storing the private keys.

**Mauve 👁💜** @mauve@mastodon.mauve.moe · Sep 07, 2023, 03:27

**Mauve 👁💜** @mauve@mastodon.mauve.moe · Sep 07, 2023, 03:27

Sep 07, 2023, 03:27

Mauve 👁💜 @mauve@mastodon.mauve.moe

@thisismissem Yeah that too. In our case the answer to "what happens when I lose my keys or they are stolen" is "make a new keypair and add it to your actor object" which IMO is an improvement over "ha ha you lost your identity forever lol". Leaves a lot to be desired still though.

**Mauve 👁💜** @mauve@mastodon.mauve.moe · Sep 07, 2023, 03:30

**Mauve 👁💜** @mauve@mastodon.mauve.moe · Sep 07, 2023, 03:30

Sep 07, 2023, 03:30

Mauve 👁💜 @mauve@mastodon.mauve.moe

@thisismissem I think the dynamics become similar to a password in the end but it makes it just a little harder to spoof requests and it makes it just a little easier to not have to deal with JWTs/UCANs/Bearer tokens

**Emelia 👸🏻** @thisismissem@hachyderm.io · Sep 07, 2023, 03:33

**Emelia 👸🏻** @thisismissem@hachyderm.io · Sep 07, 2023, 03:33

Sep 07, 2023, 03:33

Emelia 👸🏻 @thisismissem@hachyderm.io

@mauve Mastodon & fedi software only deals with any of those fpr their webapps and extensibility use cases, not for federation

**Mauve 👁💜** @mauve@mastodon.mauve.moe · Sep 07, 2023, 03:36

**Mauve 👁💜** @mauve@mastodon.mauve.moe · Sep 07, 2023, 03:36

Sep 07, 2023, 03:36

Mauve 👁💜 @mauve@mastodon.mauve.moe

@thisismissem Yup! Exactly and so you have way more ways of making clients. IMO it'd be great if clients used signed requests to their inbox/outbox and if instances provided SPARQL or similar for querying data back out. Or better yet it'd be nice if clients loaded other peers' data directly.

**Emelia 👸🏻** @thisismissem@hachyderm.io · Sep 07, 2023, 03:38

**Emelia 👸🏻** @thisismissem@hachyderm.io · Sep 07, 2023, 03:38

Sep 07, 2023, 03:38

Emelia 👸🏻 @thisismissem@hachyderm.io

@mauve I think you may be searching for solid with solid-tls for auth

**Mauve 👁💜** @mauve@mastodon.mauve.moe · 2023-09-07T03:41:00Z

Mauve 👁💜 @mauve@mastodon.mauve.moe

@thisismissem Mind linking to a TLDR for how that works? Solid is defs something I'm interested in.
Is solid-tls the tls client certificate auth? I was ranting about how it sucks that isn't used more a few months ago :P

Sadly I couldn't get it working on Linux with chromium or firefox so I gave up on pursuing it further.

Sep 07, 2023, 03:41 · · Web · · ·

**Emelia 👸🏻** @thisismissem@hachyderm.io · Sep 07, 2023, 03:43

**Emelia 👸🏻** @thisismissem@hachyderm.io · Sep 07, 2023, 03:43

Sep 07, 2023, 03:43

Emelia 👸🏻 @thisismissem@hachyderm.io

@mauve it's all available via the solid project website, it's one of the official specs but got superseded by solid-oidc, but I know TimBL still believes in it because OIDC annoys him

**Mauve 👁💜** @mauve@mastodon.mauve.moe · Sep 07, 2023, 03:47

**Mauve 👁💜** @mauve@mastodon.mauve.moe · Sep 07, 2023, 03:47

Sep 07, 2023, 03:47

Mauve 👁💜 @mauve@mastodon.mauve.moe

@thisismissem Neat yeah. I like the use of linking to profiles with the SubjectAlternativeName field in the certificate. Still wishing we had the future where we used client certs for auth. 😩

OIDC makes sense given the larger "identity" industry. Agree it can be annoying though. So many little pieces to keep track of.

Resources

Developers

What is Mastodon?

mastodon.mauve.moe

More…