I need input on this suggested #Keybase integration in Mastodon. I have provided a summary of what I know here:
@Gargron Every time I look into keybase I get disappointed that it is not an open source project.
@Gargron i think you summed it up best here: "I am not quite sure why Keybase could not simply use the same method [using rel=me], thus allowing two-way verification without much extra work and without any cryptography."
@Gargron re: "without any cryptography":
Keybase is doing the "right thing" by designing their service so that users don't have to trust keybase servers at all -- they can verify cryptographically from another user's key(s) that a public "proof" was provided by that user.
They *could* do rel=me links, but that would mean that user('s client)s would have to trust that that link from keybase.io hadn't been tampered with.
(I'm not up to speed on the rest of their "proof integration" stuff, tho.)
I think there might also be threats in the check-for-a-rel=me-link in that someone might be able to insert such a link into your page (for example, if you boost someone else's toot) and posting this particular cryptographic attestation provides a specific assurance that contains the whole claim.
And for an idea of how hacky it is without proper integration, here's how I previously "verified" my Mastodon ID:
The proof is all manual, though, so `keybase id nfnitloop` can't automatically verify my keybase identity like it can the others.
@Gargron please don't integrate with silos.
They reaction to their extension problem shows that they don't care about security much either.
If we could add public keys to the profiles instead it would be cool and would allow all kind of e2e stuff.
@Gargron Would be really nice 👍
@Gargron I wouldn't claim I'm super up to speed with everything involved but I always feel wary writing one off special case methods instead of more generalised solutions.
However it sounds like there are advantages to this integration both socially and technically.
Is there a way of using this as an excuse to build a more generalised linking-plugin model in case other strange one-offs come up, then at least you can neatly slot future linking code in somewhere neat and feel it makes sense?
I like the idea of collaborating with Keybase to figure out an open standard that other services can integrate with as well. That could be really awesome for Mastadon, Keybase, FOSS, and security communities.
@Gargron I would really hate to see integration with a proprietary service like this. Please reconsider 🙁
Keybase is a much better system for actually getting people to use strong encryption than GPG itself, though. Keybase's adoption rate is obvious evidence here.
There was a fairly nuanced discussion of this feature and what kind of users want it on their issue tracker:
@gargron I think it's okay as long as this isnt a foot in the door for them to get unreasonable influence over mastodon
@Gargron Too bad that the integration is a lot of code that ties Mastodon to a proprietary protocol. This is exact opposite of stuff like ActivityPub that is open standard and has multiple implementations.
Moreover they could simply do the integration the same way they did it with other services (HN, Reddit, etc.) by writing the integration code on their side...
On the other hand Keybase is popular...
@wiktor Indeed, it cannot be discounted that Keybase has its own large userbase and the integration could give Mastodon good publicity
@Gargron Yep, a lot of people already hack together their proofs of Mastodon accounts.
If there would be a backlash from Mastodon community (because "proprietary") this proof integration could be extracted to a separate webservice that would bridge a Mastodon instance (via ActivityPub API or otherwise) and Keybase. Thus keeping Mastodon "pure" ;)
@Gargron please nooooooo
@mathias It's not like you any data or calls to Keybase will be made in any way whatsoever unless you use a specific function. I wrote the code in such a way as to minimize hardcoding anything, so identity proof providers could be swapped out. So what's the issue?
Invite-only Mastodon server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!