I need input on this suggested integration in Mastodon. I have provided a summary of what I know here:

@Gargron Every time I look into keybase I get disappointed that it is not an open source project.

@Gargron re: "without any cryptography":

Keybase is doing the "right thing" by designing their service so that users don't have to trust keybase servers at all -- they can verify cryptographically from another user's key(s) that a public "proof" was provided by that user.

They *could* do rel=me links, but that would mean that user('s client)s would have to trust that that link from hadn't been tampered with.

(I'm not up to speed on the rest of their "proof integration" stuff, tho.)

@Gargron I'm not a Keybase expert, but I'm a fan. I'm if you want to chat about it. Or, pop into the `keybasefriends` team on Keybase to find lots of folks (and some employees) to help talk through stuff. :)

@NfNitLoop @gargron not having to trust to verify is definitely an advantage.

I think there might also be threats in the check-for-a-rel=me-link in that someone might be able to insert such a link into your page (for example, if you boost someone else's toot) and posting this particular cryptographic attestation provides a specific assurance that contains the whole claim.

@npd @Gargron Exactly.

And for an idea of how hacky it is without proper integration, here's how I previously "verified" my Mastodon ID:

The proof is all manual, though, so `keybase id nfnitloop` can't automatically verify my keybase identity like it can the others.

@npd @Gargron Oops, I meant "verify my Mastodon identity like it can the others."

@Gargron please don't integrate with silos.
Their reaction to their extension problem shows that they don't care about security much either.
If we could add public keys to the profiles instead it would be cool and would allow all kinds of e2e stuff.

@Gargron I wouldn't claim I'm super up to speed with everything involved, but I always feel wary writing one-off special-case methods instead of more generalised solutions.

However it sounds like there are advantages to this integration both socially and technically.

Is there a way of using this as an excuse to build a more generalised linking-plugin model in case other strange one-offs come up, then at least you can neatly slot future linking code in somewhere neat and feel it makes sense?

I like the idea of collaborating with Keybase to figure out an open standard that other services can integrate with as well. That could be really awesome for Mastodon, Keybase, FOSS, and security communities.

@Gargron I would really hate to see integration with a proprietary service like this. Please reconsider 🙁

@Gargron I don't think integration with keybase would be a good idea. Not only is it a silo system but it encourages people to upload their GPG private keys. A password is not a substitute for a private key.

@bob @Gargron

Keybase is a much better system for actually getting people to use strong encryption than GPG itself, though. Keybase's adoption rate is obvious evidence here.

There was a fairly nuanced discussion of this feature and what kind of users want it on their issue tracker:

@gargron I think it's okay as long as this isn't a foot in the door for them to get unreasonable influence over Mastodon

@Gargron Too bad that the integration is a lot of code that ties Mastodon to a proprietary protocol. This is exact opposite of stuff like ActivityPub that is open standard and has multiple implementations.

Moreover they could simply do the integration the same way they did it with other services (HN, Reddit, etc.) by writing the integration code on their side...

On the other hand Keybase is popular...

@wiktor Indeed, it cannot be discounted that Keybase has its own large userbase and the integration could give Mastodon good publicity

@Gargron Yep, a lot of people already hack together their proofs of Mastodon accounts.

If there would be a backlash from Mastodon community (because "proprietary") this proof integration could be extracted to a separate webservice that would bridge a Mastodon instance (via ActivityPub API or otherwise) and Keybase. Thus keeping Mastodon "pure" ;)

@mathias It's not like any data or calls to Keybase will be made in any way whatsoever unless you use a specific function. I wrote the code in such a way as to minimize hardcoding anything, so identity proof providers could be swapped out. So what's the issue?

@Gargron sorry Garg, nothing about your work on the implementation. It’s related to #Keybase itself; apart from not doing the implementation, not sure you can do something about it.
