Mastodon's federation introduces UX challenges.
One that worries me a lot is about message forgery. Anyone can forge a twoot, even cross-server.
Whereas Twitter Inc might be trustworthy enough to not forge transcripts. Anyone can run a Mastodon server and might want to abuse it to influence people (see Russian troll campaigns).
Should Mastodon "home servers" cryptographically sign updates? Should there be end-to-end signatures? Anyone has thoughts on this?
@fj I just learned that there's nothing stopping me from registering https://mastodon.cloud/@fj and pretending to be you. That's not really a technical challenge (the domain is implicit part of the username) but sounds like usability hell.
@martijn_grooten next step for Mastodon is to put all the usernames in a distributed ledger run by all the Mastodon servers to have a unique blockchain of usernames. #BlockchainAllTheThings #WhenAllYouHaveIsABlockchainEverythingLooksLikeANail
@fj Yeah, I don't think mentions are going to be very confusing. But imposter accounts? But maybe Mastodon isn't meant to be widely used; for a geeks-only social network, it's probably fine, and the decentralisation is a neat idea.
@martijn_grooten @fj backgrounds from users you follow should be slightly different colors. backgrounds of users with the same name as a follow but are not that account should have a different different color too. The 'web of trust' is already handled by DNS, HTTPS, and the ability of Mastodon instance owners to unfederate with specific servers. It may come where the biggest servers are whitelist-only with an application process. or maybe 'local/trusted/federated'
@fj @martijn_grooten a plug-in for 'verified' could be made that individual mastodon servers could opt-in and add support for on their pages. a problem persists in mastodon servers that would give them out to everyone. but it would still be a baseline. 'that accounts not even verified, and practically everyone is verified on ___________'
@martijn_grooten Sure but it will still appear as "fj@mastodon.cloud" on people's clients. Domains just don't show up when you're on the same server as the other person, then they are implicitly assumed.