You know instance admins can read your direct messages in the fediverse? Twitter and Facebook also can - and sometimes do - read your private messages, and they have infrastructure to comply with law enforcement requests. I'd love to see some end-to-end encryption built into Mastodon clients.
@micahflee Is it anything you could help with on github?
#MastoDev
@Falkreon the hard problems would be key management, key verification, and multi-device support I think
@Falkreon it's not an easy problem to solve -- no one has solved it really well yet anywhere else either.
If it's addressed through OAuth, then do you trust your OAuth service to act as a CA and to not facilitate MITM attacks? Do you try to build in a web of trust like with PGP? Or do you do TOFU with fingerprint verification like Signal (I think this is the best option)?
@micahflee I guess. I feel like associating pubkeys with accounts really needs to be addressed in the scope of OAuth though. Sort of tangential to mastodon.
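The TOFU-with-fingerprint-verification option raised above, worked through as an added example (this is not code from the thread, from Mastodon, or from Signal). It assumes a per-account key store on the client, stand-in 32-byte public keys (constructed, not real X25519/Ed25519 keys) and a hypothetical fingerprint format of decimal digit groups; the account names and keys are made up. It also shows the gap TOFU leaves on its own: if the key directory (the OAuth-style service acting as a CA) substitutes a key at first contact, pinning accepts it, and only the out-of-band fingerprint comparison exposes the swap.

```python
"""TOFU key pinning with out-of-band fingerprint verification.

Added example; not code from this thread, Mastodon, or Signal. Public keys are
stand-in 32-byte values (constructed), not real X25519/Ed25519 keys; the
pinning and verification logic does not depend on the key type.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict


def fingerprint(pubkey: bytes, groups: int = 6) -> str:
    """Render SHA-256(pubkey) as groups of 5 decimal digits.

    Hypothetical format, chosen because digit groups are easy to read
    aloud or compare on a second device. Both sides must render the
    same way for the comparison to mean anything.
    """
    n = int.from_bytes(hashlib.sha256(pubkey).digest(), "big")
    chunks = []
    for _ in range(groups):
        chunks.append(f"{n % 100000:05d}")
        n //= 100000
    return " ".join(chunks)


class KeyChanged(Exception):
    """A peer presented a key that differs from the pinned one."""

    def __init__(self, peer: str, was_verified: bool) -> None:
        super().__init__(f"key for {peer} changed (verified={was_verified})")
        self.peer = peer
        self.was_verified = was_verified


@dataclass
class PinnedKey:
    pubkey: bytes
    verified: bool = False  # set once the user compared fingerprints out of band


@dataclass
class TofuStore:
    """Per-peer pins. The first key seen is trusted (TOFU); any later
    change is refused until the user re-verifies."""
    pins: Dict[str, PinnedKey] = field(default_factory=dict)

    def accept(self, peer: str, pubkey: bytes) -> str:
        pin = self.pins.get(peer)
        if pin is None:
            self.pins[peer] = PinnedKey(pubkey)
            return "pinned"          # first contact: trusted, but unverified
        if pin.pubkey == pubkey:
            return "ok"
        raise KeyChanged(peer, pin.verified)

    def mark_verified(self, peer: str, fp_from_peer: str) -> bool:
        """Compare a fingerprint obtained out of band (read over a call,
        scanned from a QR code) against the pinned key. Whitespace is
        ignored so a value typed by hand still matches."""
        pin = self.pins[peer]
        ok = fingerprint(pin.pubkey).replace(" ", "") == fp_from_peer.replace(" ", "")
        pin.verified = pin.verified or ok
        return ok


def demo() -> dict:
    """Two peers; the key directory (the OAuth-style CA from the thread) is
    assumed hostile. All names and keys are constructed."""
    store = TofuStore()
    alice_key = hashlib.sha256(b"alice's real device key (constructed)").digest()
    bob_key = hashlib.sha256(b"bob's real device key (constructed)").digest()
    fake_key = hashlib.sha256(b"key substituted by the directory (constructed)").digest()
    out = {}

    # Alice: honest first contact, later substitution attempt by the directory.
    out["alice_first"] = store.accept("alice@example.social", alice_key)
    out["alice_again"] = store.accept("alice@example.social", alice_key)
    out["alice_verified"] = store.mark_verified("alice@example.social", fingerprint(alice_key))
    try:
        store.accept("alice@example.social", fake_key)
        out["alice_swap"] = "undetected"
    except KeyChanged as e:
        out["alice_swap"] = "refused, was verified" if e.was_verified else "refused"

    # Bob: the directory substituted the key at FIRST contact. TOFU alone
    # pins the attacker's key; only the fingerprint check exposes it.
    out["bob_first"] = store.accept("bob@example.social", fake_key)
    out["bob_verified"] = store.mark_verified("bob@example.social", fingerprint(bob_key))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The split between `accept` and `mark_verified` is the design point: pinning protects against a key being swapped after first contact, while the fingerprint comparison is what protects against a directory that lies from the start. A client that does only the first gets no protection from the server it is trying not to trust.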