So an earlier post got me musing idly on the topic of integration between multiple federated services. Wouldn’t it be nice to be able to integrate video hosting, discussions, microblogs, image sharing, and so on in beautiful seamless glory! Post a pic in Lemmy, it’s automatically added to your Pixelfed album; upload a song to your Nextcloud and people can see it in your Funkwhale profile. That kind of thing.
One of the things that I figure will be useful to reach that goal is a form of federated identity management. Linking accounts can be done, but there would be a lot of advantages to having one account that knows where the different services you subscribe to are located, allowing the integration to happen seamlessly in the background.
And looking around, I see that it already exists as a concept, but I can’t seem to find anyone discussing or implementing it in the Fediverse. For something that would solve a lot of problems, including decentralized (and self-controlled) identification, SSO, and account migration, it seems like something that everyone would be jumping on.
Am I missing something?
It can be done with cryptographic signatures, like MetaMask login. But currently only the crypto universe is doing that.
That way you wouldn’t store login details on any server and the posts could be signed with your key, so editing them by instance admin would be practically impossible.
I think there already is such a social media website, but it’s probably less popular than Mastodon/Lemmy.
I guess it is probably hard to expect users to be able to maintain their own keys. Idk, maybe there can be external identity services that help users store their keys, but mature users can just maintain their keys on their own? To avoid a single point of failure, the key can be split into multiple parts so a single compromised authority will not lead to account compromise… idk, just daydreaming.
Data signing is something I hadn’t thought of. I was envisioning something simpler, like individual authentication servers. It would then be up to each content server to appropriately tag each entry. Each organization (or individual if they want) would have an authentication server that verifies identity. Throw in some OAuth so each organization can control how the user is identified, and I think it could work.
I can see the advantages of signing, though. Instance admins could pull a Spez, nor create posts in your name, and you can verify content ownership. There’s nothing that says a public key can’t be part of the authentication package. Drop in a LetsEncrypt integration and we have a solution.
That just seems like another reason to adopt it, to me.
MetaMask crypto signatures are actually easier to implement than federated OAuth. The only downside I see is the necessity of installing a crypto wallet.
I think OpenID is what you want. But at the moment it’s yet more difficult than the previous solution.
deleted by creator
That’s true. If you have one identity for everything, then it’s trivial to collate your data. Maybe we can have a Do Not Track flag! That always works!
But seriously, that does open up an interesting topic on privacy in the fediverse in general. As it stands, it wouldn’t be hard for an advertiser to open up a federated Lemmy instance and gather all kinds of data on every Lemmy instance, which could then be used for advertising on… what, Lemmy servers? I did read about some server reputation services people are working on to ban bot farms, so that might help there, but it’s not a whole solution. Could something like that be extended to the ecosystem as a whole? But then how much responsibility for a person’s privacy falls on the server operators versus themselves? Or in the end, would the benefits simply outweigh the risks, and we’d have to take the good with the bad, and people would just have to follow the usual rule of not putting anything on the Internet that you don’t want the world to know? A lot of gray area there.
(Sorry for the train-of-thought posting style. I’m kinda imagining things as I go.)
Not very feasible, I think. Our messages are basically broadcasts, so unless every server respects the privacy of its users and implements some kind of rate limiting, the data will still be public. I think the privacy issue will require regulation instead of a technical solution.
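The signed-post idea raised earlier in the thread, as an added example that is not from any participant or from any Fediverse project: the author signs each post on their own device with an Ed25519 key, and any reader holding the author's public key can detect an edit made on the hosting instance. The field names, the account `alice@example.social` and the sample posts are constructed, and the sketch assumes the public key is obtained from somewhere the hosting instance does not control.

```javascript
const crypto = require("node:crypto");

// Fixed field order so signer and verifier process exactly the same bytes.
// The field names (author, published, content) are hypothetical.
function canonicalize(post) {
  return Buffer.from(
    JSON.stringify([post.author, post.published, post.content]), "utf8");
}

// Runs on the author's device; the private key never reaches the instance.
function signPost(post, privateKey) {
  const signature = crypto.sign(null, canonicalize(post), privateKey);
  return { ...post, signature: signature.toString("base64") };
}

// Runs on any reader or remote instance that holds the author's public key.
function verifyPost(signedPost, publicKey) {
  const { signature, ...post } = signedPost;
  if (typeof signature !== "string") return false; // unsigned posts fail closed
  return crypto.verify(null, canonicalize(post), publicKey,
    Buffer.from(signature, "base64"));
}

// Constructed scenario: one genuine post, one edited in storage, one signed
// with a different key under the author's name, one with no signature.
function demo() {
  const author = crypto.generateKeyPairSync("ed25519");
  const someoneElse = crypto.generateKeyPairSync("ed25519");
  const base = { author: "alice@example.social",
                 published: "2023-07-01T12:00:00Z",
                 content: "Original text." };
  const genuine = signPost(base, author.privateKey);
  const edited = { ...genuine, content: "Text rewritten on the server." };
  const forged = signPost({ ...base, content: "Never said this." },
    someoneElse.privateKey);
  return {
    genuine: verifyPost(genuine, author.publicKey),
    edited: verifyPost(edited, author.publicKey),
    forged: verifyPost(forged, author.publicKey),
    unsigned: verifyPost(base, author.publicKey),
  };
}

console.log(demo());
```

A signature makes edits and forged posts detectable, but it does not stop an instance from deleting or withholding a post, and it is only as trustworthy as the channel that delivered the public key.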