Just a random thought experiment. Let’s say I have my account on a lemmy instance: userA@mylemmy.com. One day I decide to stop paying for the domain and move to userA@mynewlemmy.com, and someone else gains it and also starts up a lemmy instance.

If they make their own userA@mylemmy.com, how do federated instances distinguish who’s who?

Have I misunderstood the role of domain names in this?

  • 𝘋𝘪𝘳𝘬@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    You can have lemmy.ml@publickey1 and then lemmy.ml@publickey2 and then lemmy.ml@publickey3 and so on.

    The key should OF COURSE not be a part of the URL. It should also not be instance specific or specific to a certain federated server. It should be in the protocol itself. A field in the Actor object where a public key can be placed and then whenever an action is done, it gets signed. The private key stays with the user.

    All of your other considerations would automatically become non-issues, since the key pair stays with the user and not on the instance. As long as the public key field is intact it can be verified that the action was performed by a specific actor. And if not, it can be seen as unverified.

    You could also bind administrative activities to key-based authentication.

    • Vlyn@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      This was an example, not an identifier.

      lemmy.ml is the domain. And the instance on that domain has a private and a public key.

      If you nuke your first instance and recreate it the keys will be different, which means you suddenly have two different instances for lemmy.ml when the new instance starts to federate. Which basically is lemmy.ml-1, lemmy.ml-2, …

      So what should other servers do? Only accept the first public key they ever saw for a domain as an instance? Then block new instances from the same domain? Or is there a way to differentiate the instances? Or do you nuke all content of an old instance when a new one pops up with a different public key?

      If someone creates a second instance for the same domain all hell breaks loose either way. Because the new instance can have myuser@lemmy.ml that already existed with the old public key. Should federation just crash at that point? Throw an error? Block this user because it existed in the past? Treat it as a new user, but with the same name (which would be horrible UI wise)?

      • 𝘋𝘪𝘳𝘬@lemmy.ml
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        I still don’t get what you complain about.

        In an alternative timeline the keys are in no way related to any instance or domain or whatever. Not even to identically named Person objects on a recreated instance. All Activity objects are signed with a specific key. The Actor is also signed with the specific key. The private key is not stored anywhere except on the machine the user using the actor from.

        All activities performed by an actor and the actor are signed. If you copy over the activities to another instance the sign is still valid. If you rename the instance it is still valid. If you modify the action or the actor it becomes invalid. (Somewhat similar to how mail signing works.)

        If you reuse a hacked/stolen/whatever actor, all actions you perform with this actor are unverified because the person misusing the actor cannot sign the actions. If you change the public key stored in the Actor object all previous actions cannot be verified to be done by the actor. This could be solved to make the public key store in the Actor a list. So you can add multiple keys with validity start and end date (all signed with the next key).

        • Vlyn@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          You still don’t seem to grasp the issue I’m pointing to.

          You have instance 1, lemmy.whatever, this instance federated content to lemmy.ml. So now lemmy.ml holds content from lemmy.whatever.

          Instance 1 gets nuked. Either because someone stole the domain, or the admin simply lost the private keys and had no backup. Or they had a backup but it’s old and half their users got lost. A new Lemmy instance gets set up on lemmy.whatever (with a new key obviously). This is Instance 2.

          Now lemmy.whatever starts federating content to lemmy.ml, but from instance 2.

          How do you differentiate content and users from instance 1 and instance 2? It’s the same domain, but different instances as the keys don’t match. Do you block instance 2? Do you delete everything from instance 1 and now instance 2 is the “true” instance for the domain lemmy.whatever? Do you mark all new content from instance 2 as “unverified”?

          Sure, with private keys in place a user test@lemmy.whatever from instance 2 can’t modify content from the instance 1 user test@lemmy.whatever. But the instance 2 user could create new content under the name of the old user. How is this federated? Do other instances show the guy as test(2)@lemmy.whatever because the keys don’t match?

          • 𝘋𝘪𝘳𝘬@lemmy.ml
            link
            fedilink
            English
            arrow-up
            0
            ·
            1 year ago

            You have instance

            Let’s stop it here. Instances are completely irrelevant in my idea.

            but different instances as the keys don’t match

            *sigh* The keys are in the Actor objects and in the Action objects and not in the instance. You cannot validate any instance, you cannot validate if an action was performed on a specific instance. You cannot prevent actors of the same name after the previous instance was wiped.

            All you can do is validating if an action was performed by an actor existing at the time the action was perfoed and that both were signed with a specific key.

            • Vlyn@lemmy.ml
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              So the only things you secure are access to existing posts, comments and roles, but without any further checks if this is still the same user, correct?

              So if user@lemmy.whatever creates 10 posts, 100 comments and is the moderator of 5 communities (on other instances) then the public key would secure that only that user can interact with that data. Makes sense.

              But now the domain gets stolen, a new Lemmy instance is set up, a new user@lemmy.whatever is set up. This user is named user@lemmy.whatever, exactly the same as the original one. They just don’t have the right key to interact with their old content.

              Now that user wants to moderate one of those communities again, are they treated like a different user (because keys don’t match)? Or just locked out (because you can’t have two users with the same name as moderator for the community)? Your whole idea makes sense, but when it comes to enforcing those ideas you run into a dozen issues both for federation and when it comes to present the data in the UI.

              And you get phishing issues on top. If they are treated as separate users by other instances, they could just write another legitimate moderator “Hey, it’s me, user@lemmy.whatever. I got accidentally kicked out of the community, can you re-invite me as moderator please?” so all the work you put in for security is for naught.

              • 𝘋𝘪𝘳𝘬@lemmy.ml
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                So the only things you secure are access to existing posts,

                The only thing I secure is that for a given Action by a given Actor it can be validated that those were signed with a given key.

                So if user@lemmy.whatever creates 10 posts, 100 comments and is the moderator of 5 communities (on other instances) then the public key would secure that only that user can interact with that data.

                Everyone can interact with that data, but since those are signed with a specific key the sign would become invalidated.

                Now that user wants to moderate one of those communities again, are they treated like a different user (because keys don’t match)?

                Since the key and signature are just additional attributes of the Actor object they’ll be the same user federation-wise. An instance admin needs to manually validate why the Actor uses a different key now. If the Actor is used to perform malicious things it can be verified that those things are done with a different key. What’s done with this information is up to the instance admins.

                If they are treated as separate users by other instances, they could just write another legitimate moderator

                Exactly. Key signing does not prevent social engineering.