Just a random thought experiment. Let’s say I have my account on a lemmy instance: userA@mylemmy.com. One day I decide to stop paying for the domain and move to userA@mynewlemmy.com, and someone else gains it and also starts up a lemmy instance.

If they make their own userA@mylemmy.com, how do federated instances distinguish who’s who?

Have I misunderstood the role of domain names in this?

  • Vlyn@lemmy.mlEnglish
    1·
    1 year ago

    So the only things you secure are access to existing posts, comments and roles, but without any further checks if this is still the same user, correct?

    So if user@lemmy.whatever creates 10 posts, 100 comments and is the moderator of 5 communities (on other instances) then the public key would secure that only that user can interact with that data. Makes sense.

    But now the domain gets stolen, a new Lemmy instance is set up, a new user@lemmy.whatever is set up. This user is named user@lemmy.whatever, exactly the same as the original one. They just don’t have the right key to interact with their old content.

    Now that user wants to moderate one of those communities again, are they treated like a different user (because keys don’t match)? Or just locked out (because you can’t have two users with the same name as moderator for the community)? Your whole idea makes sense, but when it comes to enforcing those ideas you run into a dozen issues both for federation and when it comes to present the data in the UI.

    And you get phishing issues on top. If they are treated as separate users by other instances, they could just write another legitimate moderator “Hey, it’s me, user@lemmy.whatever. I got accidentally kicked out of the community, can you re-invite me as moderator please?” so all the work you put in for security is for naught.

    • 𝘋𝘪𝘳𝘬@lemmy.mlEnglish
      1·
      1 year ago

      So the only things you secure are access to existing posts,

      The only thing I secure is that for a given Action by a given Actor it can be validated that those were signed with a given key.

      So if user@lemmy.whatever creates 10 posts, 100 comments and is the moderator of 5 communities (on other instances) then the public key would secure that only that user can interact with that data.

      Everyone can interact with that data, but since those are signed with a specific key the sign would become invalidated.

      Now that user wants to moderate one of those communities again, are they treated like a different user (because keys don’t match)?

      Since the key and signature are just additional attributes of the Actor object they’ll be the same user federation-wise. An instance admin needs to manually validate why the Actor uses a different key now. If the Actor is used to perform malicious things it can be verified that those things are done with a different key. What’s done with this information is up to the instance admins.

      If they are treated as separate users by other instances, they could just write another legitimate moderator

      Exactly. Key signing does not prevent social engineering.