To open closed doors, I shall start with keys.
Many users here cram in fingerprints and post external links. Yet if one uses the Fediverse daily, why send me to Keybase, why not encourage me to grab their public key directly from the social profile one uses most often? Uploading it would take a second.
@alex they are. But it is a server-side key, which only provides internal authentication.
What I mean is, 'your', client-side PGP key.
@alex yes, the private key should be stored client-side.
Uh... What exactly makes you think of this network being entertainment-oriented?
@alex that's the thing about options: if you don't want, you don't have to.
One of the most frequent criticisms of the Fediverse is that it lacks a proper identity verification process.
Relying on the established PGP process and infrastructure is THE way to solve it without having to resort to central authority, in my opinion.
My idea was much less ambitious - adding the ability to upload public key(s) and conveniently share them (keeping them up to date would be on the user). That way I could grab your pubkey any time (quickly, easily, no need to go anywhere) and perhaps be encouraged to send you a private direct message.
This looks cool!
One of the reasons people post fingerprints instead of full keys is that for non-trivial setups the key would have to be updated frequently. For example, each change of expiration, adding or revoking subkeys would need to be propagated to the server manually. Unless they implement some kind of sync or have a keyserver endpoint (this is basic HTTP post) to update the key from the command line.
There is also some overlap with the Web Key Directory protocol that is now ubiquitous among OpenPGP software (e.g. GnuPG and ProtonMail support it). It maps e-mail to keys, e.g. gpg --locate-key firstname.lastname@example.org would fetch the key from the following URL: https://kernel.org/.well-known/openpgpkey/hu/pf113mfnx1f3eb1yiwhsipa91xfc7o4x?l=torvalds (WebFinger handles are similar to e-mail addresses).
(More details at https://metacode.biz/openpgp/web-key-directory ).
Oh, btw, I did an alternative to Keybase but decentralized: https://metacode.biz/openpgp/proofs demo: https://metacode.biz/openpgp/key#0x653909A2F0E37C106F5FAF546C8857E0D8E8F074
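An added example, not part of the original posts: how a Web Key Directory client derives the lookup URL mentioned above from an address, so you can check what will be fetched before trusting a key. It assumes the WKD draft's rules (SHA-1 of the ASCII-lowercased local part, z-base-32 encoded, with "advanced" and "direct" URL forms); the function names are made up for this sketch, and the sample address is assembled from the kernel.org URL quoted above.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD (not the RFC 4648 base32 alphabet).
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_sha1(data: bytes) -> str:
    """Encode the 160-bit SHA-1 digest as 32 characters of 5 bits each."""
    n = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return "".join(ZBASE32[(n >> shift) & 31] for shift in range(155, -1, -5))


def split_address(address: str):
    """Split user@domain, rejecting input that cannot form a safe URL."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "/" in domain:
        raise ValueError(f"not a usable address: {address!r}")
    return local, domain.lower()


def wkd_urls(address: str) -> dict:
    """Return both URLs a WKD client may try for this address."""
    local, domain = split_address(address)
    # Only ASCII letters are lowercased before hashing.
    folded = "".join(c.lower() if c.isascii() else c for c in local)
    hashed = zbase32_sha1(folded.encode("utf-8"))
    # The l= parameter carries the local part as typed, percent-encoded.
    query = "?l=" + quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{hashed}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}",
    }


if __name__ == "__main__":
    # Sample address built from the URL quoted in the thread.
    for method, url in wkd_urls("torvalds@kernel.org").items():
        print(method, url)
```

The key is served by whoever controls the domain's web server, so a WKD lookup ties the key to the domain, and the fingerprint should still be compared against one the owner published elsewhere.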
@wiktor What you're saying is true! Perhaps my layman's assumption that for many users frequent updates won't be needed... is wrong. Then again, people don't always update info on keyservers either. But people seem to take more care in updating their social network's profiles, somehow =) In fact, this very issue of a Fedi user linking to a server which did not happen to have their key (was deleted, the user didn't realize it) is the reason why I thought of this interface addition.
@aspie4K Thanks! This idea came before Mastodon's main dev announced future plans to add E2EE to direct messages. If/when this happens, this idea will probably be outdated. Although, since some people continue using PGP, I still think it might be useful to have an input in Mastodon specifically for some public key or similar (long) information that doesn't fit nicely into the profile fields.