💾 Archived View for bbs.geminispace.org › u › skyjake › 1499 captured on 2024-05-10 at 13:30:00.
Managing client certificates is one of the thornier UX challenges in Gemini clients. Perhaps because there is no clear analogy in the mainstream browsers?
I do recommend a long expiration date and using the same certificate on many URLs when it makes sense from a shared/unified identity point of view.
2023-06-03
☕️ Morgan · 2023-06-03 at 19:19:
Certificates seem to work well in the end for account access. It seems like something is missing, though: a user of Bubble (used as an example, other sites seem to work the same) has no way to know that "Morgan" here is the same as "Morgan" anywhere else, because display names don't have any global meaning. I could imagine some site that forces unique display names--again, like Bubble, but only as an example--federating the names so displayable names can connect back across sites to identities. Doesn't seem important yet--it only matters if there are malicious users or enough for natural name clashes--but might be interesting at some point.
🕹️ skyjake [...] · 2023-06-03 at 19:45:
no way to know that "Morgan" here is the same as "Morgan" anywhere else
This is also a positive aspect for privacy. You are not supposed to be able to track who is who across different servers. I suppose if someone wants others to know that their identity is the same in different places, they'll have to provide some independent evidence of this. For example, links to each account/username on their capsule. A service like Bubble could have a Mastodon-style profile verification using such backlinks.
☕️ Morgan · 2023-06-03 at 20:05:
I think privacy is already well served by allowing free creation of identities and managing which sites they are used on; I was thinking more of impersonation and accidental clashes.
It feels like with identity based on certificates there might be some nice way of solving this.
For example if the browser knew the certificate behind the display name, it could notice that the "Morgan" you encounter is usually the same identity--and highlight visually when it's not. Or if I choose to use a different certificate on each site then the browser could let me know there's never a link and I can do with that what I like.
I don't see any way for that to be doable on Gemini, but maybe there's something that could achieve the same goal.
I was pondering whether you could decorate display names with hashes of the identity, like Lagrange does with site icons / colors; but that doesn't work, there's nothing to stop someone generating random certificates until the display happens to match someone else's.
🐐 satch · 2023-06-04 at 01:35:
@morgan what about simple backlink verification? I see the theoretical utility of your idea but wonder if backlinks aren’t already sufficient. If a bubble-like service wanted, it could display check emojis next to profile links with backlinks
🕹️ skyjake [...] · 2023-06-04 at 04:32:
I was pondering whether you could decorate display names with hashes of the identity
Well, technically it is possible to do the equivalent of PGP signatures but using the client certificate key pair. You would have your username followed by a signed hash, and anyone who has your public key could verify that the signature is valid.
However, you'd have to use quite low-level cryptography APIs to do that in practice, and while OpenSSL will let you do it, I'm not sure how many other TLS libraries would. Any client that wouldn't support this would show ugly hashes to the user.
This would be perhaps the only way to prove your identity, but I doubt anyone wants to implement it. Might as well make an actual PGP signed message saying that, "yes, this is my account."
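What the signed-name scheme above looks like in code, together with the reason Morgan's hash-decoration idea from earlier in the thread cannot stand in for it. This is an added example, not code from this thread, from Lagrange or from Bubble. It uses only Go's standard library (crypto/ecdsa and crypto/x509), so on that platform no OpenSSL-level API is needed to sign with the certificate's key; whether a given client's TLS library exposes the key for raw signing is the open question skyjake raises. My assumptions: the signed message layout (a version tag, the service name and the display name, so a signature cannot be replayed on another service or under another name), the service string bbs.geminispace.org, the display name Morgan as sample data, and a 12-bit fingerprint width for the collision demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newClientCert builds a self-signed certificate of the kind a Gemini client presents.
func newClientCert(commonName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(10, 0, 0), // long expiry, as recommended above
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// message is what gets signed. Layout is an assumption: version tag, service and
// display name, so a signature for one site or name cannot be replayed for another.
func message(service, name string) []byte {
	return []byte("gemini-identity-v1\n" + service + "\n" + name)
}

// SignName returns the "signed hash" that would follow the display name.
func SignName(key *ecdsa.PrivateKey, service, name string) (string, error) {
	digest := sha256.Sum256(message(service, name))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyName checks a signed name against a client certificate the verifier already holds.
func VerifyName(cert *x509.Certificate, service, name, sigB64 string) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(message(service, name))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// ShortFingerprint is the decoration idea: the top `bits` (1..32) bits of the cert's SHA-256.
func ShortFingerprint(cert *x509.Certificate, bits uint) uint32 {
	sum := sha256.Sum256(cert.Raw)
	v := uint32(sum[0])<<24 | uint32(sum[1])<<16 | uint32(sum[2])<<8 | uint32(sum[3])
	return v >> (32 - bits)
}

// CollideFingerprint is the attack on that idea: mint throwaway certificates until
// one shows the same decoration. Expected cost is about 2^bits certificates.
func CollideFingerprint(target uint32, bits uint) (*x509.Certificate, int, error) {
	limit := 1 << (bits + 4) // giving up here is astronomically unlikely
	for tries := 1; tries <= limit; tries++ {
		cert, _, err := newClientCert("Morgan")
		if err != nil {
			return nil, tries, err
		}
		if ShortFingerprint(cert, bits) == target {
			return cert, tries, nil
		}
	}
	return nil, limit, fmt.Errorf("no %d-bit collision after %d certificates", bits, limit)
}

func main() {
	cert, key, err := newClientCert("Morgan")
	if err != nil {
		panic(err)
	}
	sig, _ := SignName(key, "bbs.geminispace.org", "Morgan")
	fmt.Println("Morgan:"+sig, VerifyName(cert, "bbs.geminispace.org", "Morgan", sig))
	fp := ShortFingerprint(cert, 12)
	_, tries, err := CollideFingerprint(fp, 12)
	fmt.Printf("12-bit decoration %03x collided after %d certificates (err=%v)\n", fp, tries, err)
}
```

The signature is only meaningful to someone who already trusts a particular certificate for the name, which is why the verifier takes the certificate rather than a key found next to the signature; the collision search shows that a short hash or colour derived from the certificate gives no such trust, since the cost of matching it is a few thousand key generations at the width a UI could display.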
☕️ Morgan · 2023-06-08 at 09:37:
@satch @skyjake
I tried some things, and wrote about them :)