💾 Archived View for bbs.geminispace.org › u › decant › 16342 captured on 2024-06-16 at 18:02:15. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2024-05-26)

➡️ Next capture (2024-07-09)

🚧 View Differences

-=-=-=-=-=-=-

Comment by 😎 decant

Re: "openid for gemini"

In: u/norayr

OpenID as in a centralized authority? Then No.

😎 decant

Apr 25 · 8 weeks ago

19 Later Comments ↓

🕹️ skyjake [...] · Apr 25 at 04:17:

— We've discussed identities before.

To rephrase what you seem to be saying: we could have a technical solution to attribute content to a certain provable identity, making it possible for involved parties to "know" who they are interacting with. Note that these identities could still be anonymous pseudonyms. What you're essentially adding is the ability to track the identity's content across multiple sites in a verifiable way.

Assuming this was the intention of the person who owns the identity, that's great. This would enable identities to be more nomadic, so for example if you change your capsule domain, you could prove that the new capsule is owned by the same person (identity).

However, as far the tech is concerned, I think we don't need to build something new for this. Existing solutions like PGP should get most of the way there.

☕️ Morgan · Apr 25 at 06:07:

Thanks Jake, that was a fun discussion.

Indeed there are ways to do it ... but not enough interest in doing it. Which is fine. A set of solutions without a problem, today at least, it seems :)

🐙 norayr [OP] · Apr 25 at 10:32:

Jake thank you, yes that's exactly what i had in mind. By saying 'openid' I didn't mean exactly that technology, and I also imagined that gemini way could involve private/public keys and/or certificates. It is a solvable problem to sign the git commit or gemini post, or reply.

But we need a standard way to sign and verify. As a Lagrange dev you can introduce yours, and maybe others will follow.

I think verifying should work by just opening a .gmi document. But .gmi document may contain different comments left by different people, so parts of gemtext can be signed too.

🐙 norayr [OP] · Apr 25 at 17:25:

A set of solutions without a problem

Morgan, the problem is the lack of decentralization. What if we have 2 BBSes, and those are different software. Why not to comment on one by having the account on the other. Or why do you even need an account on the other if you have your capsule. Why cannot you to present yoursef as the host of that capsule?

We have no gemini alternative to diaspora, activity pub. and they exist for a reason.

🚀 stack · Apr 25 at 21:41:

But then again, is it _really_ that important?

🐙 norayr [OP] · Apr 26 at 00:21:

isn't decentralization important? why do you have to have an account on bbs at all? or the opposite: why do you subscribe to atom feeds?

but then why do you have to be "registered" here and there, in all places, like the companies usually want. they want you to be on skype and on whatsupp and on viber and on al, and on yahoo messenger, and on icq. because of no interoperability.

in activity pub world you can just have one identity and use it to communicate with all other creatures on other servers.

so i think yes it is that important. i think it is the weakest point of gemini today, not fully supported decentralization. supported for feeds, not for feedbacks.

🚀 stack · Apr 26 at 01:07:

Given what Gemini is, if someone were to jack my identity and post as Stack, it would be mildly annoying. I don't see or want Gemini to be a major banking or crypto platform, and can't imagine why I would want guarantees of identity from anyone here.

Leaving a client certificate with forums I wish to be a part of is not a problem either.

As a minimalist I still fail to understand the reason to chase complexity for the sake of the fediverse way of decentralization (which also fails to excite me).

No disrespect intended.

💎 istvan · Apr 26 at 03:03:

If you make your real identity known and someone poses as you, oh well, this is the Internet. People pose as anyone they want here and always have. Don’t give out your personal info.

If you are anonymous and someone poses as you, what’s the problem? It’s not really defamation since it isn’t your real identity.

This all feels like trying to shoehorn solutions for Web 2.0 problems into a deliberately Old Internet space…

💀 requiem · Apr 26 at 09:23:

You can use "old internet" ways to get around impersonation, to some extent — e.g. use the same certificate on geminispace and publish your cert on your gem capsule / BBS profile / wherever; so that you are more verifiable, at least for server admins, so you can contact them and ask them to moderate impersonating posts, etc. "The Fediverse Way."

Ed: we could even introduce some "custom" of putting a /me.txt on your gemini pod, like how you have /robots.txt or increasingly /favicon.txt or /.wellknown/security.txt.

🕹️ skyjake [...] · Apr 26 at 16:46:

@norayr:

But we need a standard way to sign and verify. As a Lagrange dev you can introduce yours, and maybe others will follow.

I see it as antithetical to Gemini's principles to have a client impose de facto standard technical solutions for something like this. Instead, put forward your own companion spec akin to the feed subscriptions one, and if people find it useful and necessary, it will be taken into use.

IMO, one key aspect of such a proposal would be that it is accessible to both humans and machines, much like the very simple Gemini feed syntax. That way it does not depend on software support.

However, if we look at email and PGP, only a small fraction of people actually take advantage of this kind of technology voluntarily. And this is with s[cp]ammers routinely abusing email identities! Of course, this argues for keeping the solution purely technical to improve uptake, but when it comes to Gemini, I think there is an incredibly high barrier to adding any additional complexity, even if it were just a community convention that is optional for clients to support.

i think it is the weakest point of gemini today, not fully supported decentralization.

Be that as it may, it's okay for protocols to have weak points. Nothing is perfect for every purpose. Gemini intentionally rules many things as out-of-scope, but this gives it significant advantages, too, not just limitations.

When it comes to decentralization, the gemlogs & aggregators system is perfectly adequate for both feeds and feedback, as evidenced by gemlog activity over the past couple of years.

🐙 norayr [OP] · Apr 26 at 21:37:

i am sorry, i understand i need to wrap up this. i wouldn't even write this, just i noticed there was a draft, and i thought it is already posted, and i deleted it.

so in it i was basically saying that to me the old internet way is when the university had a server, and the user was represented by that server.

to me the old internet way is how the email or xmpp designed.

and then the evil greedy corps came to the internet, and they used xmpp but broke the federation. you want to talk to whatsapp user? you cannot from your server, bring them to whatsapp. whatsapp was, and maybe still is based on xmpp. same with many others.

aol tried to only allow emailing those who uses aol.

🐙 norayr [OP] · Apr 26 at 21:41:

so activity pub for me is nothing about 2.0, it's about old good internet, just implemented for some reason with http.

it had not be http, but well, that's their decision. the decentralized social media in our days was created by webdevs, and web is about http. so obviously they would use http.

there is an alternative, that's xmpp blogging. i am attracted to it, i'll try it.

well, even xmpp has problems. let's say http_upload widely used today for some reason exposes ip of the person who downloads the file to the server of the uploader.

if you hide behind vpn, then the server knows about your activity.

that problem was solved by mastodon to some extent, they cache images.

🐙 norayr [OP] · Apr 26 at 21:46:

what i am saying is that decentralization as i understand it makes it less possible/convenient to track user's behaviour and activity.

that's why we need it.

now i'll say 'bbs', but that's just an example. i have only warm feelings for bbs and its developer. what i am saying are theoretical speculations.

bbs knows lots of things about me. bbs would have known less if i was using it via my server. if my server would fetch the feeds i am subscribed to, if my server wouldn't let the bbs know when i am reading, and which posts interest me.

it is still possible to do, because bbs offers feeds - one way of decentralization.

it would be consistent if i was able to comment as my server's user

💎 istvan · Apr 26 at 22:56:

@norayr Can’t respond to that whole chain atm, but I can’t think of a time in the old internet that there wasn’t masquerading. Literally as soon as it left the universities you had servers making accounts for unverified users. Who the heck was verified on Geocities or Angelfire? And once anyone could get an email address you had random people on Usenet. IRC was always the Wild West. That was the culture at the time for everyone who wasn’t an academic.

☕️ Morgan · Apr 27 at 04:33:

I still quite like my suggestion of a convention for a per-user opt-in way for servers to show client certificate fingerprint <hashes> as identity verification--check my capsule and Skyjake's reply linked above--as an <idea>.

But it's not a fit for Gemini, there isn't a strong need and people simply don't want it. That's pretty conclusive ;)

🚀 blah_blah_blah · Apr 27 at 15:33:

A gemini-friendly solution to ID masquarading:

It's opt-in, doesn't follow you around, isn't a login-scheme, but addresses some of the security concerns we might have about verifying identities, and also serves, like linktree or finger, as a convenient place to present one's public-facing identity. Some care would be required by the owner so that skyjake@randopage.com didn't takeover the real @skyjake.

☕️ Morgan · Apr 27 at 20:00:

I experimented with something like that, id.gemlog.org, but people didn't want a service that stores data. Which is perfectly reasonable.

So now it doesn't store any data, but it does show a text representation of your client certificate hash.

Which is good for nothing as nobody else uses the same hash+rendering :)

🚀 stack · Apr 30 at 02:09:

@Morgan, am I missing something, or does your idea require that I must trust servers to create and not fake hashes?

☕️ Morgan · Apr 30 at 05:41:

@stack that's right, with that idea every "social" or "id" server owner would run the same algorithm to display the same hash, (opt in per user), so as to not leak the underlying certificate fingerprint.

A malicious or hacked server could lie, so it's not e2e identification proof, but "if you trust the server". I think a malicious or hacked server gets you enough other problems that them forging ids is not super important by itself.

Original Post

🐙 norayr

openid for gemini — i believe that activity pub is an overkill for the problem it is trying to solve. we have rss/atom/yyyy-mm-dd for fetching news. rss solves the problem of fetching new content, following someone. openid solves the problem of replying/commenting/reacting as someoe. in a sense, we don't need a social network because internet is already one. internet with rss and openid covers essential features of what we call a social network. so let's adapt or design something like...

💬 22 comments · Apr 25 · 8 weeks ago