💾 Archived View for bbs.geminispace.org › s › SmallWeb › 21678 captured on 2024-12-17 at 15:10:03. Gemini links have been rewritten to link to archived content


Is there a SmallWeb service for identity? What's the smallest viable protocol? I'm thinking if I use the same cert on two sites, and I voluntarily publish two triples (username/site/cert) to an identity service, then it should be possible. If someone knows me on Site1 and they log in to Site2 they could find out my user name on Site2. I can think of a couple of twists to keep people from just harvesting all the data willy-nilly. Is there someone like that already? Or a decent proposal?

Posted in: s/SmallWeb

🐵 cquenelle

Nov 10 · 5 weeks ago

7 Comments

🍀 gritty · Nov 10 at 03:35:

not to my knowledge

🕹️ skyjake [mod...] · Nov 10 at 04:06:

I am also not aware of such a service.

A core issue is who would you trust to run a service like that? In the context of the small web, it would need to be some sort of a distributed system where no single party is ultimately trusted.

We did discuss Gemini identities last year:

— /s/discuss/1679

🦂 zzo38 · Nov 10 at 04:23:

I think that it should not be centralized. One idea is to publish a URL that links to a file that lists the (username/site/cert) triples, and an identity service could make a copy of that file if desired. This URL can be optionally included in the X.509 certificate, but not required (since it can be specified somewhere else just as well). I also did some other X.509 stuff that may be helpful with it (although they are not strictly required for this purpose).

👻 mediocregopher [...] · Nov 10 at 09:05:

I've been keeping an eye on the DANCE ietf workgroup for this topic. They are working out the basics of using DANE to identify client certs to a domain name in a way which would be agnostic to protocol and server, using only existing infrastructure.

The basic idea is that I have my client cert's SAN set to a domain name. On that domain, which must have DNSSEC enabled, I have a TLSA record which contains a hash of the cert. The server I connect to can then verify that the cert and the domain name match each other, and my domain name can be effectively used as a distributed identity.

I like the system because it uses only existing infrastructure, and doesn't require any changes on a Gemini client to use it. It's very elegant.

— https://datatracker.ietf.org/group/dance/about/

Once DANCE is formalized I think we can expect that other groups outside of the small web will create implementations for their own purposes (IoT, for example). But there's nothing stopping someone from using it with Gemini now, all the pieces are there.
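The check mediocregopher describes, as an added Go example (not code from the thread or from any DANCE implementation): the user publishes a TLSA record holding a hash of their client cert's key under their DNSSEC-signed name, the cert carries that name as a SAN, and the server verifies that the two agree. The DNS lookup and DNSSEC validation are assumed to happen elsewhere, and the exact owner-name layout the DANCE drafts define is not modelled; the cert generator is constructed test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"slices"
)
// TLSA holds the RDATA fields of a DNS TLSA record (RFC 6698).
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}
// NewClientCert makes a self-signed client cert with the user's domain as SAN (constructed test input).
func NewClientCert(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// TLSAForCert is the record the user publishes in their DNSSEC-signed zone:
// DANE-EE (usage 3), SubjectPublicKeyInfo (selector 1), SHA-256 (matching 1).
func TLSAForCert(cert *x509.Certificate) TLSA {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return TLSA{Usage: 3, Selector: 1, MatchingType: 1, Data: sum[:]}
}
// VerifyClientCert is the server-side check: the cert must carry the claimed name as a dNSName
// SAN and its SPKI hash must equal the TLSA data fetched (with DNSSEC validation) for that name.
func VerifyClientCert(cert *x509.Certificate, claimed string, rec TLSA) error {
	if !slices.Contains(cert.DNSNames, claimed) {
		return errors.New("SAN does not contain claimed name " + claimed)
	}
	if rec.Usage != 3 || rec.Selector != 1 || rec.MatchingType != 1 {
		return errors.New("unsupported TLSA parameters, this check expects 3 1 1")
	}
	if sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo); string(sum[:]) != string(rec.Data) {
		return errors.New("certificate key does not match TLSA record for " + claimed)
	}
	return nil
}
```

Because the record hashes the public key rather than the whole certificate, the user can reissue their cert with the same key without touching DNS.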

🦋 CarloMonte · Nov 10 at 17:13:

Nice technical question, but more details about your requirements would help understand what exactly you want to achieve, why, and which risks you are ready to accept.

The one sentence about being followed from site A to site B at the risk of profiling/doxing please needs expansion and discussion.

Gemini is the way it is for good reasons...

🦂 zzo38 · Nov 10 at 21:05:

Of course, it should be optional. That way, you can preserve privacy, as well as avoiding adding complexity to implementations that do not want it. (Furthermore, you can have multiple shared profiles in case you do not want only one.)

Another note is that sometimes a URL can be used to refer to a user ID on some service, but other times (e.g. MUD) a URL cannot be used.

💀 requiem · Nov 18 at 11:59:

finger protocol was basically invented for "identity" and similar things. try:

$ finger rqm@tilde.institue

to see my finger message.

There used to be a page called "about.me" which I liked -- basically a page where you could aggregate stuff about yourself. I'm thinking of launching something similar for Gemini. Just buying domains... :)