Nomadic Identity Is Coming to ActivityPub (wedistribute.org)
132 points by jalict on March 18, 2024 | hide | past | favorite | 14 comments


Relevant Fediverse Enhancement Proposal (FEP) here[0] and discussion here[1].

Auth can be subtle and I'm likely missing some things, but the UX appears to be essentially equivalent to OIDC, especially given the caveat at the bottom which states users might want to consent before exposing their identity to any random server.

So I'm assuming the benefit here is that the logins themselves and any actions you take are tied to your public key and not the domain you use to host your key at any given point in time? Do they talk at all about the typical issues with PKI identity, ie lost/compromised private keys?

[0]: https://codeberg.org/fediverse/fep/src/branch/main/fep/61cf/...

[1]: https://socialhub.activitypub.rocks/t/fep-61cf-the-openwebau...


Sounds like I will finally be able to move mastodon servers without losing the last year of interactions I’ve had! I moved once before and while my followers moved, my content did not. The old account stayed there with all my content, with no direct link to my new profile unless I added it as a link in my new profile.

My current server has been very slow and I’ve wanted to move. I’ll wait till this is fully deployed and then give it a shot!


> Within the confines of Mastodon, it’s a relatively unknown concept.

Mastodon is not known for adding support for other ActivityPub implementations' extra features. I doubt they'll look into this any time soon.


Do you happen to know if it's a bandwidth issue, and thus they (would/do) engage in good faith with PRs for such content, or it's a "our toy, our priority" type deal?


I have no idea. They do have multiple developers at the moment as far as I know, but maybe everyone focuses on the user interactivity instead. Regarding third party PRs again I don't know, I think they're open to it, but from previous interactions I had on their tracker, the review process might be quite stringent.


I’m not sure that the implementation is the real issue. Mastodon posts can be exported already. Writing the import code wouldn’t be that hard. But why would a Mastodon server’s admins want to let a brand new login post a big pile of backdated posts all at once? It seems spammy and the moderation workload scales with the number of posts.

Maybe a dedicated archive would be better. It would be a matter of generating a static website from the export. Nobody else would need to moderate it, because it’s not their website.


This is a step in the right direction, but what about a giant leap in the right direction? Imagine using signing key cryptography to authenticate all of your messages on any computer anywhere in the world. Then your identity doesn't need to be nomadic, because it can exist everywhere all at once.


Sounds like you want Nostr, or I'm assuming Bogbook?


And never forget about Secure Scuttlebot!


For better or for worse, UX trumps security every time. We either give the people both, or they'll go with UX.


Why does OWA use per-actor RSA signatures instead of e.g. OIDC client auto-registration to exchange a shared secret between servers? If the user identity is user@example.com and example.com is authoritative on whether that identity is valid, why do you need a proof that it possesses the user's key? And if the server has the private key anyway, why have per-user private keys?

Unless you have key-based naming (userId@keyFingerprint), you have to rely on a server running at the domain to be the ultimate authority on legitimacy of identities anyway, right? Exchanging a single shared secret between servers seems like a much more lightweight way to do that.

For portability, couldn't userId@example.com publish a message saying that it is now (only-or-also) known as userId@othersite.com? If example.com had the private key at some point and you were moving permanently, you'd need to generate a new one anyway and need to publish a similar message, so why have the keys at all vs. the server just saying "yeah that's my user"?
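The trade-off the two comments above are circling (identity bound to a key vs. identity vouched for by whichever server holds a shared secret) is easier to see in code. The following is an added, illustrative Go model and not the FEP-61cf / OpenWebAuth wire format: the key-derived name `KeyID`, the `Activity` struct, the choice of Ed25519 instead of RSA, and the constructed seed, secrets and domain names are all assumptions made for the example. It shows that a key-signed activity verifies identically whether it was delivered from `old.example` or `new.example`, that any third server can check it with nothing but the embedded public key, and that an HMAC over a server-to-server shared secret can only be checked by the two parties holding that secret.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Actor models a nomadic identity whose stable name is derived from its
// signing key rather than from the domain currently hosting it.
// Illustrative model only; not the FEP-61cf / OpenWebAuth format.
type Actor struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewActorFromSeed derives a keypair deterministically from a 32-byte seed so
// the example is reproducible; a real deployment would use crypto/rand.
func NewActorFromSeed(seed []byte) *Actor {
	priv := ed25519.NewKeyFromSeed(seed)
	return &Actor{pub: priv.Public().(ed25519.PublicKey), priv: priv}
}

// KeyID is a hypothetical key-based name (the "userId@keyFingerprint" idea):
// a truncated SHA-256 of the public key. Assumed for this example.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Activity is a message as it might travel between servers. Home records the
// domain that delivered it and is deliberately left OUT of the signed input,
// so moving servers neither invalidates the signature nor changes the identity.
type Activity struct {
	ActorKey ed25519.PublicKey
	Home     string
	Body     string
	Sig      []byte
}

// signingInput binds the body to the key-derived name, not to any domain.
func signingInput(pub ed25519.PublicKey, body string) []byte {
	return []byte(KeyID(pub) + "\n" + body)
}

// Sign produces an activity from whatever server currently hosts the actor.
func (a *Actor) Sign(home, body string) Activity {
	return Activity{ActorKey: a.pub, Home: home, Body: body,
		Sig: ed25519.Sign(a.priv, signingInput(a.pub, body))}
}

// VerifyActivity lets any server check the message using only the public key
// carried in the activity; it returns the key-derived identity on success.
func VerifyActivity(act Activity) (string, bool) {
	if len(act.ActorKey) != ed25519.PublicKeySize {
		return "", false // ed25519.Verify panics on a malformed key, so check first
	}
	if !ed25519.Verify(act.ActorKey, signingInput(act.ActorKey, act.Body), act.Sig) {
		return "", false
	}
	return KeyID(act.ActorKey), true
}

// ServerMAC is the shared-secret alternative: an HMAC that only the two
// servers holding `secret` can produce or check. Identity is then something a
// server asserts, not something a third party can verify on its own.
func ServerMAC(secret []byte, body string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(body))
	return m.Sum(nil)
}

// VerifyServerMAC uses a constant-time comparison, as any MAC check should.
func VerifyServerMAC(secret []byte, body string, mac []byte) bool {
	return hmac.Equal(ServerMAC(secret, body), mac)
}

func main() {
	seed := make([]byte, ed25519.SeedSize) // constructed all-zero seed, demo only
	alice := NewActorFromSeed(seed)
	before := alice.Sign("old.example", "hello from my old server")
	after := alice.Sign("new.example", "hello from my new server")
	idA, okA := VerifyActivity(before)
	idB, okB := VerifyActivity(after)
	fmt.Println(okA, okB, idA == idB) // both verify, same identity, different Home

	secret := []byte("constructed-secret-shared-by-two-servers") // demo only
	mac := ServerMAC(secret, "hello")
	fmt.Println(VerifyServerMAC(secret, "hello", mac))              // the peer can check it
	fmt.Println(VerifyServerMAC([]byte("another-secret"), "hello", mac)) // a third server cannot
}
```

Two caveats a practitioner would want stated. First, the model above proves only "whoever holds this key said this"; the question raised earlier about lost or compromised private keys is exactly what a key-named identity cannot answer by itself: a lost key can sign nothing, so no rotation statement can be issued, and a stolen key can sign a perfectly valid rotation to an attacker's key. Second, the shared-secret design is not weaker at authenticating a delivery between two servers; it is weaker at portability, because the identity it vouches for has no existence outside the server that holds the secret.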


Excited to see the Fediverse's answer to Bluesky's DID.


I'm pretty curious to see more as well, though FYI at first glance this looks like it's using DIDs


Is the site showing as a bunch of JSON for anyone else?



