Follow

PGP-signed toots when?
We can sign our GIT-commits with PGP but not our toot?

Β· Β· Web Β· 2 Β· 7 Β· 7

@selea Who says you can't?

But the question is why would you further sign your Mastodon activity when your activity is already signed by the ActivityPub server?

@emacsen

Does'nt that require that you actually paste the signing in the toot?
I am pretty sure it would just take the already limited character limit.

I mean, it would be great with some native support for PGP-signing, like this picture from gitea for example:

@selea I think it's important go to back to first principles. What is the goal?

ActivityPub already supports validation of an activity through HTTP Signatures and by looking up the activity on the remote system.

That takes care of authenticating that an activity. So what are you authenticating, really?

This isn't a hyperbolic question- this is me asking you what the goal is.

@emacsen

Well, ActivityPub signatures is worthless if someone gets a hold of your account.
I am thinking about verification of the person that is actually writing the toot - not verification of the server.

@selea

What I hear you saying is that you have a different trust relationship with someone else's PGP key than you do with their account. Is that right? You trust someone else to have good key hygene even if their account hygene is bad?

The challenge I see is that PGP as PGP has been largely a failure. If it were going to have worked, it would have worked in the 80s, not 30 years later.

I want to move away from a solutions to the core problem we're looking to solve. What is the core issue?

@selea Just to show you clearly I'm not trolling, let me present you with a few thoughts:

1. Maybe you're using PGP as a way of linking accounts?

2. Maybe you really do think that PGP is better? (even if you don't know how/where someone stores their key?)

3. Maybe you want per activity validation?

I think all three are interesting and I think things that we can talk about. I don't even have an issue with PGP itself, other than I feel it's often the cart before the horse.

@selea @qbi Something like this would have much less overhead.
A PGP signature would be for most toots be larger than the toot itself.

Sign in to participate in the conversation
Linux.Pizza

A instance dedicated - but not limited - to people with an interest in the GNU+Linux ecosystem and/or general tech. Sysadmins to enthusiasts, creators to movielovers - Welcome!