ID Management is no small thing. Are there discussions somewhere in the larger Mastodon (or GNU Social) project on how to evolve this?

@ennenine A few of us infosec peeps have been chatting about it. Nothing earth-shattering has come up yet.

Do consider that the social guards we have against this sort of thing still work, so we aren't completely unprotected. I still want to make it better, though.

@HedgeMage how can I participate and help? My vantage point was on usability. I hadn't thought of safeguards yet, but that is important too!

@ennenine If there's enough interest, I may put together a mailing list, BUT it should be clear I'm not looking at this from a Mastodon-only perspective...a generalized solution that is useful across myriad services and software would be more desirable.

@ennenine Quick addendum:

There ARE existing Identity Management solutions out there, and I'd rather leverage existing things as much as possible than re-invent the wheel. The hard thing right now is that there's nothing obvious and together enough to promote to users and newbie devs that isn't some kind of walled garden.

@HedgeMage @ennenine Finding users is also still a bit tricky. In principle, search engines could handle this, e.g. via embedded microdata.

@ennenine @rauschma That can help, as well as allowing tie in with things people have already invested in.

@HedgeMage absolutely, that's a great way to do it! Sometimes just docs or videos can help establish patterns, and the ability to help even broader? I love it!

@ennenine I wish that I just had one account for the whole internet and I could login with that one account everywhere and would never have to manage separate accounts again. There are many people who would tremble in fear at the privacy and security implications of that, but I think they are largely being paranoid. There are risks, of course, but think about how glorious it would be to have a central identity that you could easily manage.

@ennenine From an authentication point of view, it could actually be a lot more secure than your typical user account. Since you only have one ID to worry about, you could focus on "Fort Knoxing" it with whatever you like, certificates or biometrics or multi-factor authentication.... It would be a lot easier than needing a password manager to organize a million different accounts.

@cc @ennenine Biometrics for authentication are a security nightmare. Try getting a new retina installed, or your fingerprints re-issued, after a data compromise. This is a HUGE and stupid failure mode.

@HedgeMage @ennenine Well, I didn't say it had to be biometrics, I was just rhyming off all of the options that exist besides passwords. I was trying to make the argument that having 1000 accounts with weak passwords is not safer than 1 central account that is more fortified.

@cc Yes, but over-centralization can lead to tracking issues.

There are middle grounds, however.

@HedgeMage It is definitely easier to theorize than it is to implement, but I was just expressing "my dream". It does exist to a certain extent, in the sense that some websites support logging in with your Google or Facebook credentials, but that is not a perfect solution and does include all the security features I mentioned.

@HedgeMage @cc probably all about choice, there are needs for both (central and distributed). I'm hoping to play with some ideas later today.

@HedgeMage @ennenine Biometrics: userids, not passwords.

I'm increasingly inclined toward some sort of worn, replaceable, identifier. A signet ring with a very-near-field chip which could be held to an ID sensor on devices and specifically triggered. Or something operating similarly. "Something you have", replaceable, a specific interaction. Not generally readable from a distance.

@ennenine @HedgeMage Also, critically: something /discardable/, preferably capable of being destroyed to the point it cannot be associated.

Replaceability means that you can /either/ choose not to use a specific ID, or have another one issued should the old one be lost / destroyed / compromised.

This means that any remote authenticators must recognise repudiation of devices.

If there's encryption involved, likely some form of escrow. Quora for various operations as well.

@HedgeMage There are circumstances in which I'm a fan of insertable devices. This isn't one of them. Yubikey works fairly well for the case of "authenticate to devices I control directly", but they're too fussy for instances of, say, building or transit entry, even ignoring other issues. Public USB port mortality rates alone would kill it. Even there the signet is fussy.

I also don't like One True ID concepts -- a universal card / phone / device. #1984

@ennenine "Who are you?" is the most expensive question in information technology. No matter how you get it wrong, you're screwed.

@ennenine There are also a few confounded questions:

* Who are you?
* Are you authorised to do this? Where? When? To what extent?
* Did you create this?
* Do you own this (and do I have to request your permission to do something with it)?
* Are you responsible for this?
* What is your reputation? According to whom? Why? When?

Not all of these revolve /strictly/ around /identity/, though most are closely related.
