Very happy to announce that @tomcoates and I have been given a #SummerOfProtocols grant to develop an end-to-end encryption (E2EE) protocol for #ActivityPub DMs, including a reference implementation and a report to submit to the W3C SocialCG.
https://forum.summerofprotocols.com/t/sop-2024-pig-and-pog-grantees/1270
@evan @tomcoates wow! This is amazing news. I hope you are successful, and it is adopted quickly.
Congratulations!
If you can fit it into your protocol, I'm hoping for an anonymous communication platform that doesn't require phone numbers, like Signal and Telegram.
@neptune22222 @tomcoates the idea is that you'd be communicating over the fediverse. Your fediverse handle would be how people message you.
@evan @neptune22222 @tomcoates But that identity is controlled by a third party (the instance). How do you intend to be able to use it in e2ee?
@dalias @evan @neptune22222 @tomcoates
Are we going to be able to register an additional public key to use for encrypted messages?
This way you can encrypt and send messages but we can decrypt on device?
Right now only the #activitypub server implementation holds your private key. So not really end to end.
@JsonCulverhouse @dalias @evan @neptune22222 we’re very conscious about the risks of instances holding keys rather than clients. But part of this project is checking into options and potential solutions, so I wouldn’t want to commit to a particular solution right now.
@tomcoates @dalias @evan @neptune22222
When you do your survey it would be good to see if there is some intersection between the identity proofs and keys and other forms of distributed identity. There is a lot of overlap in the underlying tech.
@tomcoates @JsonCulverhouse @dalias @neptune22222 I think E2EE by definition means keys in the client only.
Keys on the server are for HTTP Signature only.
@evan @tomcoates @dalias @neptune22222 good to hear. I think there is a lot in common with distributed identity.
@evan @tomcoates @JsonCulverhouse @neptune22222 Not just where they are, but whose custody. "In the client only" is meaningless if client executes code provided by the server in a context that has access to keys.
@evan @tomcoates oh wow, that’s incredible news! What a cool project to work on.
@evan @tomcoates Congratulations!
@evan @tomcoates hot damn! Congrats you two! I would LOVE to see real DMs in Mastodon, E2EE is like icing on the cake.
@evan @tomcoates OooooOoooOoo. Sing out if you need testers!
@evan @tomcoates amazing! Can’t wait for that. E2EE for DMs is something I was missing here a lot.
@evan @tomcoates This is incredible news! Congratulations
@evan @tomcoates great news! Best of luck!
@evan @tomcoates good luck, have fun!
@evan @tomcoates good luck! Hope it goes well..
@cwtch
@briar
@evan @tomcoates
Good news. We won't have to read messages like "Be careful, the admin of your instance can read your DMs"...
@evan@cosocial.ca how would this work alongside posts that are addressed to specific people, would this be an opt-in replacement?
@julian yes, an opt-in in-stream upgrade for the current in-the-clear DM system.
@evan @tomcoates I can share some of our ideas with you!
@evan @tomcoates Will this be based on your proposal here?
https://evanp.me/2023/05/19/end-to-end-encrypted-messages-over-activitypub/
@FenTiger @tomcoates not sure yet. We're going to look over the landscape. I really like MLS, which provides encrypted messaging over an abstract transport layer (AP, in this case).
@evan no words except… this I like.
@evan @tomcoates Super cool! congrats!
@evan @tomcoates oh neat. Maybe looking at #MLS is relevant? https://en.wikipedia.org/wiki/Messaging_Layer_Security
@quitelost @tomcoates thanks! It's at the top of the list.
Have you decided yet if it'll be MLS-on-AP, AP-on-MLS, the mixed approach, or something else entirely?
@cdevroe @tomcoates don't clap until we're done!
@tomcoates @evan I was applauding your collective efforts and the grant. :)
@cdevroe @tomcoates oh! Then thank you.
@evan @tomcoates I was thinking about this initiative today and was wondering how it was going. I'm sure it's still early days, but I was wondering if there was a good place to keep checking for updates.