this post was submitted on 19 Jun 2023
24 points (100.0% liked)

Technology

59767 readers
2651 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 2 years ago
MODERATORS
L3s
[email protected]
[email protected]
L4s
enu
24
Would digital signatures be a useful feature in lemmy? (lemm.ee)
submitted 1 year ago by [email protected] to c/technology
13 comments fedilink hide all child comments
 

One of the things I'm cautious about when it comes to lemmy (and mastodon) is how easy it can be to lose control of your account.

For example, a server could shut down unexpectedly making hundreds of people lose their accounts. Or, a malicious administrator could take over a popular account to post scams or propaganda. I am not aware of these things having happened, but I don't think they're too far fetched.

Self-hosting a lemmy server solves some of these problems, but that takes a bit of time, effort and money.

I was thinking about email encryption, specifically the digital signature part. Could something like that be used in lemmy? So that if someone decides to "trust" me, they will be able to trust that it's me no matter which account I post from. They would be able to spot an impostor who had gained access to my account.

What do you think?

you are viewing a single comment's thread
view the rest of the comments
[–] Chobbes 2 points 1 year ago* (last edited 1 year ago)

I think it's technically possible to do it in a sane way. I don't know if it currently exists in any form (I guess it kind of does for U2F keys / client side certificates?) but your browser itself could manage encryption keys, or could interface with hardware keys to sign messages. Then the JavaScript never gets to see the keys and could just request that you sign something (and presumably you need UI to know what you're agreeing to sign in the browser so you don't have to trust the random JS about what it wants to sign). It sounds like a perfectly reasonable browser feature to me, especially in an era of passkeys and stuff.

Of course it wouldn't be worth implementing in the browser just for Lemmy, and there's other problems like syncing keys (maybe you'd just sign your other keys to establish trust)... But such an API would be useful for other situations too (e.g., signing commits on github). Cryptographic signatures seem really niche, but people use them all the time behind the scenes, and I think it's something that would actually be really useful to inform the general public of more... They kind of solve problems that I think most people would think are impossible to solve. I mean, obviously we're not going to throw normal people at GnuPG and call it a day, but with some communication and UI effort I think they could be a valuable asset for society.