Asklemmy

43989 readers

1567 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

Open-ended question
Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
Not ad nauseam inducing: please make sure it is a question that would be new to most members
An actual topic of discussion

Looking for support?

Looking for a community?

Lemmyverse: community search
sub.rehab: maps old subreddits to fediverse options, marks official as such
[email protected]: a community for finding communities

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago

MODERATORS

[email protected]

Can you steal a user's identity if you gain their old domain name? (self.asklemmy)

submitted 1 year ago by maggoats to c/[email protected]

28 comments fedilink hide all child comments

Just a random thought experiment. Let's say I have my account on a lemmy instance: [email protected]. One day I decide to stop paying for the domain and move to [email protected], and someone else gains it and also starts up a lemmy instance.

If they make their own [email protected], how do federated instances distinguish who's who?

Have I misunderstood the role of domain names in this?

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 1 points 1 year ago

So the only things you secure are access to existing posts,

The only thing I secure is that for a given Action by a given Actor it can be validated that those were signed with a given key.

So if [email protected] creates 10 posts, 100 comments and is the moderator of 5 communities (on other instances) then the public key would secure that only that user can interact with that data.

Everyone can interact with that data, but since those are signed with a specific key the sign would become invalidated.

Now that user wants to moderate one of those communities again, are they treated like a different user (because keys don’t match)?

Since the key and signature are just additional attributes of the Actor object they'll be the same user federation-wise. An instance admin needs to manually validate why the Actor uses a different key now. If the Actor is used to perform malicious things it can be verified that those things are done with a different key. What's done with this information is up to the instance admins.

If they are treated as separate users by other instances, they could just write another legitimate moderator

Exactly. Key signing does not prevent social engineering.