Another win for the decentralized Fediverse when a government domain takeback can’t shut it down!

ren 🏳️‍🌈 (a they/them)@mstdn.social · 1 year ago

Another win for the decentralized Fediverse when a government domain takeback can’t shut it down!

nintendiator@feddit.cl · 1 year ago

the URL is the id in the database

Who was the idiot that decided to use for a database ID an identifier that almost entirely depends on external (and, for fediverse purposes, usually antagonistic) entities?

Max-P@lemmy.max-p.me · 1 year ago

The W3C, apparently. It’s both the ID and the URL of the object if you want to refresh it. They seem to suggest doing it that way because the URL of a user profile is going to be guaranteed to be unique, and can only be owned by the owner of the domain.

Lemmy assigns it its own internal ID per instance but it’s only used internally for joins and stuff.

For example, your person ID is https://feddit.cl/u/nintendiator. If you curl it in ActivityPub format you’ll get your user:

~ % curl -H "Accept: application/activity+json" https://feddit.cl/u/nintendiator
{
  "@context": [.....]
  "type": "Person",
  "id": "https://feddit.cl/u/nintendiator",
  "preferredUsername": "nintendiator",
  "inbox": "https://feddit.cl/u/nintendiator/inbox",
  "outbox": "https://feddit.cl/u/nintendiator/outbox",
  ......
}

nintendiator@feddit.cl · 1 year ago

They seem to suggest doing it that way because the URL of a user profile is going to be guaranteed to be unique, and can only be owned by the owner of the domain.

Immediate design issue right there: the URL of a user profile is not guaranteed to be unique, and while it can “”“only”“” be owned by the owner of the domain, 1.- it’s not owned by the user of the profile and 2.- the ownership by the domain owner is revocable by a third party.

Design-wise, it feels to me like they decided that land / house deeds could be certified by municipal traffic signage.

Zetaphor@zemmy.cc · 1 year ago

Who was the idiot

The W3C, also known as the people who develop the web standards. It’s a reasonable expectation as you have to draw a line in the sand somewhere. Distributed identity is not a solved problem, so domains are the best solution we have right now.

What would you suggest they use as the identifier with which allows other entities uniquely identity you? There are no alternatives until you introduce a ton of cryptography, which is what DID hopes to address, but that’s still going to be bad UX.

nintendiator@feddit.cl · 1 year ago

The W3C, also known as the people who develop the web standards

Figures. The same people who added DRM to the web standards.

Now, I don’t know what other alternatives could have been used, but I know that URL was among the obvious ones to not use. Something that uniquely identifies you has to be non-transitive and non-revocable by a third party, of which URLs are neither (domain names are revocable, URLs don’t have addressing persistence let alone when you add query strings into the mix, etc). Among the few things that I can think are non-transitive and non-thirdparty-revocable are the good ol’ ssh-keygen keys, easy to generate and all that but I’ve never found a good mechanism or design to query about them.