@fediforum@mastodon.social

Who is working on / what are options for federated ID verification?

/2023-03/session/3-b/

Convener: David Slifka

Participants (add yourself here if you want to be listed, no obligation): Name and Fediverse handle

  • Jaz King (@jaz@toot.wales)
  • Jon Udell (@judell@mastodon.social)
  • @laurenshof@calckey.social
  • Johannes Ernst (@j12t@social.coop)
  • @identitywoman@mas.to
  • @cel@celehner.com

Key points:

Only people who are concerned about being “faked” have this problem. The people who do have this concern - it is solved - Taylor Swift creates social.taylorswift.com Using what you already have is how you solve this problem.

Challenge of disaggregation of people with the same name

Question if people are thinking about legally mandated minimum age for accessing user generated content that some jurisdictions have

Making the distinction between two different problems:

  1. creating, authenticating to, and linking various online identities (eg DNS/SSL, fediverse, DIDs, wallets, etc)
  2. figuring out if the person you’re searching for is the person you meant to find (especially with duplicate names) and the problem if the person you are finding is legit and not being impersonated

What if anything do we need to improve about fediverse identity.

owncast uses a system where identification is a way to confirm that you are connected to another fediverse account. Lots of feedback that this system was good, but that people actually wanted to surface even more personal information to others. The current system only shows that you are connected, but does not say who you are. Overwhelming feedback of users that they also wanted to show what their connected account is.

Quite similar in concept to Keybase. https://book.keybase.io/account#proofs

Taylor Swift’s official Mastodon account is https://infosec.exchange/@SwiftOnSecurity . Or is it?

Some of the Taylor Swifts on Mastodon: https://cloud.steampipe.io/user/judell/workspace/mastodon/snapshot/snap_cgi92u2pqmu093gc55h0_00fch6wayoiuq27ptvm5eb31pp

CHAT

Sorry.. I am having some issues with Xfinity.
Fellow Jitster says:Sorry.. having connection issue.
10:47
Fellow Jitster says:Could use SteamPipe to create 'boost networks' of who is boosting whom
10:48
Fellow Jitster says:verified.coop
10:49
Fellow Jitster says:Shorter term: ideally: enterprise offerings would do web profiles that can verify users on Mastodon, etc.  And make doing the rel=me verification seemless
10:50
Fellow Jitster says:This is @DickHardt's project: https://verified.coop/about
10:51
Fellow Jitster says:And added this to the doc: https://washpost.engineering/heres-how-the-washington-post-verified-its-journalists-on-mastodon-7b5dbc96985c
Fellow Jitster says:https://mastometrics.com/
10:53
Fellow Jitster says:why not now? 😄
10:55
Fellow Jitster says:jetpack https://wptavern.com/jetpack-11-9-adds-sharing-button-for-mastodon-updates-stats-dashboard-design
Fellow Jitster says:https://github.com/Juerd/tootpick
Fellow Jitster says:added both to the doc
Fellow Jitster says:Have to go to another (work) zoom, but good chat all
11:01
Fellow Jitster says:Shannon, Steampipe has /deep/ coverage of security and compliance frameworks for AWS/Kube/etc, if that's ever of interest I'm happy to tell you more about it elsewhere/elsewhen.
11:01
Fellow Jitster says:have to jump -- loved the discussion
11:04
SC
Shannon Clark / rycaut says:Jon - will do
11:05
Fellow Jitster says:And in the US people are working so many hours, the whole NGO community is quite dead compared to here in Poland.
Fellow Jitster says:thank you all.
11:08
Fellow Jitster says:Thanks! Great to meet you.
11:08
Fellow Jitster says:thank you, Shannon! great session everyone!
11:08
@Jeremiah@alpaca.gold says:Hello! Camera off while I eat dinner 😃
@Jeremiah@alpaca.gold says:What made it a hot topic the last few days?
11:16
Jaz says:eating lunch, muted/off cam until this chili is done
11:16
SE
Steve Ediger says:camera off for lunch
11:16
Shannon Clark / rycaut says:the announcement of when Twitter is expiring old verification checkmarks
11:16
@Jeremiah@alpaca.gold says:Thanks, Shannon
11:17
David Slifka says:Is there a URL for GreenCheck?
11:21
@Jeremiah@alpaca.gold says:Sounds similar to Keybase.io
@Jeremiah@alpaca.gold says:Where you verify yourself on all your social channels
11:22
Steve Ediger says:is anyone from coopcreds on this call?
11:22
Brad DeGraf says:Decentralized SSO that fits well with Fediverse servers https://github.com/jlinclabs/did-web-auth/blob/master/SPEC.md
11:23
Jesse Baer says:I assume there are two questions: verifying that people are who they say they are, and verifying that  "people" are what they say they are (people)
11:24
@Jeremiah@alpaca.gold says:That's a great point, Gabe. Impersonation becomes less of a problem when you can cheaply own your website.
11:24
Johannes Ernst says:Real-world example: Microsoft developer network showed up on some non-microsoft mastodon server (MSFT isn't operating one). Are they real or not?
11:26
@Jeremiah@alpaca.gold says:I've had several friends have the same Instagram impersonation problem.
11:27
Ryan Barrett says:ie "social leap of faith" vs skilled spearphishers 😐
11:27
Gabe Kangas says:It needs to become more normalized for people to own their place on the internet with a domain they control and as known as them. Your domain should be your hub for social as well as everything else.
11:28
Ryan Barrett says:Gabe++
@Jeremiah@alpaca.gold says:Germany already has this. Such bad legislation.
11:31
Shannon Clark / rycaut says:++ Ryan
11:32
Gabe Kangas says:Agreed Ryan.
11:32
jamiexml@infosec.exchange (Jamie from OASIS) says:❤️ Gabe's point:  "just verify me, whatever" ARGH
11:36
Brad DeGraf says:Microledgers https://whitepaper.jlinx.io/JLINX-WhitePaper.pdf
11:36
Jon Udell says:Shannon: +1
11:38
me says:we are not islands of "self" we are humans with lots of relationships and affiliations - these entities as Shannon suggests - they could issue verifiable credentials to the people who are members.
11:38
Gabe Kangas says:A publication recently added that support to verify their journalists I believe based on their author page, but not a manual "ask to be verified" approach.
Gabe Kangas says:Washington Post maybe it was? I forget.
11:39
David Slifka says:Yes, Washington Post, good example of what Shannon was describing.
11:40
@Jeremiah@alpaca.gold says:Real Name was problematic mostly because legal names are often not people's names.
11:46
David Slifka says:Great point Jeremiah
11:48
@Jeremiah@alpaca.gold says:I like what Gabe talked about. Again, very similar to Keybase. https://book.keybase.io/account#proofs
11:50
Jaz says:I think we're talking about an -optional- identity verification that can be used as and when needed/desired, not something baked in to require across Fedi
Jaz says:I'm hearing proof of celebrity, proof of humanity, proof of age
11:53
David Slifka says:agreed Jaz, strictly optional
11:53
Shannon Clark / rycaut says:I would add proof of some claimed credential (author/degree/job/role/ownership of something etc)
11:55@Jeremiah@alpaca.gold
@Jeremiah@alpaca.gold says:Swift? She works in infosec, right? 😉
11:57
Gabe Kangas says:That's why I don't think rel=me is the real solution. You could fake that verification by hard coding that value in your own Fediverse server.
Gabe Kangas says:But that's the case with *any* "system" of verification.
Gabe Kangas says:...except common sense? 😃
11:59
Ryan Barrett says:the thing you can't easily fake (assuming SSL) is the existence of the rel=me link on your web site itself.