Towards Federated Key Transparency
-
I say “limited” because it will only not support editing or deleting messages provided by another instance. It will only append data. [...] contains an Asymmetric Public Key, the user and instance that hosts it, and other metadata
that's enough data to count as PII under GDPR, you'd need to handle the right to be forgotten somehow
see keys.openpgp.org/about for a pgp keyserver that solved this by separating the identity data from the public key data and letting you delete the former
-
@lunareclipse Fuck.
That's so annoying.
-
@soatok @lunareclipse this reminds me about how someone could abuse certificate transparency chains to store PII as SANs
-
@risottobias @lunareclipse I think we can work around this by using HMAC as I sketched out.
Or I could just say "fuck it" and tell the EU they're on their own. idk
-
@risottobias @lunareclipse I understand the spirit of the law here, it's just very annoying to design protocols with it in mind
-
@soatok @lunareclipse I have that kinda with a small business but I'm minimizing how long I keep different things.
Like some engineering data is useful to me but I have to have a free weekend to look at it so it sticks around for a month.
Or detaching receipts from names to be able to process a dispute without keeping names
-
@soatok Is this finally a problem that distributed ledgers / blockchain is a solution for?
Oh, I see...
"Oh, and best of all? You can get all these wins without propping up any cryptocurrency bullshit either."
-
@rubinjoni @soatok sigstore / certificate transparency logs 1) don't require pointless compute - and 2) they're boring
So they're about the only chain adjacent thing I like
-
@soatok The stated goals are similar to those of FEP-c390. In FEP-c390, however, the key is linked directly to an actor object, it doesn't require a separate server.
>We want Fediverse users to be able to publish a public key that is bound to their identity, which anyone else on the Internet can fetch and then use for various purposes.
-
@soatok consider coming to #FediForum in September and running a session about it. https://fediforum.org