The thing that is telling to me about DMs is that we *have* federated direct message protocols like XMPP which have been around for ages; if Bluesky wanted to they could have tacked that on pretty quickly, E2EE or not.
-
Christine Lemmer-Webberreplied to Christine Lemmer-Webber last edited by
> This is an eyebrow-raising decision on its own; apparently the cloud HSM product they use does billing per key, so it would be prohibitively expensive to give each user their own. (I hear they're planning on transitioning from "cloud" to on-premise hosting, so maybe they'll get the chance to give each user their own keypair then?)
-
Christine Lemmer-Webberreplied to Christine Lemmer-Webber last edited by
Anyway that's the quote and presumably this must be changed. I haven't looked, but I can't imagine they're still doing this today (are they?) but the fact that only one key was ever used in production for expense purposes is a strange decision
-
Christine Lemmer-Webberreplied to Christine Lemmer-Webber last edited by
At any rate, that decision was used to create a kinda confused deputy-ish attack, which is why it came up in the blogpost, and anyway, hi, I'm not a cryptographer, momentary reminder that I am not a cryptographer, but I have designed cryptographic certificate chains and I was pretty shocked by that
-
Christine Lemmer-Webberreplied to Christine Lemmer-Webber last edited by
At any rate, one way or another, you can presumably use did:plc to move yourself from one server to another so in the interest of "credible exit" this is a good choice
Though, one might take a moment to ask: who controls the keys if you *do* want to move?
-
Christine Lemmer-Webberreplied to Christine Lemmer-Webber last edited by
Bluesky has identified, I'd say correctly even, that key management for users is an *incredibly* hard thing to do.
But the solution, once again, ends up pretty centralized: for all users on Bluesky's main servers at least, Bluesky generates and manages the keys for them.
-
Christine Lemmer-Webberreplied to Christine Lemmer-Webber last edited by
I am, once again, kinda sympathetic and kinda unsettled simultaneously.
- Sympathetic: key management *is* hard and we just don't have the UX answers to solve that, and Bluesky is once again trying to deliver to Twitter refugees
- Unsettled: it's centralized, but... there's something *more* troubling -
Christine Lemmer-Webberreplied to Christine Lemmer-Webber last edited by
The big promise here, the "credible exit" side of things is that for most users, the vision they have is that if Bluesky gets bought by a big evil company, no problem, move somewhere else
But for those same users, Bluesky still *controls their keys* and thus *controls their destiny*
-
Christine Lemmer-Webberreplied to Christine Lemmer-Webber last edited by
Regardless, Bluesky has this "your domain is your id!" thing, and that's pretty cool, the domain maps to your DID and your DID maps to your domain
Well, I'm not gonna get into this in detail here, I do on the blogpost if you wanna read it but, the cyclic dependency might be an actual cycle
-
Christine Lemmer-Webberreplied to Christine Lemmer-Webber last edited by
tl;dr on that UX part:
- users only know domains, they don't know the DIDs
- turns out that's a phishing attack when those can change at any time
- if bsky.app ever goes down how do you actually know I *really* mapped to that name
- and a whole lot of "liveness" problems that enter there -
Christine Lemmer-Webberreplied to Christine Lemmer-Webber last edited by
in addition to this long-ass thread there is a long-ass article and if you care about things like "zooko's triangle" maybe read that version, the rest of y'all can move on we've got other stuff to cover here
