Implementing Portable User Identities with DIDs (github.com)
from muntedcrocodile@lemmy.world to fediverse@lemmy.world on 31 Aug 04:08
https://lemmy.world/post/35238446

Here’s an idea to make Lemmy even better: true account portability.

Right now, your Lemmy account and all your content are tied to one server. Moving instances or having one shut down means losing your digital presence. Frankly, the server controls your online identity.

But what if you controlled your identity?

I’ve opened a discussion on the Lemmy dev GitHub about integrating Decentralized Identifiers (DIDs). Think of a DID as a permanent, global ID you own, independent of any server.

Why DIDs are a game-changer for Lemmy:

This is a big step towards a more decentralized and user-controlled fediverse. If you’re interested in more control over your digital self, check out the discussion:

[GitHub Issue: github.com/LemmyNet/lemmy/issues/5942]

If you’re on other ActivityPub platforms, consider pushing for similar solutions! The more platforms that adopt truly portable identity, the stronger the fediverse becomes.

#fediverse


Jumuta@sh.itjust.works on 31 Aug 04:21

how would one find someone’s DID public key/ DID documents? wouldn’t it have to be hosted on some single trusted server?

muntedcrocodile@lemmy.world on 31 Aug 04:32

No, that's the whole point of a DID. It's an existing standard that has been established to manage decentralised identity. There exist multiple ways to handle it, so a DID is did:source:id where the source can be many different things: Bluesky uses a group of trusted identity servers, but u can use a self-hosted file, the blockchain, all sorts of things. Hell, u could even use Bluesky: u could have the same login for ATProto (Bluesky) and ActivityPub (Lemmy).
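The did:source:id shape described above, and the "it works from wherever it is hosted as long as software can resolve it" point that comes up later in the thread, as an added Go example that is not part of this thread, of Lemmy, or of any DID library: it parses identifiers under the W3C DID syntax, maps did:web to the URL its document is served from, and resolves a constructed document offline, checking that the returned document actually claims the DID that was asked for. The host example.org, the users/alice path, the Lemmy and Bluesky aliases and the placeholder key value are all made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// DID holds the two parts of a did:<method>:<method-specific-id> identifier.
type DID struct {
	Method string
	ID     string
}

// didSyntax follows the W3C DID Core grammar: a lowercase method name, then an
// id of idchars (alphanumerics, '.', '-', '_'), ':' separators and %XX escapes.
var didSyntax = regexp.MustCompile(`^did:([a-z0-9]+):((?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2}|:)*[A-Za-z0-9._-])$`)

// ParseDID splits a DID string into method and id, rejecting malformed input.
func ParseDID(s string) (DID, error) {
	m := didSyntax.FindStringSubmatch(s)
	if m == nil {
		return DID{}, fmt.Errorf("not a valid DID: %q", s)
	}
	return DID{Method: m[1], ID: m[2]}, nil
}

// DIDWebURL maps a did:web identifier to the URL its document is served from:
// host first, optional path segments separated by ':', a port encoded as %3A.
func DIDWebURL(d DID) (string, error) {
	if d.Method != "web" {
		return "", fmt.Errorf("method %q is not did:web", d.Method)
	}
	parts := strings.Split(d.ID, ":")
	host := strings.ReplaceAll(parts[0], "%3A", ":")
	if len(parts) == 1 {
		return "https://" + host + "/.well-known/did.json", nil
	}
	return "https://" + host + "/" + strings.Join(parts[1:], "/") + "/did.json", nil
}

// VerificationMethod is one public key listed in a DID document.
type VerificationMethod struct {
	ID                 string `json:"id"`
	Controller         string `json:"controller"`
	PublicKeyMultibase string `json:"publicKeyMultibase"`
}

// DIDDocument is the subset of a DID document used here: subject, aliases, keys.
type DIDDocument struct {
	ID                 string               `json:"id"`
	AlsoKnownAs        []string             `json:"alsoKnownAs"`
	VerificationMethod []VerificationMethod `json:"verificationMethod"`
}

// Resolver turns a DID into its document. Fetch is injected so this runs
// offline; a real deployment would do an HTTPS GET for did:web.
type Resolver struct {
	Fetch func(url string) ([]byte, error)
}

// Resolve parses the DID, fetches the document and checks that the document
// claims the DID it was fetched for, so a host cannot answer a lookup for one
// identity with another identity's aliases and keys.
func (r Resolver) Resolve(s string) (*DIDDocument, error) {
	d, err := ParseDID(s)
	if err != nil {
		return nil, err
	}
	url, err := DIDWebURL(d) // only did:web is implemented in this example
	if err != nil {
		return nil, err
	}
	raw, err := r.Fetch(url)
	if err != nil {
		return nil, err
	}
	var doc DIDDocument
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	if doc.ID != s {
		return nil, fmt.Errorf("document subject %q does not match requested DID %q", doc.ID, s)
	}
	return &doc, nil
}

// Constructed sample documents: a hypothetical user whose DID lists a Lemmy
// actor and a Bluesky handle as aliases (the key is a placeholder), and a
// document served under a different path that falsely claims the same DID.
var sampleDocs = map[string]string{
	"https://example.org/users/alice/did.json": `{"id": "did:web:example.org:users:alice",
	  "alsoKnownAs": ["https://lemmy.example/u/alice", "at://alice.example"],
	  "verificationMethod": [{"id": "did:web:example.org:users:alice#key-1",
	    "controller": "did:web:example.org:users:alice", "publicKeyMultibase": "zPLACEHOLDER"}]}`,
	"https://example.org/users/mallory/did.json": `{"id": "did:web:example.org:users:alice"}`,
}

// offlineFetch stands in for an HTTPS client and serves only the constructed documents.
func offlineFetch(url string) ([]byte, error) {
	if body, ok := sampleDocs[url]; ok {
		return []byte(body), nil
	}
	return nil, fmt.Errorf("not found: %s", url)
}
```

Calling `Resolver{Fetch: offlineFetch}.Resolve("did:web:example.org:users:alice")` returns the document with its alsoKnownAs actors, which is what a Lemmy instance would need in order to treat several actors as one user; resolving the mallory path fails because the document's subject is a different DID. Other methods (did:plc, did:key, a did:nostr style mapping) would plug in at the same place as DIDWebURL with their own lookup rule, and the subject check applies to all of them.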

Jumuta@sh.itjust.works on 31 Aug 04:54

ah yeah that makes sense

SpookyMulder@twun.io on 31 Aug 04:58

The way this comment is written doesn’t sound anything like the OP or the GitHub issue. Different tone, different dialect/spelling… lot of linguistic red flags. Not that I’m judging either way, it’s just suspicious how vastly different they are.

Jumuta@sh.itjust.works on 31 Aug 09:13

yeah it has the telltale tone and structure of a tool that a lot of us hate yk, reply seems to be human though?

muntedcrocodile@lemmy.world on 31 Aug 10:06

I'm lazy, I used an LLM to write the issue and post.

nomugisan@lemmy.dbzer0.com on 31 Aug 04:39

As someone with DID (Dissociative Identity Disorder) please pick a different name/acronym

auraithx@lemmy.dbzer0.com on 31 Aug 09:50

Bad news champ, it’s already in mainstream use.

nomugisan@lemmy.dbzer0.com on 31 Aug 10:46

Fuck the mainstream

muntedcrocodile@lemmy.world on 31 Aug 10:03

I didn't name it, that's what it's called.

BlessedDog@lemmy.world on 31 Aug 16:00

Hey, consider yourself lucky. People who go to Cognitive Behavioral Therapy have it so much worse

Brkdncr@lemmy.world on 31 Aug 04:53

This could be easily solved with domain name and certificates

pupbiru@aussie.zone on 31 Aug 08:10

then you have to pay for it though

muntedcrocodile@lemmy.world on 31 Aug 10:25

What, by having all users exist on a centralised server? That sounds like vendor lock-in, which is exactly what federation was trying to avoid.

flamingos@feddit.uk on 31 Aug 05:53

Real Account Portability: Move your entire account – posts, comments, followers – to any new instance seamlessly. Your identity travels with you.

This is nice in theory but comes with edge cases that are hard to account for. Like, what if you have a post and your new instance defeds the instance the post’s community is on? You either have to allow banned content onto the instance or the user loses data, neither of which are acceptable.

This is part of why ATProto’s decoupling of user data from app logic is kinda genius and the direction we should go in if we want portable actors in Lemmy/thredi.

Full Fediverse Compatibility: We can add DIDs to Lemmy while staying fully interoperable with Mastodon, Kbin, and all other ActivityPub platforms. No breaking changes, just a powerful upgrade.

Not really, every fediverse platform that people use expects an Object’s id to be a https URI it can just fetch the resource from. This is part of why FEP-ef61 specifies a way of translating a DID to a https URI. That’s not to mention that moving existing actors from their current ID to a DID will cause all sorts of interop problems.

Edit: Also, is this AI-generated? It has all the tells of Gemini output, especially the issue on GitHub.

rimu@piefed.social on 31 Aug 06:01

Smells like LLM to me.

renzhexiangjiao@piefed.blahaj.zone on 31 Aug 10:34

yeah, if I were a Lemmy dev, I wouldn't take this proposal seriously because of this. I would be wondering if that person really knows what they're proposing and if they're planning to engage in the discussion themselves or let AI do it for them, and in the latter case it would just be a waste of time.

muntedcrocodile@lemmy.world on 31 Aug 10:02

We add a DID to objects and keep the id the same. Supporting platforms will use the DID, old ones will carry on using the id.

DID is what ATProto uses; this is a step in that direction.

rimu@piefed.social on 31 Aug 06:01

https://joinfediverse.wiki/Nomadic_identity

As far as I can tell Hubzilla seems to do it by having alts on different instances and then having a way to associate them with each other, so every instance knows that all the alts are the same user. It's a bit clunky but it avoids as many fundamental changes to ActivityPub, because most things under the hood are the same as without nomadic identity and the UI just treats several actors as the same user.

muntedcrocodile@lemmy.world on 31 Aug 10:05

That's essentially how ATProto does it, and they publish other instance actors under "also known as" in the DID. That's essentially what I'm proposing.

rimu@piefed.social on 31 Aug 10:31

I like how the did field is in addition to the existing actor field, providing a way to gradually transition the protocol to the new way.

muntedcrocodile@lemmy.world on 31 Aug 11:29

Yeah, that's critical; without it everything would break.

AmbiguousProps@lemmy.today on 31 Aug 07:36

So we’re filing LLM slop for Lemmy issues now? Also that’s a pretty poor choice for a name.

int32@lemmy.dbzer0.com on 31 Aug 09:26

Yeah, that's doable. I would do it like this: DIDs could just be cryptographic signing keys, and your client could just sign all your posts and send them to any server, which will federate that. Same with the upvotes/downvotes (timestamps will have to be signed so a server could not just replay an upvote or downvote if you change your mind). In this case, servers will only be useful for naming (and keeping the bio and public signing key) and relaying the messages to other servers. What's described is pretty much that.
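The client-side signing and signed-timestamp replay protection sketched in the comment above, as an added Go example that is not from this thread, from Lemmy or from any DID library: an Ed25519 keypair stands in for the key a DID document would publish, the client signs a vote whose bytes include its timestamp, and the receiving server rejects a vote whose signature fails, whose timestamp lies outside a clock-skew window, or which is not newer than the last vote it accepted from that actor on that object. The DID did:example:alice, the object URL and the timestamps are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Vote is a constructed activity: which DID voted on which object, how, and when.
// The timestamp sits inside the signed bytes, so a relaying server cannot
// resubmit an old vote after the user has changed or retracted it.
type Vote struct {
	Actor     string `json:"actor"`     // hypothetical DID of the voter
	Object    string `json:"object"`    // the post or comment being voted on
	Value     int    `json:"value"`     // +1, -1, or 0 for "retracted"
	Timestamp int64  `json:"timestamp"` // unix seconds from the client's clock
	Signature []byte `json:"signature,omitempty"`
}

// signingBytes is the canonical form that gets signed: the vote without its
// signature, marshalled in Go's fixed struct field order.
func (v Vote) signingBytes() []byte {
	v.Signature = nil
	b, _ := json.Marshal(v)
	return b
}

// NewIdentity generates the client-held keypair that plays the DID's key.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignVote is what the user's client does before handing the vote to any server.
func SignVote(priv ed25519.PrivateKey, v Vote) Vote {
	v.Signature = ed25519.Sign(priv, v.signingBytes())
	return v
}

// Verifier is the receiving server's state: the public key per DID (as it would
// be read from the DID document) and the newest accepted timestamp per actor/object.
type Verifier struct {
	Keys    map[string]ed25519.PublicKey
	latest  map[string]int64
	MaxSkew int64 // seconds a timestamp may differ from the server clock
}

func NewVerifier(maxSkew int64) *Verifier {
	return &Verifier{Keys: map[string]ed25519.PublicKey{}, latest: map[string]int64{}, MaxSkew: maxSkew}
}

// Accept checks signature, freshness and ordering. A vote that is not strictly
// newer than the last accepted one for the same actor and object is a replay.
func (vf *Verifier) Accept(v Vote, now int64) error {
	pub, ok := vf.Keys[v.Actor]
	if !ok {
		return errors.New("unknown actor")
	}
	if !ed25519.Verify(pub, v.signingBytes(), v.Signature) {
		return errors.New("bad signature")
	}
	if v.Timestamp > now+vf.MaxSkew || v.Timestamp < now-vf.MaxSkew {
		return errors.New("timestamp outside acceptance window")
	}
	key := v.Actor + "|" + v.Object
	if last, seen := vf.latest[key]; seen && v.Timestamp <= last {
		return errors.New("replayed or stale vote")
	}
	vf.latest[key] = v.Timestamp
	return nil
}

func main() {
	pub, priv := NewIdentity()
	did := "did:example:alice" // hypothetical DID
	vf := NewVerifier(300)
	vf.Keys[did] = pub
	up := SignVote(priv, Vote{Actor: did, Object: "https://lemmy.example/post/1", Value: 1, Timestamp: 1000})
	fmt.Println("upvote:", vf.Accept(up, 1010))
	fmt.Println("same upvote again:", vf.Accept(up, 1020))
	retract := SignVote(priv, Vote{Actor: did, Object: up.Object, Value: 0, Timestamp: 1005})
	fmt.Println("retraction:", vf.Accept(retract, 1020))
	fmt.Println("old upvote replayed after retraction:", vf.Accept(up, 1030))
}
```

Keeping only the newest timestamp per actor and object, rather than a set of every signature ever seen, is what makes the retraction case work: the earlier upvote is still a valid signature, but it is older than the retraction, so the server refuses it. The skew window bounds how far a client's clock may drift and, with the ordering rule, also bounds how long an intercepted vote stays usable.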

muntedcrocodile@lemmy.world on 31 Aug 10:10

DIDs already exist; they are a Decentralised IDentity (DID). It is a keypair and user data, so usernames, profile, bio, and a list of accounts across different instances that allows associating posts, comments, likes etc.

dsilverz@calckey.world on 31 Aug 10:24

@muntedcrocodile@lemmy.world

Somehow, this reminds me of Nostr. How much is this different from Nostr? (Insofar as a user generates their own pair of public and private keys that they use to publish content anywhere within the Nostr ecosystem, at least as far as I remember about Nostr, as it's been a long while since I stopped using Nostr after it went down the cryptobro road.)

muntedcrocodile@lemmy.world on 31 Aug 10:33

Yep, a DID can be anywhere, even did:nostr:publickey; it's part of the same system.

clot27@lemmy.zip on 31 Aug 11:59

I get LLM vibes from this post

asudox@lemmy.asudox.dev on 31 Aug 14:39

DIDs are cool and all but I would trash your proposal because that is clearly llm bullshit. Put effort into it, seriously.

Oh and also, for big changes like these, you need to make a new RFC: github.com/LemmyNet/rfcs

muntedcrocodile@lemmy.world on 31 Aug 15:11

I did put effort into it, I just got an LLM to write it. I'll see what the devs say and might make an RFC if needed. And yes, I'll get an LLM to write that as well.

AmbiguousProps@lemmy.today on 31 Aug 20:06

Yikes. Why would the devs implement anything created by LLM? It shows that the requester (you, in this case) isn’t passionate enough to sit down and write something on their own.

asudox@lemmy.asudox.dev on 31 Aug 20:20

Well, looks like the lemmy devs (like any reasonable devs) will not accept LLM generated shit. So good luck with that.

silverpill@mitra.social on 31 Aug 15:41

FEP-ef61: Portable Objects describes how to use DIDs with ActivityPub. Here's a slightly less technical introduction: https://codeberg.org/ap-next/ap-next/src/branch/main/nomadpub.md

It's not easy, though. Adding this feature to an existing project will require a lot of work, especially if you don't want to share signing keys with servers. This was discussed in #3100, Lemmy devs are not opposed to FEP-ef61, but they don't plan to work on it.

Also, I don't recommend copying solutions from ATProto, their did:plc and did:web are not really "decentralized".

Magnum@lemmy.dbzer0.com on 31 Aug 17:47

I don't like LLMs either, but I think it's harsh to just close the discussion because someone used an LLM to rephrase someone's initial idea…

AmbiguousProps@lemmy.today on 31 Aug 20:12

I mean, sure, but LLM issues are currently plaguing open source projects. Curl, for example: gist.github.com/…/07f7581f6e3d78ef37dfbfc81fd1d1c…

If someone isn’t passionate about something enough to write their own request, why would the devs be passionate about implementing it?

Magnum@lemmy.dbzer0.com on 31 Aug 21:57

Wow, that was an amusing read, but not really comparable. Those are automated AI security findings, partially hallucinated. But this is an idea that was phrased out by using AI. He already showed the passion to submit and discuss his idea; what you are doing is valuing the devs' passion more than someone that's clearly not a dev submitting his idea … It sounds a little elitist to me.

AmbiguousProps@lemmy.today on 31 Aug 22:34

The problem is the GitHub issue has hallucinations and incorrect technical terminology. It really shouldn't be used for this purpose; it's pretty selfish to expect maintainers to consider something that you used an LLM for, in my opinion. I don't think that's elitist. Is it really all that difficult to write a feature request on your own, especially if you've already done the hard part (the research)?

muntedcrocodile@lemmy.world on 31 Aug 23:27

I did the research; I looked at many different ways to get the desired solution. I learned how ATProto works, I looked into other services with DID, and got an LLM to put those ideas in the required format for the issue. Can you please point out the hallucinations in the issue so I can go and fix them?

Magnum@lemmy.dbzer0.com on 01 Sep 08:05

I also don't get it. As far as I understood, you only used the LLM to have a spell checker on crack basically, and not to generate the idea or straight-up technical solution, so what's all the fuss about?

muntedcrocodile@lemmy.world on 01 Sep 09:56

That's exactly what I did. It's essentially a translator from 3 pages of dot points and notes that would be incoherent to anyone but myself to normal English.

cypherpunks@lemmy.ml on 01 Sep 08:41

I looked into other services with DID and got an LLM to put those ideas in the required format for the issue. Can you please point out the hallucinations in the issue so I can go and fix them?

No. Asking other people to read (and now also to correct!) your LLM slop is extremely inconsiderate. Please don’t do that again.

muntedcrocodile@lemmy.world on 01 Sep 10:03

Someone claimed it contained hallucinations. I read through the entire thing as well as doing all the research and understanding of the concept being talked about. If someone is claiming that there are issues, I expect them to be able to prove that. I'm not asking for a fact checker, I'm asking for someone to provide evidence of the thing they verbatim claimed. If u wanna tell me that my research showing the sky is blue is wrong, I would appreciate u pointing out my error; otherwise ur just making baseless claims.

danhab99@programming.dev on 01 Sep 00:13

Whelp here I go again

Why not GPG!!??

I've been working on my own idea for what the "fediverse" should be. I'm calling it userless because I want to avoid users in the database, and I wanna use GPG as the individual's identity because it already exists and can, yes, perfectly verify for me who created a post. I'm not sure why we need more than that.

I haven't fleshed the whole thing out yet and I plan to hand write proper docs for the protocol.

But GPG has been around since forever. I've been told that it's too hard to use, it's insecure, it's too old. And when I use the thing I just don't agree; there is nothing technically wrong with the product, like, it should be way more popular.

muntedcrocodile@lemmy.world on 01 Sep 00:37

So ActivityPub needs an actor with an inbox and outbox to send and receive content. A DID is a virtual actor that reroutes to a real actor and collects content across real actors. Ideally you can send an activity to a DID which is resolved to the current home instance. And the DID stores ur profile picture, a public key, display names, bio etc etc. U could use PGP as the key in the DID if the devs want to support it as a cryptography protocol. The DID is also used to sign each message, similar to PGP. U simply need more functionality than what PGP provides.

danhab99@programming.dev on 01 Sep 02:41

So ActivityPub needs an actor with an inbox and outbox to send and receive content. A DID is a virtual actor that reroutes to a real actor and collects content across real actors.

Gpg public keys have a dedicated email address field. And if you don’t want to share your “real” email address then just make a new one. (edit) Or don’t include one.

And the DID stores ur profile picture, a public key, display names, bio etc etc.

Yeah that’s a pain point I experienced with Gpg armored packets, I couldn’t figure out a way to pack in a PFP. Even shrinking it to 64x64 made the public key file feel too heavy. So I just decided profile pics are out of scope and you should just use gravatar.

U could use PGP as the key in the DID if the devs want to support it as a cryptography protocol. The DID is also used to sign each message, similar to PGP. U simply need more functionality than what PGP provides.

I 80% agree. I do wish PGP armored packets had extra fields, and if that's an RFC that could be sent to the GnuPG maintainers then GPG would be absolutely perfect, but I haven't gotten around to figuring that out. All things considered, since GnuPG already exists and it's already installable everywhere and it already works, I figured I could just roll with it for userless at least. I want to use GPG for all user authentication related concerns.

zalgotext@sh.itjust.works on 01 Sep 09:09

A DID is a virtual actor that reroutes to a real actor and collects content across real actors

Where is that virtual actor hosted? If it’s centralized, I feel like it defeats the purpose of user-centric identity control. If it’s user-hosted, that sounds like GPG with extra, even more inconvenient steps.

muntedcrocodile@lemmy.world on 01 Sep 09:52

It's both. It can be a JSON file served from some webserver. It can be a peer hosted thing where a bunch of instances host it on your behalf. It can be something that exists on your designated identity server. It can be a transaction on a blockchain. And as long as the software knows how to resolve it, they all work.

zalgotext@sh.itjust.works on 02 Sep 16:39

Having to figure out hosting, no matter if it’s self, peer, or whatever else hosting, kinda makes this proposal DOA I think. It’s kinda using a jackhammer for a problem that’s already been solved by a screwdriver.

zalgotext@sh.itjust.works on 01 Sep 09:07

Yeah I don’t think this is gonna get anywhere when the easiest alternative to controlling your account is to just host your own Lemmy instance, and you can do that literally right now with no changes to Lemmy or the protocol.

It'd be nice for ActivityPub to support optional GPG signatures for those that want to have that level of control. That would get you all the identity verification that this newfangled DID stuff gets you, with the added bonus of GPG being a reliable, existing, proven technology that people already know how to support.

muntedcrocodile@lemmy.world on 01 Sep 09:54

DID also allows portable identity, so ur home instance is whatever instance u feel like. DID has been tested and proven reliable; it's in use by lots of different applications including Bluesky.

INeedMana@piefed.zip on 01 Sep 15:10

DID as a permanent, global ID you own, independent of any server

So there would have to be another server, hosting my identity? Would identities somehow be federated between identity instances?

muntedcrocodile@lemmy.world on 01 Sep 21:26

DID can be served by your own server as just a JSON blob, or federated between multiple identity servers, or on the blockchain. A DID is did:source:publickey and there are multiple different sources u can use.

INeedMana@piefed.zip on 02 Sep 08:12

a JSON blob

So in a way it's similar to https://joinmastodon.org/verification ? A two sided reference between identity and profiles?