The Future Was Federated

7 points by fiatjaf

Most notably, NOSTR establishes sovereign identity. Just like old, well tested and popular technologies such as GPG/PGP, my identity is not a URL granted by an admin and rented from a registrar. It is a cryptographic key pair, generated offline on my own device, on my own terms

Systems like this always have the same problem: If identity ownership is fully decentralised, how do you handle account recovery? A lot of things can go wrong, but they're mostly covered by these two:

My device is compromised, someone exfiltrates the private key. How do I reclaim my identity from them?
I lose the device that has my key on it (e.g. my house burns down with my computer and phone in it), how do I recover my identity?

If I'm expected to store my private key on every device that I use that identity on, the chance of a compromise is high. So I actually want some personal PKI where I can give a device a revokable certificate that allows it to be me as long as I periodically renew the certificate (or don't tell the computer that's renewing the certificate to stop). But that's a lot of complexity for the end user.

Most people do not have a robust backup strategy (other than 'let some vendor sync my stuff to their computer', which makes the first problem worse).

I can imagine a fully distributed recovery system based on something like Shamir's secret-sharing algorithm, where a bunch of your friends each hold a secret that, if N of them agree, allows you to recover your identity. You would need to tell them not to release the key unless they'd validated your identity somehow. Making that work with the device-compromise thread model remains hard. The key that they recover would need to be a key that is used with some KDF to do key rollover for you, preserving your identity somehow. And then you have the problem in the world of software monocultures, that an at-scale attack can probably recover a load of secret shares and can assemble some moderately large number of these keys.

TL;DR: Sometimes, systems are centralised because the distributed-system version of the same thing involves a number of unsolved research problems. I very-much encourage people to work on these research problems but simply deploying a system that ignores them is not helpful.

miloignis

The best/most-pratical-seeming solution that I've seen put forth for this problem is JuiceBox: https://juicebox.xyz/blog/key-to-simplicity-squeezing-the-hassle-out-of-encryption-key-recovery

Split the encrypted key material between multiple independent organizations that cooperate to check the user's PIN using Threshold-Oblivious PseudoRandom Functions (ideally on HSMs, pure software implementation also available).
setto

Author of the article here! Thanks a lot for your thoughtful elaboration. There's no doubt nostr puts a lot of burden on the end user.

So I actually want some personal PKI where I can give a device a revokable certificate that allows it to be me as long as I periodically renew the certificate (or don't tell the computer that's renewing the certificate to stop).

This is an interesting aspect that is often over looked when nostr is bein talked about: signers. There are not tons of them, but there are. They work very much like European state-issued signer for OTW bank errands. The most commonly used one is Amber (https://github.com/greenart7c3/Amber) I think there is one for Apple devices, but i've never used those. There should be more of these and the terminology they employ leaves for a lot of improvement. Time will tell us where it goes :)

rushsteve1

I've been doing a lot of research on federated social protocols lately, I made this chart to organize my thoughts.

The author seems very Bullish on NOSTR and I honestly can't share their enthusiasm. The protocol is amateurish; Core features are half-baked, the encryption section is especially suspect, and there's an strong trend of cryptocurrency related features being prioritized. The author mentions being able to post many different kinds of content, but the spec only outlines a few varieties and has very little to say about binary content distribution.

They spend a lot of time comparing to ActivityPub but I think their complaints are more about the network model that Mastodon promotes. ActivityPub itself doesn't prescribe much about that. No mention of other protocols either, I would have loved to see a Scuttlebutt comparison.

I also don't think NOSTR is as "sovereign" as the author claims. The relay model tends toward centralization (Ex: Bsky, CDNs) in order to get a wide enough view to be useful. You can still get de-platformed if major relays choose to block you. I'm also personally somewhat worried when "censorship" is the major concern of a protocol.

Key management is not sovereignty, it's just bad UX. As a NOSTR user I control nothing, my content only gets disseminated at the whim of Relay operators. Deleting content assumes that Relay operators respect my request. If want to get around those I have to self-host or stick to ideologically aligned relays, losing out on much of the benefits of social media and trending toward echo chambers.

setto

I love scuttlebutt. But building a community there was way too challenging for me. Doesn't mean it's bad. This article in particular was not meant as a bench mark of all the things. Maybe i should have made that more clear. It's just a recount of my journey.

I'm particularly interested in your amalgamation of sovereignty and decentralization. However, nostr is not a platform, it's a protocol. I don't think the major concern is to stop censorship: like you write, the network is permissionless, but relays are not. Nothing prevents you from only writing to your tightly knitt community to a protected relay. Nothing prevents a community from kicking us out. As a nostr user, you control as much as you understand the protocol. Which is definitely a burden on the user. Like i write in the article:

[nostr] demands a level of intentionality and caution in communication that is alien to the more ephemeral, deletable culture of mainstream or even federated social media.
- rushsteve1
  
  I'm particularly interested in your amalgamation of sovereignty and decentralization.
  
  To me Sovereignty ≠ Decentralization, which is why I’m kinda careful to say “Federated”. I want to retain control as the authoritative source of my own content. In particular I want to be able to control who can view it, and to delete it if I see fit. NOSTR’s solutions to these I find either too broad (view permissions via relay choice) or not viable (asking relays nicely to delete something). Same with Scuttlebutt.
  
  I think the indie web has been a huge success in terms of both network model and personal sovereignty and we should be focusing on growing that network. RSS/Atom, Microformats, ATProto, and ActivityPub (not Masto) are all doing really great jobs of this!
  
  Nothing prevents you from only writing to your tightly knitt community to a protected relay.
  
  NOSTR scales down well. But at that scale (say <100 users) it’s effectively a Group Chat. More IRC than Twitter.
  
  … demands a level of intentionality and caution…
  
  I don’t really like the idea that I need to be worried about the mechanics of making a post, rather than focusing on the content.
  - setto
    
    The same is true on activitypub: deletions are kind requests to the federated servers to please delete.
    
    I spent 14 years promoting the indie web. I don't regret a thing, I am simply moving on to what I percieve better suited for the contemporary internet.
    
    Nostr can be a group chat, yes. And that's what is interesting: it's aching to be more of a new data model than a new social network.
    
    I agree that Sovereignty ≠ Decentralization. I thought you mwant the opposite from
    
    I also don't think NOSTR is as "sovereign" as the author claims. The relay model tends toward centralization (Ex: Bsky, CDNs) in order to get a wide enough view to be useful.
    
    many thanks for elaborating!
- mariusor
  
  My followers subscribe to me, not to a specific platform or format. This eradicates the fragmentation of the Fediverse, where your digital self is scattered across multiple domain names.
  
  That is a problem with the current implementations of the fediverse, but it's not an intrinsic problem of the ActivityPub protocol. It's possible to have a single identity that can use multiple frontends each dedicated to a specific type of content (short text, long form articles, image, audio, video, etc...), which is what OP's complaint is about. I think if you bother ringing the death knell of the federated social web, you might want to do more research about the topic.
  
  And for anyone that cares about this kind of thing, please support projects that already allow this type of single identitiy/multiple uses behaviour, like my generic ActivityPub server called FedBOX, or the library it was built on top of.
  - setto
    
    Thanks for sharing your perspective! I'll look into FedBOX! Can I use an existing identity to leverage it's heterogeneous format capacity, or do I need to create a new identity and ask my network to follow me there instead?
- mariusor
  
  The future was federated, a necessary experiment that revealed the true goal: not federation, but sovereignty
  
  I think that this mentality that an online identity needs to be non-fungible is an artefact of the fact that during most of the life of modern internet social identities, they were built on centralized services, therefore scarce and precious. This is no longer the case, especially for federated services (we can all change our mail provider at any time, with the only issue being to inform the interested parties about the change).
  
  Personally I think the benefit of an identity being tied to a public key instead of a URL is minimal. David mentioned some of the failure cases for the key based identity and frankly I don't see a big difference between that and "renting your identity from a DNS provider".
  
  And finally I'd like to ask OP what difference truly is there between a peer to peer service and a federated one with a single user?
  - kitkat
    
    Personally I think the benefit of an identity being tied to a public key instead of a URL is minimal.
    
    I had the same thought. I agree that the Fediverse's weakness is the need for centralized hosting services, but that only holds because self-hosting your own instance has so much technical overhead. Most non-techies don't want/care to set up Docker/DNS/port forwarding/whatever else is needed to get a Mastodon instance online.
    
    An interesting idea for self-hosting is the HomeAssistant Green model: you can buy a Raspberry Pi preloaded with Mastodon (or FedBOX, as @mariusor mentions adjacently), there's an easy (or easier, anyway) registrar-integrated setup step to get your URL, and then you plug it into your router and then you're federated.
    
    You can probably think of more than a few technical challenges to solve between the start and end of that paragraph, but I think that's the maximum level of friction consumers would accept in order to switch from siloed social media. Mastodon in a box, off the shelf at Microcenter.
  - setto
    
    Technically I am not OP of this thread, but I wrote the article. I don't think nostr is p2p, in fact realys resemble fedi servers in many aspects. The fundamental differences being that 1. on nostr I can define the topology of my known-network myself, whereas on fediverse it is defined by the server admin 2. I can migrate to a new server without losing any of the friends I made along the way.