Regarding "AT was written because ActivityPub can't handle portable content and identity", I wrote up stuff about this *in 2017* https://github.com/WebOfTrustInfo/rwot5-boston/blob/master/final-documents/activitypub-decentralized-distributed.md and wrote a demo on how to do the portable content part https://gitlab.com/spritely/golem/blob/master/README.org
Good luck to the Bluesky / AT folks, truly. The main thing that frustrates me is this claim that AP can't do this though. (The Bluesky folks are aware of this, we both wrote some documents about it together, so they *should* know, that's my main irritation with the FAQ item that says ActivityPub can't do it.)
But also:
- I am not currently focused on ActivityPub so maybe it's not the best question to direct at me anymore
- I am focused on Spritely, which will eventually loop back to AP stuff, but that's not its current focus (it's a bit more general and dare I say a bit more revolutionary to how applications are written than that)
- I have never been interested in making a Twitter replacement because I am not convinced a global content space is necessarily a good idea
- It's good that almost everyone agrees that decentralized networks are fundamentally necessary now though
- I am glad that AT/Bluesky is using DIDs and some other components that really might be truly useful
- I am not the best person to ask this question, but I guess I am one of the most obvious people to ask this question
The portable identity people always, inevitably forget one simple truth: the identity and the means of accessing it should be separable. I've explained to them way too many times that a public key is not a viable form of identity. They still keep insisting on using public keys as identifiers.
The fatal flaw of the use of cryptographic keys for identity is that
- Once leaked, it can't be revoked to prevent further unauthorized access and impersonation
- Once lost, it can't be recovered and a new key pair, thus a new identity, is required
This stuff is non-negotiable really. I worked at VK, they have an entire department dedicated to restoring people's access to their accounts. People are terrible with passwords and they will be even more terrible with private keys.
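The separation this comment argues for, as an added example that is not part of the thread and not anyone's project code: a stable identifier (a constructed `did:example:alice`, borrowing the DID idea mentioned above) maps to a rotating signing key and a separately held recovery key, so a leaked key can be revoked and a lost key can be replaced without changing the identity. Signatures use Lamport one-time hash signatures so the block runs on the Python standard library alone; because each Lamport key signs exactly once, every rotation installs a fresh recovery key. The record layout, the rotation message format and the policy rules are assumptions for illustration, not any real DID method.

```python
import hashlib
import os
from dataclasses import dataclass, field

# --- Lamport one-time signatures (hash-based, standard library only) ---
# Each key pair may sign exactly ONE message; that is why the identity record
# below installs a fresh recovery key with every rotation.

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]   # secret preimages
    pk = [(_h(a), _h(b)) for a, b in sk]                          # their hashes
    return sk, pk

def fingerprint(pk) -> bytes:
    return _h(b"".join(a + b for a, b in pk))

def _bits(msg: bytes):
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(_h(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))

# --- Identity record: the stable identifier is NOT the key (assumed layout) ---
@dataclass
class IdentityRecord:
    did: str                                    # stable identifier, constructed for the demo
    keys: dict = field(default_factory=dict)    # fingerprint -> public key, every key ever installed
    current: bytes = b""                        # fingerprint of the key allowed to sign posts now
    recovery: bytes = b""                       # fingerprint of the separately held recovery key
    revoked: set = field(default_factory=set)   # fingerprints that may never authorize anything again

    @classmethod
    def create(cls, did, signing_pk, recovery_pk):
        rec = cls(did)
        rec.keys[fingerprint(signing_pk)] = signing_pk
        rec.keys[fingerprint(recovery_pk)] = recovery_pk
        rec.current = fingerprint(signing_pk)
        rec.recovery = fingerprint(recovery_pk)
        return rec

def rotation_message(did: str, new_signing_pk, new_recovery_pk) -> bytes:
    # Domain-separated so a post signature can never be replayed as a rotation.
    return b"rotate|" + did.encode() + b"|" + fingerprint(new_signing_pk) + b"|" + fingerprint(new_recovery_pk)

def rotate(rec, new_signing_pk, new_recovery_pk, authorizer_fp: bytes, sig) -> bool:
    """Replace the signing key. Authorized by the current key (routine rotation) or by the
    recovery key (after the signing key was leaked or lost). Both old keys are revoked."""
    if authorizer_fp not in (rec.current, rec.recovery) or authorizer_fp in rec.revoked:
        return False
    if not verify(rec.keys[authorizer_fp], rotation_message(rec.did, new_signing_pk, new_recovery_pk), sig):
        return False
    rec.revoked.update({rec.current, rec.recovery})
    rec.keys[fingerprint(new_signing_pk)] = new_signing_pk
    rec.keys[fingerprint(new_recovery_pk)] = new_recovery_pk
    rec.current = fingerprint(new_signing_pk)
    rec.recovery = fingerprint(new_recovery_pk)
    return True

def verify_post(rec, key_fp: bytes, msg: bytes, sig) -> bool:
    """Accept a post only if it is signed by the identity's CURRENT signing key."""
    if key_fp != rec.current or key_fp in rec.revoked:
        return False
    return verify(rec.keys[key_fp], msg, sig)

def demo() -> dict:
    """Walk through the two failure modes from the comment: leak, then loss."""
    sk1, pk1 = keygen(); rk1, rpk1 = keygen()
    alice = IdentityRecord.create("did:example:alice", pk1, rpk1)
    results, post = {}, b"hello fediverse"
    results["post_with_k1"] = verify_post(alice, fingerprint(pk1), post, sign(sk1, post))
    # Leak: an attacker now holds sk1. Alice rotates away from it with her recovery key.
    sk2, pk2 = keygen(); rk2, rpk2 = keygen()
    results["rotated_after_leak"] = rotate(alice, pk2, rpk2, fingerprint(rpk1),
                                           sign(rk1, rotation_message(alice.did, pk2, rpk2)))
    forged = b"i am alice"
    forged_sig = sign(sk1, forged)
    results["attacker_sig_crypto_valid"] = verify(pk1, forged, forged_sig)            # the math still checks out
    results["attacker_with_k1"] = verify_post(alice, fingerprint(pk1), forged, forged_sig)  # policy rejects it
    # Loss: sk2 is gone for good. The recovery key moves the identity to k3; the DID survives.
    sk3, pk3 = keygen(); rk3, rpk3 = keygen()
    results["recovered_after_loss"] = rotate(alice, pk3, rpk3, fingerprint(rpk2),
                                             sign(rk2, rotation_message(alice.did, pk3, rpk3)))
    results["post_with_k3"] = verify_post(alice, fingerprint(pk3), post, sign(sk3, post))
    results["did_unchanged"] = alice.did == "did:example:alice"
    # A rotation authorized by the long-revoked first recovery key is refused.
    sk4, pk4 = keygen(); rk4, rpk4 = keygen()
    results["replay_old_recovery"] = rotate(alice, pk4, rpk4, fingerprint(rpk1),
                                            sign(rk1, rotation_message(alice.did, pk4, rpk4)))
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The instructive line is `attacker_sig_crypto_valid` versus `attacker_with_k1`: after the leak the attacker's signature is still mathematically valid under the old public key, which is exactly why a bare public key cannot be the identity. Only a record that sits above the key and tracks which key is current can turn that valid signature into a rejected one, and only a recovery key held apart from the day-to-day signing key lets the same `did` outlive a lost key.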