
Mastodon and Keybase - malgorithms
https://keybase.io/blog/keybase-proofs-for-mastodon-and-everyone
======
zach43
Just wanted to say that i moved from twitter to mastodon sometime late last
year and couldn't be happier with it. Keybase integration is interesting to
me, but not really useful since i don't want to tie mastodon with my real life
identity.

the Fediverse as a whole has a very different 'feel' to it compared to
Twitter. Twitter feels significantly more commercialized and
stressful...mastodon / pleroma feel a lot more relaxed and pleasant in
comparison.

Maybe i just accidentally joined nicer communities, but i see a lot of
small-scale chitchat and genuineness on mastodon that i rarely see on twitter.

I've also had zero issues with the platform from a technical
perspective...overall i think Mastodon, etc have done decentralization
"right", and have a lot of potential for growth in the future

~~~
jeena
It would be cool to see everyone's Mastodon usernames/domains, I'm on my own
self hosted instance where it's a bit more difficult to find other people.

Mine is: [https://toot.jeena.net/@jeena](https://toot.jeena.net/@jeena)

~~~
JoshTriplett
What has your experience been with self-hosting?

I'd love to self-host a Mastodon instance that two-way mirrors my Twitter
account and acts as a Twitter client (letting me pseudo-follow folks from
Twitter). But in any case, I'd want to ensure that no content from people I
follow gets mirrored/hosted on my own instance; the only content actually
hosted on my own instance should be the content I post.

~~~
StavrosK
What do you mean? No content other than what your users generate will be
hosted on your instance.

~~~
bisby
There is a concept of a federated timeline, which does get synced to your
local instance. If you follow someone on a remote instance, that instance
feeds content into your instance so it can be loaded.

~~~
StavrosK
It syncs the people you follow, right? So presumably the only additional
content on your instance is content from the people you follow, which should
generally be low-risk.

~~~
metildaa
You can also block just media if an instance is known to host images that are
illegal in your country or your users don't want to see (silencing is a better
option for the latter tho).

------
founderling
This seems backward.

They want ActivityPub servers to apply to a central service (keybase) to offer
cross server identities.

And they want users to trust that central service to decide who is who.

It's always amazing, how strong the force of centralization is.

Even when the whole value proposition of a technology is that it is
decentralized, users will soon flock to centralized services built around it
and end up at the mercy of a few organizations again.

Reminds me of all the people who think they hold crypto currency while in
reality they "hold" yeah-we-promise-we-owe-you-somethings by some exchange.

Reminds me of how little resistance the Ethereum elite faced when they flushed
"code is law" down the toilet and forced all users to switch to a fork with
rewritten history.

What makes this attempt of centralization even more tragic is that it does not
bring anything to the table. If you want to run a service that lets people
claim they are joedoe@host1 and joe_the_doe@host2, just let them publish two
messages. "I am joedoe@host1" on joe_the_doe@host2 and "I am
joe_the_doe@host2" on joedoe@host1. Neither the integration with the hosts nor
the crypto spiel is needed.
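
The two-message scheme described in the comment above, as an added example (not part of the original comment and not Keybase's code): a link counts only when both accounts post the claim, and one-way claims are reported separately, since anyone can post "I am X" about an account they do not control. The post data and the `mallory@host3` handle are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: account handle -> public posts on that account.
# The first two handles come from the comment; mallory@host3 is hypothetical.
POSTS = {
    "joedoe@host1": ["hello world", "I am joe_the_doe@host2"],
    "joe_the_doe@host2": ["I am joedoe@host1"],
    "mallory@host3": ["I am joedoe@host1"],  # one-way claim, never reciprocated
}

CLAIM = re.compile(r"^I am (\S+@\S+)$")

def claims(posts):
    """Directed edges: (poster, account the poster claims to also be)."""
    edges = set()
    for handle, texts in posts.items():
        for text in texts:
            m = CLAIM.match(text.strip())
            if m and m.group(1) != handle:
                edges.add((handle, m.group(1)))
    return edges

def classify(posts):
    """Split claims into mutual links and unreciprocated one-way claims."""
    edges = claims(posts)
    mutual = {frozenset(e) for e in edges if (e[1], e[0]) in edges}
    one_way = {e for e in edges if (e[1], e[0]) not in edges}
    return mutual, one_way

def identities(posts):
    """Group accounts joined by mutual links (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    mutual, _ = classify(posts)
    for pair in mutual:
        a, b = tuple(pair)
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for handle in list(parent):
        groups[find(handle)].add(handle)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print("linked identities:", identities(POSTS))
    print("unverified claims:", sorted(classify(POSTS)[1]))
```

A mutual link shows only that whoever posted had write access to both accounts at the time of posting; it says nothing about who that person is.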

~~~
BinaryIdiot
> It's always amazing, how strong the force of centralization is.

This is because Mastodon is a UX nightmare because of the way they
decentralized it. With Twitter you go on and you @ your friends / etc and
you're done. With Mastodon you have to figure out where they are and if
they're not all in the same place it becomes a nightmare to try and manage.

I get it, decentralization can be great. But so far most of the
implementations of decentralized social networks have been a UX nightmare for
even the casual user.

~~~
Leace
> With Twitter you go on and you @ your friends / etc and you're done. With
> Mastodon you have to figure out where they are and if they're not all in the
> same place it becomes a nightmare to try and manage.

Nope, that's actually not the problem with Mastodon UX. On Twitter you still
have to ask if your friend is @Johnny or @John1256 or @JDoe or depend on
visual cues (avatar).

The problem with Mastodon UX (and Fediverse in general) is the friction of
"remote follow" buttons instead of one-click Follow (the same goes for
reply/like etc.)

~~~
coldacid
I find that remote follow is only an issue this way if you've gone directly to
the other party's profile rather than following them from your own instance,
or when your instance is being banned for some reason by the other party's
instance. It could be smoother, but this is what we get for having to defend
against XSS.

The bigger problem with Mastodon is the explicit support for censorship via
defederating instances you don't like.

~~~
Leace
> rather than following them from your own instance

This all requires people to explicitly copy user/page URL to clipboard and
paste it on their instance. "Follow me" buttons or twitter.com/share-link URLs
are just not possible on Mastodon. Copying and pasting stuff doesn't look like
good UX to me.

------
mirimir
This is great. But damn:

> Are there sites you won't link to?

> Like a Mastodon instance, we reserve the right to work with whichever
> partners we prefer. We specifically will avoid at least these sites:

> sites which encourage or are known for illegal activity

Just what is "illegal activity"? According to whose laws?

Given that Keybase servers are in the US, I suppose that means US law. And
frankly, that sucks.

But please do clarify.

------
ocdtrekkie
I wonder if the Mastodon community will pick up Keybase chat as the de facto
chat option with this integration in place. Chat or private messaging has
always been considered the weak link of the fediverse since it's easy for bad
servers to mishandle "private" toots.

~~~
0xb100db1ade
I wish that Keybase could work with the Signal team on something.

Signal has a lot of experience in UI [1] and security, and Keybase had the
identity proofs. I'd love to see them work together rather than compete.

[1] Signal UI used to be horrible but as of the past few months it's improved
a ton! It's now my preferred SMS client.

~~~
giggles_giggles
> Signal UI used to be horrible but as of the past few months it's improved a
> ton!

That's funny, I've had the opposite experience. Once I got everyone I know to
start using it and was completely locked-in, I started having all kinds of
weird issues.

My favorite is when my phone has been off awhile. After I turn it back on, I
get a notification for every message I sent/received on another device while
it was off. Usually takes about 30 minutes for it to fully sync, buzzing
and/or producing popups for every message along the way. I have about a dozen
equally frustrating issues I could, if I had the time, enumerate.

And of course because it's free, there's no real support. Signal has been a
huge disappointment for me. I'm preparing to move back to regular SMS, but now
I have to untangle all of the users like my mother that I convinced to use
Signal. Caveat emptor!

~~~
pault
You'd rather opt in to global passive surveillance than deal with an
inconvenient UX?

~~~
giggles_giggles
It's not inconvenient, it's broken. The issue I described above is not the
only misbehavior to which I'm frequently subjected. Another example: messages
are delayed, often.

Recently I failed to reply to an urgent text about a medical diagnosis from my
fiance due to Signal failing to push the message to my phone. This is
unacceptable behavior from a critical application.

Do I get on a soapbox about how surveillance is terrible and miss being there
for her by insisting on using Signal? No! I want her to be able to get in
contact with me if there's an emergency, and that's the #1 priority.

~~~
arthur_pryor
(note: not trying to say the medical diagnosis scenario you describe is less
important than your contribution to getting the world off SMS, just
spitballing how we can work towards timely updates in our current world _and_
wean off SMS)

in the situation you describe, or any urgent situation where speed of
communication is paramount, what about bombardment through multiple channels?
like, i'll often leave my phone out of my pocket, and not pay super close
attention to it. and if it lights up with one text message, or one signal
message, or whatever, i might not look at it. but if it's buzzing like crazy,
or someone starts calling, i'd pick it up.

i guess what i'm saying is, "urgent" to me means signal/text/call/call someone
that might be around the person/whatever, until the message gets through. if
something is urgent, i would not send it solely by text. i've certainly had
SMS messages get dropped or delayed many many times over the years.

can you really only use one messaging app at a time? signal is my primary
messaging app, but i don't really find it bothersome to use whatsapp and
regular SMS also. different people i communicate with prefer different
channels, and often the same person will use different channels with me
depending on the purpose (e.g., my dad mostly chats with me by SMS, and most
of my immediate family's group chat is on SMS, but when my dad is texting with
me about some sensitive personal financial info, it's over signal).

also, i hope that whatever the urgent issue was, it was resolved in an ok way.
like i said, not trying to shortchange the urgency of a medical emergency or
second guess your decision making or frustration at the time.

------
wut42
This sucks -- not all Mastodon instances will be able to use this. It's
subject to approval by keybase, ensuring only big instances can use this. A
step backwards a proper decentralized network…

~~~
xgess
Keybase team member here. We have more than 30 so far, and they range from
some of the largest down to single-user instances.

~~~
mirimir
OK, but what about "sex workers and such" that wut42 mentions in a subthread?

------
Leace
From:
[https://keybase.io/docs/proof_integration_guide](https://keybase.io/docs/proof_integration_guide)

> To send us the config, you can send us the public URL for your config file
> or attach it directly in a Keybase chat message to @mlsteele or email
> miles@keyba.se. In our example the file is hosted at
> [https://keybase.io/.well-known/example-proof-config.json](https://keybase.io/.well-known/example-proof-config.json).

Will this always require manual step (sending config by e-mail) or is there
some automation planned?

~~~
malgorithms
Good q - this step will likely be automated soon. Still, there will always be
one final step of our _approving_ any integration, otherwise there would be
10,000 pr0n sites or ad sites. (We mention this in the FAQ.) But we can
automate everything up to turning it on.

For now, we want to talk to everyone working on integrations, so we can see
what steps are working and what are confusing, what could be improved, etc. So
we're talking to everyone doing an integration.

~~~
velcrovan
I still don't get it. You have always been able to get a keybase proof for ANY
website/domain without being approved first. Why do you need to whitelist
mastodon instances? Why not just let people type in the domain name for their
instance and get rolling?

~~~
fermuch
But now they're showing every integration possible (as in, every mastodon
instance they approve of) on their UI

~~~
velcrovan
Again…why? who cares? Why is picking from a pre-approved list better than just
letting people type in their instance domain name and allowing every instance
by default?

~~~
Leace
Agreed. Not to mention Mastodon could've a linkback to Keybase with all data
pre-filled (username + instance name). For example in Settings a link "Connect
with Keybase".

------
gtt
I never understood keybase as a useful product. What do you use keybase for?

~~~
Nadya
Task: Send me a tweet on Twitter. Careful not to send it to any imposters.

Challenge: Finding me on Twitter. For example, I am not @Nadya

Extra Credit Challenge: Let's say I'm e-famous enough to have imposter
accounts but not have a Twitter "verified" badge. Which Twitter account is the
real me? And how do you know?

Where Keybase comes in: On my HN profile itself you can find my signatures on
Keybase. Keybase is not necessary for these signatures but becomes a
convenient place to look. You also _do not need to trust Keybase_ ; although
in practice many people will. Don't lie to me and tell me you'd verify the
keys. :)

Now you can go directly from my HN profile to my Twitter profile and tweet at
me knowing that I am who I say I am. Or at least the individual posing as me
has access to three of my accounts (HN, Keybase, and Twitter) and that you'd
at least be talking to the same person.

The social proof and web of trust bit is where Keybase falls down but that's
an inherent flaw of the web of trust (key exchange parties aren't as popular as
they used to be and people will sign/trust keys of people they've never met
IRL). Ultimately you'll have to trust that the people who follow me on Keybase
are certain beyond a reasonable doubt that I am who I say I am. From there,
you can trust the social proofs.

I personally use it so that people can find me on other services more easily
and know that they are speaking to me.

~~~
eadmund
> On my HN profile itself you can find my signatures on Keybase.

… or your HN account could just link straight to your Twitter account. I don't
get what Keybase adds here.

~~~
Twisol
If you have an account on N different sites, and you want to let people
identify you between each of those, linking directly requires (N-1) links per
profile, or N*(N-1) links total. When you create a new profile elsewhere, you
need to update your profile on each of the N original sites, plus add N links
in your profile at the new site.

Or you could collect all of your identities into a Keybase profile, which all
of your other profiles link to. That's a lot less to manage. Plus, proving
your identity at some site (usually) has the byproduct of pointing back at
your Keybase profile, so even if you come at this just from a "less work for
me" angle, you're getting verifiability for free.

~~~
WA
Or you could collect all of your identities in one other central place (say
your website or HN) and link to the central place from all other profiles.
Because that is exactly the scenario you just mentioned. Having direct links
to all other profiles isn't solved by keybase. The only thing it provides is a
central place for profile links – and there are obviously other ways to
achieve this.

~~~
bloopernova
Sure, but if you look at how Keybase is verifying the information and how it
is presenting that trust to external users, I feel that the value they are
providing has increased greatly over a static page listing social network IDs.

Take a look at
[https://keybase.io/anthonyclarka2/sigchain](https://keybase.io/anthonyclarka2/sigchain)

You can see a whole bunch of extra crypto is being used to verify the
information.

------
bloopernova
Keybase is certainly interesting. Is it possible to link up to your
stackoverflow identity yet?

How are people using Keybase right now? I added several of my accounts but I'm
especially interested in the GPG encryption/signing.

~~~
dcbadacd
StackOverflow integration sounds really cool. Wish they added Discourse
support as well - hard to prove I'm me on all of these Discourse instances.

~~~
xfalcox
Tracking the Discourse implementation here:
[https://meta.discourse.org/t/discourse-keybase-proof/115239?...](https://meta.discourse.org/t/discourse-keybase-proof/115239?u=falco)

------
waferedpie
Can someone explain Mastodon to me? Because I’m not really sure I “get” it.

As I understand it, I need to register for Mastodon at some server ``foo``,
and with this one single registration I can also access other servers ``bar``
and ``baz`` and read what their members post, but I’m not able to post on
those servers myself, only on my original ``foo`` server.

So what happens when ``foo`` goes under for whatever reason? Or what if the
admins at ``foo`` decided to ban me from their server for whatever reason? Am
I just shit out of luck now?

And what if my friends decide to join Mastodon some time later, but they all
agree to join ``bar`` leaving me the odd person out? I think I’ve read
somewhere that it’s not possible to relocate my ‘home server’?

~~~
fiatjaf
Yes, you are right.

The entire ActivityPub concept is flawed, but not because you would be left
alone in your server, it's the opposite: since you're interacting with your
friends, your friends' server would then fetch all posts from your server and
vice-versa, it will be as if there was just one server, but maintenance costs
are now duplicated and the discovery process is not great also.

These problems are less problematic the smaller the servers are, which makes
me think the best structure would be one in which each user is its own server
and just syncs to temporary syncing hubs when possible -- or maybe sync
directly to other online peers they know.

Oh, wait, that's what
[https://www.scuttlebutt.nz/](https://www.scuttlebutt.nz/) does!

(Disclaimer: I don't use Scuttlebutt nor Mastodon nor anything like that, and
I really thought about Scuttlebutt in the middle of my comment, not before.)

------
AgentME
Bug report: I just connected my Mastodon.social and Keybase profiles. On my
Keybase profile, the "post" link next to my Mastodon.social profile link
doesn't go directly to the proof post, but instead just links to my profile
again.

------
forgotmypw3
I'm working on a web-based system that uses PGP key as identity.

How do I integrate with Keybase?

------
s09dfhks
I'm not entirely sold on keybase.

Why would I want my online presence 100% identifiable and traceable back to
me?

What is the appeal of this service exactly?

