-- Leo's gemini proxy
-- Connecting to bbs.geminispace.org:1965...
-- Connected
-- Sending request
-- Meta line: 20 text/gemini; charset=utf-8
> no way to know that "Morgan" here is the same as "Morgan" anywhere else
This is also a positive aspect for privacy. You are not supposed to be able to track who is who across different servers. I suppose if someone wants others to know that their identity is the same in different places, they'll have to provide some independent evidence of this. For example, links to each account/username on their capsule. A service like Bubble could have a Mastodon-style profile verification using such backlinks.
2023-06-03 · 1 year ago
I think privacy is already well served by allowing free creation of identities and managing which sites they are used on; I was thinking more of impersonation and accidental clashes.
It feels like with identity based on certificates there might be some nice way of solving this.
For example if the browser knew the certificate behind the display name, it could notice that the "Morgan" you encounter is usually the same identity--and highlight visually when it's not. Or if I choose to use a different certificate on each site then the browser could let me know there's never a link and I can do with that what I like.
I don't see any way for that to be doable on Gemini, but maybe there's something that could achieve the same goal.
I was pondering whether you could decorate display names with hashes of the identity, like Lagrange does with site icons / colors; but that doesn't work, there's nothing to stop someone generating random certificates until the display happens to match someone else's.
@morgan what about simple backlink verification? I see the theoretical utility of your idea but wonder if backlinks aren’t already sufficient. If a bubble-like service wanted, it could display check emojis next to profile links with backlinks
> I was pondering whether you could decorate display names with hashes of the identity
Well, technically it is possible to do the equivalent of PGP signatures but using the client certificate key pair. You would have your username followed by a signed hash, and anyone who has your public key could verify that the signature is valid.
However, you'd have to use quite low-level cryptography APIs to do that in practice, and while OpenSSL will let you do it, I'm not sure how many other TLS libraries would. Any client that wouldn't support this would show ugly hashes to the user.
This would be perhaps the only way to prove your identity, but I doubt anyone wants to implement it. Might as well make an actual PGP signed message saying that, "yes, this is my account."
@satch @skyjake
I tried some things, and wrote about them :)
Domain Changed — Please note the original "geminispace.org" domain has been changed to "bbs.geminispace.org". Update your client certificate activation accordingly if you haven't already.
-- Response ended
-- Page fetched on Sun Jun 2 16:40:07 2024