Conversation

Notices

1. Embed this notice
   Alex Gleason (alex@gleasonator.com)'s status on Friday, 14-Jul-2023 12:19:31 JST Alex Gleason
   how to do RSA keys on the Fediverse the good way
   
   DONT: generate an rsa keypair for every user on signup and then store the entire thing in the database. that's called BLOAT, Mastodon
   
   DO: combine the user's id with a secret key as a seed for the RSA PRNG, create the RSA key and then cache it in a LRU cache with a max of like 1000 or so. do all this in realtime so inactive keys get evicted but can be quickly regenerated at any time.
   • Doughnut Lollipop 【記録係】:blobfoxgooglymlem: likes this.
   • GNU Too repeated this.
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Friday, 14-Jul-2023 12:20:45 JST Alex Gleason

     in reply to
     bonus: you can easily support multiple different types of keypairs for all users without database bloat, by seeding each algorithm with a secret key and data unique to that user. then cache it for speed.
   • Embed this notice
     anime graf mays ?️? (graf@poa.st)'s status on Friday, 14-Jul-2023 12:21:30 JST anime graf mays ?️?

     in reply to
     @alex good to see you almost immediately instead of 10, 15 minutes later like yesterday. sort everything out? in the event that happens again you can always call me any time
     Alex Gleason likes this.
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Friday, 14-Jul-2023 12:21:50 JST Alex Gleason

     in reply to

     • anime graf mays ?️?
     @graf Thanks brother. Still running repack, but shutting down some other VMs seems to have freed up enough RAM for now.
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Friday, 14-Jul-2023 12:27:23 JST Alex Gleason

     in reply to

     • Stacks
     @c060b31fe2bbb0be4d393bc7c40a80848a25b8f0e0f382cb5b49c37bf7476cb4 Pragmatic answer: private messages, mainly
     
     Actual answer: HTTP Signaturs, which have a variety of benefits and consequences.
   • Embed this notice
     Stacks (c060b31fe2bbb0be4d393bc7c40a80848a25b8f0e0f382cb5b49c37bf7476cb4@mostr.pub)'s status on Friday, 14-Jul-2023 12:27:24 JST Stacks

     in reply to
     What are RSA keys in the Fediverse used for? 🧐
   • Embed this notice
     InceptionState (inceptionstate@poa.st)'s status on Friday, 14-Jul-2023 12:39:43 JST InceptionState

     in reply to
     @alex Kinda weird that they chose RSA instead of ECDSA. Eg. with Curve25519 the keys would be 32 bytes each which would be much more reasonable to store in the database. Also it's a lot quicker to compute the signatures.
     
     cryptobook.nakov.com/digital-signatures/eddsa-and-ed25519
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Friday, 14-Jul-2023 12:39:43 JST Alex Gleason

     in reply to

     • InceptionState
     @InceptionState Before Mastodon, there was GNU Social. Originally Mastodon federated with GNU Social over OStatus, then later Mastodon switched to ActivityPub. Not sure when RSA came in, but point is there's a long and stupid history (baggage).
   • Embed this notice
     anime graf mays ?️? (graf@poa.st)'s status on Friday, 14-Jul-2023 12:52:45 JST anime graf mays ?️?

     in reply to
     @alex running on the gitlab runner server?
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Friday, 14-Jul-2023 12:52:45 JST Alex Gleason

     in reply to

     • anime graf mays ?️?
     @graf Different one. It has nearly limitless storage space (12TB I think?) but it's all spinning disk.
   • Embed this notice
     InceptionState (inceptionstate@poa.st)'s status on Friday, 14-Jul-2023 12:52:53 JST InceptionState

     in reply to
     @alex Classic. Also apparently the ActivityPub spec doesn't even specify an authentication mechanism.
     
     > Unfortunately at the time of standardization, there are no strongly agreed upon mechanisms for authentication.
     
     w3.org/TR/activitypub/#security-considerations
     Alex Gleason likes this.
   • Embed this notice
     GNU Too (gnu2@gnusocial.jp)'s status on Friday, 14-Jul-2023 12:56:38 JST GNU Too

     in reply to
     @alex why does anyone use Mastodon?
     Alex Gleason likes this.
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Friday, 14-Jul-2023 12:58:56 JST Alex Gleason

     in reply to

     • GNU Too
     @gnu2 Because it's mostly not full of security vulnerabilities and Eugen is great at marketing.
     Marcin Mikołajczak and s4if like this.
   • Embed this notice
     GNU Too (gnu2@gnusocial.jp)'s status on Friday, 14-Jul-2023 12:59:57 JST GNU Too

     in reply to
     @alex " Eugen is great at marketing" is that supposed to be a joke?
   • Embed this notice
     anime graf mays ?️? (graf@poa.st)'s status on Friday, 14-Jul-2023 13:01:41 JST anime graf mays ?️?

     in reply to

     • GNU Too
     @alex @gnu2 im amazing at marketing and you look like eugen. we can capitalize on this you know
     𝕾𝖎𝖗 𝕽𝖞𝖆𝖓 𝕿𝖍𝖔𝖒𝖆𝖘 likes this.
   • Embed this notice
     Kirino Kousaka (kirino@seal.cafe)'s status on Friday, 14-Jul-2023 13:07:17 JST Kirino Kousaka

     in reply to

     • GNU Too
     • anime graf mays ?️?
     no
   • Embed this notice
     Fikrān Mutasā'il (fikran@thebag.social)'s status on Friday, 14-Jul-2023 13:28:58 JST Fikrān Mutasā'il

     in reply to

     • GNU Too
     @alex
     @gnu2 that, and Pleroma doesn't seem to chase features the same way as Mastodon does (sorta)
   • Embed this notice
     GNU Too (gnu2@gnusocial.jp)'s status on Saturday, 15-Jul-2023 03:56:47 JST GNU Too

     in reply to

     • Fikrān Mutasā'il
     I don't know mate. From an end user perspective Pleroma seems to have more useful features than Mastodon does.
   • Embed this notice
     GNU Too (gnu2@gnusocial.jp)'s status on Saturday, 15-Jul-2023 03:58:31 JST GNU Too

     in reply to
     "not full of security vulnerabilities" is that your way of saying GS is?