Fediverse Identity Discussion

This is a Friendica group for discussing identity verification in the #fediverse.

Joining and contributing to a Friendica group is easy. To share your posts to the group, follow these steps:

1. Follow this group.
2. To post to the group, post on Mastodon as normal and @mention this group.
3. The group will then boost your post.

You don't need to be a Friendica user to join this group. Because Friendica is part of the fediverse, this group is available to everyone -- including people who use Mastodon!

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-26

@identity Also a vaguely related, but possibly just more generally useful primer on authentication and authorisation (or authorization if your spell checker is set to West Atlantic)

metalsamurai.wordpress.com/202

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-26

@identity If it helps people realise that moving between instances isn't that easy a problem to solve, great. Hopefully someone will come up with a way to make that work.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-26

@identity I had some more thoughts about Mastodon and portable identities. Probably too many thoughts, and none of them were great. Too many for a single toot or even a thread, but you can read it all here:

metalsamurai.wordpress.com/202

Fediverse Identity Discussion boosted:
2023-03-03

@MetalSamurai @identity Is there a doc that describes the user scenarios? I'm new. Apologize.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity In particular alternative authentication schemes such as public and private key pairs mean your server doesn’t need to store a hashed/encrypted copy of your password or have complicated SSO schemes asking other servers to authenticate you, just knowing the private key proves who you are. I think Nostr works this way. Users are not used to this, though.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity Some existing technologies used by either Mastodon or other Fediverse platforms are OAuth, OpenWebAuth, and Zot. These support some of the ideas above.

It would be good to get a clearer idea about how other fediverse platforms have already solved this.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity Wouldn’t it be good if you had a Mastodon account, but could use that to log in to a Lemmy instance and start posting, or post your book reviews on a Bookwyrm server? And if this carried on working even after you’d migrated your Mastodon account to another instance? Or even to a Pleroma instance?

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity SSO or Single Sign On would allow you to use your primary Mastodon account to authenticate and access other services. If you ever used “Login with Twitter/Facebook/Apple/Google” you can see the attraction. Although Mastodon supports OAuth I’m not aware of this working anywhere.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity A true Nomadic identity would allow you to transplant your whole profile, exactly as it is, from one server to another. Some parts of the Fediverse allow for this.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity Your other data (profile information, lists, block/mute lists, following list and all your post history) are not moved and the old account is mostly disabled from use. You can’t migrate if your old instance is no longer available.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity Mastodon account portability exists, but is fairly limited. You can create multiple separate accounts on different Mastodon instances and declare some as aliases of each other. If you want to move your account you set up the aliasing, trigger the migration and your followers will (over time) be notified of your new location and update their following lists.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity An alternative is for instances run by businesses or institutions to manage their own user accounts and ensure that only people they know have accounts so you know that @reporter@news.org really is that reporter.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity You place a special link back to your Mastodon account on a webpage that you manage and a link to that same webpage on your profile and thereby “prove” that the person who can edit that page is the same person that manages the Mastodon account. Maybe you can follow the chain of ownership for who owns the domain, hosting and so on. Maybe you can’t.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity Mastodon has a useful notion of Verification. This is a simple way of mapping your Mastodon identity to another identity elsewhere in the real world. Unlike Twitter’s old blue tick scheme where a Twitter employee would verify that the person with access to an account was who they said they were, the Mastodon scheme is a self service one and relies on a complex web of DNS, registrars, web hosting and web site admins to verify an account.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity This causes grief and confusion for new users who are used to centralised social media such as Twitter where there is only one user database. If you use the web interface for Mastodon and follow threads or click on the user profile of someone on another instance you may not be able to directly interact and you’ll be faced with a login window. The login details from your instance will not work as this other instance has no idea who you are.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity Only your instance knows your email address and password combination.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity The password can either come from Mastodon’s internal database or can use PAM or LDAP to authenticate you against an existing institutional user database (such as Active Directory). Each Mastodon instance manages local handles (usernames - the publicly visible bit). If your instance is instance.tld, and your handle is “user” then once authenticated you can then post as @user@instance.tld and read that user’s home timeline.

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity An identity is a specific actor, usually a person, but maybe a bot or some other special kind of user. In order to use Mastodon you need to authenticate, to prove that you know the password for this account. Usually you provide your email address and a password (and optionally a one time code for two factor authentication if you’ve enabled that).

Fediverse Identity Discussion boosted:
Kevin Davidson (@MetalSamurai@mas.to)
2023-03-03

@identity The following thread contains some proposals or starting points for discussion. Better vocabulary, alternative viewpoints and corrections welcome. Hopefully there are enough people here familiar with both how Mastodon works and how other parts of the Fediverse work so we can all get up to speed. For some of us the first part of this, describing what happens now will not be news.
