Accounted verifiable toots

[FantasticoFox]

Pitch

This is for dear friends of digital sovereignty, freedom of speech, and digital democracy,

we all suffered from the information warfare age we are in, and the lack of accountability in social networks. This is due to an increase in misinformation, manipulation, deep fakes, bots, censorship and reach manipulation in social media platforms (and the information grid in general) where pretty much all big tech companies are in with. This all has been documented with the Twitter files which documented the collusion between different governmental organizations and the big tech companies and their information networks and services.

To strengthen independent and free social networks, information must be accounted for by cryptographic metadata. This means we know what was posted and when by which account (that does not imply a KYC). An account could be simply created without any e-mail or password just by using a public-private key pair.

Mastodon has gained momentum recently because of Twitter affairs and it's a good time to promote and support the development of Mastodon as a free and open social network.

We would like to support this by establishing accounted verifiable toots by supporting wallet login, signatures, integrity verification, and cryptographic time stamping.

We implemented the AQUA protocol (documentation here https://aqua-protocol.org is experimental). Our first integration is with Mediawiki, by developing an extension for it to add all the cryptography to get verifiable datasets in Mediawiki (to say it differently, to fully account for the data).

We added GPG-like signatures to Wikipedia articles (revisions) but we have done all the other work as well to do integrity verification, log in with wallet, and cryptographic time stamping.

We believe that the right way to go is the widely adopted browser-based key management with wallets. If you want increased security, because you deem the browser to be too insecure, you can use a hardware wallet (~around 50 Euro /USD).

We use Ethereum as a standard for key management. We use the Ethereum wallets because of their wide adoption with way more than 10 million users worldwide, a large ecosystem with software and hardware wallets, and an extensive set of created standards to allow various safe interactions with those wallets.

In addition to login and signatures (which work fully off-chain), we are using it for cryptographic time stamping (on-chain).

We developed a MediaWiki Extension that implements all the required cryptography into the Mediawiki instance and developed a web extension that verifies the signatures, hashes, and proof of existence (cryptographic time stamping). We see the potential to do the same with Mastodon.

See proof of concept for wallet login and wallet signatures here:

• Login with a wallet: https://www.youtube.com/watch?v=zD6_E-2LH_4&t=50s

• We could easily integrate wallet login via the OpenID API which has been merged to Mastodon https://github.com/mastodon/mastodon/issues/7958

• Signing: https://www.youtube.com/watch?v=jKe_-ayIpwY You could sign toots similar to that.

• Cryptographic time stamping by publishing a hash: https://www.youtube.com/watch?v=zD6_E-2LH_4

All those things are necessary to ensure that we can successfully address fake news and misinformation.

An integration in Mastodon is not an easy feed, as we would propose to do that with an extension of the decentralized social media protocol with the full set of cryptographic metadata required for verification.

If you're convinced, as I am, that public-private keys are the new identity anchors we need to rely on, then it would be massively beneficial for Mastodon to integrate it.

Recommended next step: Develop a Mastodon fork as a proof of concept to integrate with the aqua protocol.

• This requires us to extend the protocol with the aqua metadata.
• Change the way how we link, from Weblinks to also include the verification hash of the toot we are linking to (so we work with interlinking hashes to create hash-chains). So a source can not be altered after the fact. A link becomes stateful. This could be an optional decision when inserting a link).
• Add and expose an API for verification on the Mastodon server.
• Same API should be used to transfer the data to the other Mastodon servers which also need to have the database required to store all the cryptographic metadata for all toots which support this feature.

All development is done open source. All documentation and code from our site are available as GPLv3.

Wish you all a happy new year, Tim Bansemer

Motivation

How do we trust in the origin and integrity of digtial data? We add an integrity layer to ensure we can account the data to it's origin. Furthermore digital identites are much stronger if they are based on cryptographic keys.

[JacksonChen666]

tl;dr: "We're using cryptocurrency to solv problems (moderation, something sovereignty, verified toots, wikipedia, etc.)"

(ignore the fact that it's [cryptocurrency](https://drewdevault.com/2021/04/26/Cryptocurrency-is-a-disaster.html))

[RokeJulianLockhart]

@FantasticoFox, your suggestion contains multiple technologies which interact in nondescript manners to achieve ultimately nondescript outcomes, despite this proposition being the utter opposite of concise. Some rephrasal is necessary if you are to receive any support.

[rbairwell]

ActivityPub updates are already cryptographically signed. If a "non-username/password" login required, there are several tried and tested technologies such as WebAuthn (aka "Apple Passkeys" practically) and SQRL (along with FIDO/FIDO2) etc.

There are already social networks orientated around cryptocurrency - such as Minds - and cryptographic keypairs - such as Nostr - and Bluesky says it'll be based on PublicKeys

I say "No" to this (not just because this is a buzzword filled request by someone invested in the proposal and asking Mastodon to implement something which, by its own documentation, "is heavily under development" - and, from what I can tell from the "reference implementation of AQUA Protocol" relies on a centralised third party anyway for authentication)

[FantasticoFox]

tl;dr: "We're using cryptocurrency to solv problems (moderation, something sovereignty, verified toots, wikipedia, etc.)"

This is not an accurate tl;dr; we are not relying on cryptocurrency to solve problems. We rely on cryptography. We are using a part of the infrastructure for key management, and use Ethereum to publish timestamps. But you could also publish those timestamps to the New York Times, or in toots and it would work as well, with less guarantee that the information stays accessible.

[FantasticoFox]

ActivityPub updates are already cryptographically signed. If a "non-username/password" login required, there are several tried and tested technologies such as WebAuthn (aka "Apple Passkeys" practically) and SQRL (along with FIDO/FIDO2) etc.

There are already social networks orientated around cryptocurrency - such as Minds - and cryptographic keypairs - such as Nostr - and Bluesky says it'll be based on PublicKeys

I say "No" to this (not just because this is a buzzword filled request by someone invested in the proposal and asking Mastodon to implement something which, by its own documentation, "is heavily under development" - and, from what I can tell from the "reference implementation of AQUA Protocol" relies on a centralised third party anyway for authentication)

@rbairwell thanks for your reply We haven't looked into Minds but we are put off by the 'earn crypto reward's stuff which is usually a big red flag.

Re: Centralised third-party authentication This is not accurate. In a deployment, every Mastodon server would have its authenticator instance. Therefore this is a federated infrastructure. The identities are not managed by any organization but every instance manages its own identities.

Using SQRL is a nice way to log in and sign data. Certainly, a way to use a mobile phone instead of a hardware wallet. I would say it's less secure than using WebAuthn or a hardware Wallet but it's a great way for useability.

Using WebAuthn is similar to how you use a hardware Wallet to sign in / sign a transaction. Would be useful to support WebAuth as a method to sign data or log in.

The passwordless login/authentication is good to have, but a minimum viable requirement for the integration between Mastodon and AQUA is the integrity verification of a toot, and cryptographically timestamping of a toot to prove its existence. Everything else is secondary.

[JacksonChen666]

ok yeah, i over simplified it.

[rht]

@FantasticoFox, your suggestion contains multiple technologies which interact in nondescript manners to achieve ultimately nondescript outcomes, despite this proposition being the utter opposite of concise. Some rephrasal is necessary if you are to receive any support.

I think the stated goal is clear: to prevent misinformation/information fabrication via timestamping of toots & being able to trace the publisher of the toots. The technologies used are for authentication (Ethereum challenge signing for OpenID), identity management (MetaMask), content management/publication (MediaWiki), and timestamping (to Ethereum on-chain). Maybe this wasn't described concisely.

You may disagree on the tech choice (e.g. why not use PGP, why not use OpenTimestamps instead, etc), but in the meantime the problems of centralized control of means of publication, and misinformation, are still there. The former is being tackled by Mastodon, but the platform itself is still prone to the latter.

[trwnh]

Duplicate of #928