Given that #Luxchat will be Matrix-based, I finally tried out the #Matrix / #Element ecosystem. To be frank: If I didn't have reasonable cryptographic knowledge I wouldn't have the slightest idea what is going on:
At the second start of the app it gave a cryptic message about re-authentication and a subsequent warning about data loss. Key backup is rather manual and I have to provide a passphrase that should be different from my password. Cross-signing has to be enabled manually. 1/n

Since some more keys were generated I hit key backup or recovery again (or was it yet another menu entry?) and it spit out a long recovery key that I should keep safe. So that'd be: my account password, a backup passphrase and a recovery key.

Again: I know that crypto is hard and adding it after the fact is always messy, but in the current state it's just a nightmare for a non-technical user.

It's obvious that #Luxchat will have to be way more than just a skin for an existing app. 2/n

At the very least, all encryption keys will have to be derived from the user's password and all auxiliary keys should be generated right from the beginning.
My bet is that the accounts will be linked to #Luxtrust in order to have only properly authenticated users on the platform.
It will be interesting to see how it'll all turn out.
3/3
@hambier Oh, that wouldn't be good, would it?
@klotiii What wouldn't be good? Just reskinning and launching to the general public? That'd be a total clusterfuck 😆
But I really don't think that's the intent, especially since it's foremost for internal use by the state, so Luxtrust should be a given. Maybe that's what made them announce it also for the general public.
@hambier No, the Luxtrust thing.
@klotiii Why not? I guess it all depends on the use cases. But if it's intended for communication with and between gov. agencies and commerces, having proper authentication could be reasonable. (scam prevention...)
It could be problematic for minors. But it wouldn't differ much from other daily activities, banking, guichet.lu, logging in to my work stuff, etc.
(It does not imply that you'd have to relogin daily or so.)
@hambier I'm not a fan of having to authenticate online, especially not if the service is thought to be something you would kinda have to use (don't know if that's the case). If it works here (and even if everything here is not traceable, idc) the floodgate might open for authentication online for most, if not all things.
@klotiii Sure enough, I also do like my pseudonymity 😉
But here we're discussing a platform that's primarily intended for internal government use and for business purposes (see the official announcement).
@hambier And it will be going public at some point, I know.
@klotiii Just to be clear: when Luxtrust started out, with signing sticks and crappy Java middleware, it was a catastrophic experience. Also on older devices when they started with their mobile app. (And I did hate all of it.) But today, with their current app, I think it's mostly fine.