okay look
#mastodev, there needs to be a brainstorm on something:
a lot of users are concerned about cross-instance users using their username and impersonating them

what would be a good and user-friendly way to fix this?
gnu social doesn't even have a fix for this yet, it seems, so...

frankly there just needs to be distinction across instances
like it currently isn't very easy to tell if a user is @example or @[email protected] from the timeline
@b it should show the whole handle if it's not local, IMO.
@b but be configurable on the server, so I wouldn't have to look at whole handles on my private instance if I didn't want to.

@pete i mean, it does, but frankly the issue is demonstrated best by your post

(also, even if it did, how am i supposed to tell at a glance what instance you're on)
https://icosahedron.website/media/_VOotY4ouLk3wUS0f4E

people are misinterpreting the issue
*verification* doesn't matter rn
*impersonation* is the issue here
i want two users with the same username and the same avatar to still be identifiable as different people
(same username and same avatar but different instances, mind you)
@b Alternative example for the same issue, if I understand it right: I use the same @ on different instances, and I've already missed notifications because the person talked to the wrong account when using autocomplete... ^^°
@b To carry on with the email analogy, the solution is the same here: asymmetric key encryption and signing. Hopefully this platform is still malleable enough to allow for a seamless introduction.
@0x7fa046c9 look, i just want [email protected] and [email protected] to be distinct
i don't think *implementing keys and signing* is the solution to what is effectively an ui issue
@b I suppose the question I should ask first then is how much more distinct do you want it and with what amount of verifiability? As it is toots already list the user and instance of origin.
@0x7fa046c9 I want the instance of origin to be visible on this screenshot from the timeline. https://icosahedron.website/media/mO2WnPbsnPnZuTPURtM
@b I'm on board with that. All we need is a newline! :grin:

@b Could someone please make an effort to explain to me the source of the concern? I have a couple of theories, but I want to start with the whole of the problem in my head.

Start with: how is this different from caring whether someone has a similar email address to yours, but at a different domain?

@HedgeMage because it's more public and there isn't exactly a great way of saying "this is me"
imagine if say like email worked like this:
bob wants to find alice, so bob emails alice@ every email domain until he finds alice. what happens when, say, jane registers alice@ and says they're alice?
@b Is there anything else I should put on the list? That's not even the one that occurred to me, so I want to make sure I'm not missing something.
@HedgeMage it's not easy to tell what instance someone is on from the timeline or even from any post
imagine supercalifraglistic joins here
their handle name gets cut off with "..."
imagine a different supercalifraglistic joins another domain
how do you tell at a glance which one is which?
@b I've made some notes, will revisit when I have time to examine the protocol and do some thinking about UI limitations.
@b @HedgeMage Can't this just be solved with hi I'm [@maloki]

@maloki There's some concern over the ability to mix up similarly-named accounts in limited (e.g. mobile) interfaces, and/or what happens when non-technical users go about trying to find other non-technical users (who may not have enough of a well-developed web presence to quickly turn up the right account, especially if a malicious impostor exists).

I'm thinking on it.

@HedgeMage @maloki Working on it. Prepare for content overflow.

https://maly.io/web/statuses/38333

@tim never saw something from you after this...should I have?
@HedgeMage I need a few more weeks. Just. Prepare. :P
@HedgeMage @b Doesn't matter if it is technologically similar, Mastodon is perceived as being one universe (or federation) and if you're just viewing the Fed Timeline, you are not necessarily paying attention to which instance that user is a member of. Therefore, some could create an account with the same name and same avatar as you on another instance, but it isn't actually you and you could be blamed for things you didn't actually post. Email is a terrible analogy.
@b Maybe something with Keybase? Works with verifying identities on the birdsite. Would require compatibility on Keybase's end though.
@b too bad not everyone in that thread retained the #mastodev hashtag..
@b @kitredgrave the fix is simple, display full account names, with domain part intact.
@lambadalambda @KitRedgrave mastodon's ui doesn't have enough room for that
as well, i would like to note the maximum domain length is 253 characters, so frankly i don't think displaying full domain is the solution
@b @KitRedgrave not always, just on hover over the username.
@b something like keybase? if only it supported ostatus-compliant websites...
@b nothing, and that's the deal with federation, like https or any measure users just need to look at the actual site they're on

@b was talking about this this am. too-much-tech solution would be to use keybase to prove your mastodon identity, rather than the other way around...

but we have the same problem with email addresses tbh so maybe people getting used to seeing the second `@` is what is needed?