Hasty Briefsbeta

Bilingual

The Long Tail of Work Left Until ActivityPub Has E2EE

3 hours ago
  • #Fediverse
  • #E2EE
  • #Key Transparency
  • The W3C is developing end-to-end encryption (E2EE) for ActivityPub, separate from a key transparency proposal for the Fediverse.
  • Three main goals are outlined: enabling E2EE messaging (Fundamental), ensuring correct encryption (Security), and verifiably authenticating user keys without central authority (Authenticity).
  • Key transparency provides a decentralized root of trust by logging which ActivityPub actor controls which signing keys, addressing authenticity.
  • Current direct messages lack E2EE, posing legal risks for instance hosts due to plaintext storage of sensitive content like images.
  • MLS (Messaging Layer Security) implementations in various languages (e.g., TypeScript, Rust) are needed for E2EE, with post-quantum ciphersuites recommended.
  • Client software must manage digital signature keys (e.g., Ed25519, ML-DSA) to authenticate MLS KeyPackages, linking to key transparency for public key verification.
  • Authentication methods considered include certificate authorities, key fingerprinting, and key transparency, with a proposed traffic light protocol (green/amber/red) for user verification.
  • HTTP Message Signature libraries need updates to support ML-DSA-44, and Fediverse software should adopt FEP-521a for multiple signing keys per actor.
  • Adoption requires third-party assessments (cryptography audits, penetration tests) and funding for expert reviews to build trust in the implementations.
  • The work emphasizes that most tasks involve general software development and collaboration, not deep cryptography, encouraging broad technical contribution.