Introducing PortaFed — cryptographic account portability for #ActivityPub
Fediverso
18
Posts
7
Posters
15
Views
-
@PortaFed ~ do you think these ideas would work alongside the existing work being done by the W3C social web community group? https://swicg.github.io/activitypub-data-portability/lola
I *think* you're solving the issue of "my server disappeared, I don't have a backup, and I can't prove I'm still me." Is this close?
Because that's the one use case that the portability spec DOESN'T do. So, maybe there's a way for us to work together, instead of making competing standards.
@benpate Yes, that’s exactly the gap I’m aiming at: the case where the old server is gone, hostile, or unavailable, and the user needs some way to carry forward verifiable account state without relying on that server’s cooperation.
My reading is that LOLA covers the cooperative portability path well, while this harsher failure case still needs more work. I don’t see PortaFed as a competing standard so much as a possible building block for that scenario. -
@benpate Yes, that’s exactly the gap I’m aiming at: the case where the old server is gone, hostile, or unavailable, and the user needs some way to carry forward verifiable account state without relying on that server’s cooperation.
My reading is that LOLA covers the cooperative portability path well, while this harsher failure case still needs more work. I don’t see PortaFed as a competing standard so much as a possible building block for that scenario.@PortaFed That's awesome. Let's work you into the existing effort. We could use all the help we can get.
Also: I'm pretty new to the data portability spec; so I know that "hostile server" is out of scope, but I wasn't there to know why that choice was made. I'm *guessing* is was too much to tackle at the time.
But one way or another, it would be great to have something in place for this situation, too.
I still need to read your work fully, so I understand what we're talking about :)
-
-
@jonny@neuromatch.social tracks doesn't it 😝
-
@PortaFed That's awesome. Let's work you into the existing effort. We could use all the help we can get.
Also: I'm pretty new to the data portability spec; so I know that "hostile server" is out of scope, but I wasn't there to know why that choice was made. I'm *guessing* is was too much to tackle at the time.
But one way or another, it would be great to have something in place for this situation, too.
I still need to read your work fully, so I understand what we're talking about :)
@benpate That would be great and happy to contribute wherever it fits.
My guess on the scope decision is the same as yours: hostile-server recovery is genuinely harder, and a cooperative spec is already a lot to get right. Makes sense to tackle it separately.
Take your time reading. I'll put together a short write-up of how MigrationProof could slot into the existing spec easier to react to something concrete than to an abstract pitch. -
Introducing PortaFed — cryptographic account portability for #ActivityPub
When your server shuts down, your identity and posts are gone.
PortaFed fixes this with a MigrationProof: a Merkle commitment
over your full export, signed by your ed25519 key, verifiable
by any destination server without contacting the origin.No blockchain. No registry. No core spec changes.
Spec + Rust implementation:
https://codeberg.org/portafed/portafedFeedback welcome — especially from server maintainers.
I have a couple of comments regarding the spec https://codeberg.org/portafed/portafed/src/branch/main/portafed-spec/spec.md
It contains a comparison with FEP-ef61, but it is not quite correct:
- FEP-ef61 identity is not actor-rooted. The closest equivalent of FEP-ef61 identity in normal ActivityPub is a server with a domain name. A single FEP-ef61 authority can manage multiple actor documents.
- FEP-ef61 does not lack a migration flow. Strictly speaking, it doesn't need one, because data is not attached to a server and can be continuously synchronized between multiple servers. But a more familiar migration flow is also possible via outbox export-import. -
I have a couple of comments regarding the spec https://codeberg.org/portafed/portafed/src/branch/main/portafed-spec/spec.md
It contains a comparison with FEP-ef61, but it is not quite correct:
- FEP-ef61 identity is not actor-rooted. The closest equivalent of FEP-ef61 identity in normal ActivityPub is a server with a domain name. A single FEP-ef61 authority can manage multiple actor documents.
- FEP-ef61 does not lack a migration flow. Strictly speaking, it doesn't need one, because data is not attached to a server and can be continuously synchronized between multiple servers. But a more familiar migration flow is also possible via outbox export-import.@silverpillThank you , these are important corrections and I appreciate you taking the time.
You're right on both points. I'll update the spec to reflect that FEP-ef61 authority is not actor-rooted in the way I described, and that migration is possible via outbox export-import. I was overstating the gap.
The distinction I was trying to draw is narrower: -
@julian @PortaFed
giving a further read: I can't really imagine a case where someone would a) regularly be creating signed backups and also b) know in advance where you wanted to migrate to to set thedestination_did. Like if this is for the case where the instance has shut down, you might have some signed backup, but you probably haven't planned in advance where you would want to migrate, and if the instance is down you wouldn't be able to create the migration object after the fact.the validation strategy for the export is sort of mystifying to me. if the whole object is signed, then why would you need a merkle tree for objects and also an object count? if the contents of the object have changed post signing, then the signature validation will just fail and those are irrelevant.
true to form for LLM generated documents, several critical things are left undefined, like what
last_accepted_sequenceis or how that works.probably the most important problem is that it's not really clear how all other instances are supposed to handle this, which is the entire hard part of a migration spec. Like, if the purpose here is to preserve identity, then you would need to have all the other instances come to see the new identity as being equivalent to the old identity, and there's no discussion of how that process works for third-party instances at all. like e.g. in FEP-1580 i had to spend a long time gaming out scenarios for how third party instances would handle a move event.
so without that it's not really an account portabiltiy spec, it's an account export/import spec, which is fine, just not really needed since signing objects and collections (which this spec should use anyway) is already described by other specs.
-
@julian @PortaFed
giving a further read: I can't really imagine a case where someone would a) regularly be creating signed backups and also b) know in advance where you wanted to migrate to to set thedestination_did. Like if this is for the case where the instance has shut down, you might have some signed backup, but you probably haven't planned in advance where you would want to migrate, and if the instance is down you wouldn't be able to create the migration object after the fact.the validation strategy for the export is sort of mystifying to me. if the whole object is signed, then why would you need a merkle tree for objects and also an object count? if the contents of the object have changed post signing, then the signature validation will just fail and those are irrelevant.
true to form for LLM generated documents, several critical things are left undefined, like what
last_accepted_sequenceis or how that works.probably the most important problem is that it's not really clear how all other instances are supposed to handle this, which is the entire hard part of a migration spec. Like, if the purpose here is to preserve identity, then you would need to have all the other instances come to see the new identity as being equivalent to the old identity, and there's no discussion of how that process works for third-party instances at all. like e.g. in FEP-1580 i had to spend a long time gaming out scenarios for how third party instances would handle a move event.
so without that it's not really an account portabiltiy spec, it's an account export/import spec, which is fine, just not really needed since signing objects and collections (which this spec should use anyway) is already described by other specs.
@jonny@neuromatch.social honestly good for you for investing the time to critique this knowing it's AI (adjacent or wholesale) involvement.
-
@julian @PortaFed
giving a further read: I can't really imagine a case where someone would a) regularly be creating signed backups and also b) know in advance where you wanted to migrate to to set thedestination_did. Like if this is for the case where the instance has shut down, you might have some signed backup, but you probably haven't planned in advance where you would want to migrate, and if the instance is down you wouldn't be able to create the migration object after the fact.the validation strategy for the export is sort of mystifying to me. if the whole object is signed, then why would you need a merkle tree for objects and also an object count? if the contents of the object have changed post signing, then the signature validation will just fail and those are irrelevant.
true to form for LLM generated documents, several critical things are left undefined, like what
last_accepted_sequenceis or how that works.probably the most important problem is that it's not really clear how all other instances are supposed to handle this, which is the entire hard part of a migration spec. Like, if the purpose here is to preserve identity, then you would need to have all the other instances come to see the new identity as being equivalent to the old identity, and there's no discussion of how that process works for third-party instances at all. like e.g. in FEP-1580 i had to spend a long time gaming out scenarios for how third party instances would handle a move event.
so without that it's not really an account portabiltiy spec, it's an account export/import spec, which is fine, just not really needed since signing objects and collections (which this spec should use anyway) is already described by other specs.
@jonny @julian You're right on all three points. Updated the spec: destination_did is now optional the backup-before-shutdown case is the primary use case and requiring a destination in advance was a mistake.
Added Section 5.1 explaining why the Merkle tree exists alongside per-object signatures: the signatures prove per-object authenticity but not completeness. A Merkle root over the full set detects silently dropped objects.
Added Section 8 explicitly scoping this as an export/import substrate -
@jonny @julian You're right on all three points. Updated the spec: destination_did is now optional the backup-before-shutdown case is the primary use case and requiring a destination in advance was a mistake.
Added Section 5.1 explaining why the Merkle tree exists alongside per-object signatures: the signatures prove per-object authenticity but not completeness. A Merkle root over the full set detects silently dropped objects.
Added Section 8 explicitly scoping this as an export/import substrate
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@PortaFed
@julian
Why wouldnt the whole export object be signed? If an object is missing, the merkle root wouldnt match and you wouldnt be able to do partial validation anyway. I could have missed something on the strategy there
-
@jonny @julian You're right on all three points. Updated the spec: destination_did is now optional the backup-before-shutdown case is the primary use case and requiring a destination in advance was a mistake.
Added Section 5.1 explaining why the Merkle tree exists alongside per-object signatures: the signatures prove per-object authenticity but not completeness. A Merkle root over the full set detects silently dropped objects.
Added Section 8 explicitly scoping this as an export/import substrate
-
@jonny@neuromatch.social honestly good for you for investing the time to critique this knowing it's AI (adjacent or wholesale) involvement.
-
@julian @PortaFed
giving a further read: I can't really imagine a case where someone would a) regularly be creating signed backups and also b) know in advance where you wanted to migrate to to set the destination_did. Like if this is for the case where the instance has shut down, you might have some signed backup, but you probably haven't planned in advance where you would want to migrate, and if the instance is down you wouldn't be able to create the migration object after the fact.the validation strategy for the export is sort of mystifying to me. if the whole object is signed, then why would you need a merkle tree for objects and also an object count? if the contents of the object have changed post signing, then the signature validation will just fail and those are irrelevant.
true to form for LLM generated documents, several critical things are left undefined, like what last_accepted_sequence is or how that works.
probably the most important problem is that it's not really clear how all other instances are supposed to handle this, which is the entire hard part of a migration spec. Like, if the purpose here is to preserve identity, then you would need to have all the other instances come to see the new identity as being equivalent to the old identity, and there's no discussion of how that process works for third-party instances at all. like e.g. in FEP-1580 i had to spend a long time gaming out scenarios for how third party instances would handle a move event.
so without that it's not really an account portabiltiy spec, it's an account export/import spec, which is fine, just not really needed since signing objects and collections (which this spec should use anyway) is already described by other specs.
-
@silverpillThank you , these are important corrections and I appreciate you taking the time.
You're right on both points. I'll update the spec to reflect that FEP-ef61 authority is not actor-rooted in the way I described, and that migration is possible via outbox export-import. I was overstating the gap.
The distinction I was trying to draw is narrower:
-
I have a couple of comments regarding the spec https://codeberg.org/portafed/portafed/src/branch/main/portafed-spec/spec.md
It contains a comparison with FEP-ef61, but it is not quite correct:
- FEP-ef61 identity is not actor-rooted. The closest equivalent of FEP-ef61 identity in normal ActivityPub is a server with a domain name. A single FEP-ef61 authority can manage multiple actor documents.
- FEP-ef61 does not lack a migration flow. Strictly speaking, it doesn't need one, because data is not attached to a server and can be continuously synchronized between multiple servers. But a more familiar migration flow is also possible via outbox export-import.
-
@benpate That would be great and happy to contribute wherever it fits.
My guess on the scope decision is the same as yours: hostile-server recovery is genuinely harder, and a cooperative spec is already a lot to get right. Makes sense to tackle it separately.
Take your time reading. I'll put together a short write-up of how MigrationProof could slot into the existing spec easier to react to something concrete than to an abstract pitch.
-
@jonny@neuromatch.social tracks doesn't it 😝
