@koteisaev @sozialwelten FWIW, since Nostr identities are based on key pairs by design, and its developers care a bit more about privacy, E2EE DMs are already being tested via an MLS-based protocol there:

I think it's a shame that none of the large AP implementers are prioritizing this, because without user-owned keys, not just are DMs unencrypted, but there can be no true user sovereignty and account portability on the fediverse.

@raucao @koteisaev @sozialwelten the problem is, as always, key management. nostr has the advantage that people are already comfortable with handling cryptographic keys. e2ee on AP doesn't make much sense if people don't own their keys.

@lain @sozialwelten @koteisaev Yes.

@raucao @lain @sozialwelten @koteisaev FWIW, encryption with user-owned keys is on my roadmap. I don't want to start with MLS, though, it's too complex. The first prototype will likely encrypt messages with user's identity key, as described in https://codeberg.org/silverpill/feps/src/branch/main/0806/fep-0806.md

@silverpill @lain @sozialwelten @koteisaev That could be the first step for anyone. Still better than sending unencrypted DMs around.

sozialwelten@ifwo.eu I apologize if my point of view may seem conservative and narrow-minded... but in my opinion, pushing for the integration of encrypted messaging into the Fediverse is not advisable. I believe the best solution is that of the Lemmy developers, who have created a button that allows two users with a Matrix account to communicate via software designed for secure communications.

@raucao @silverpill @lain @sozialwelten @koteisaev the problem is not e2ee in itself. It's all the consequences: key management ux nightmare, no spam prevention from servers, no csam filter on servers, no search in server (client must download everything to index and search locally, good luck with mobile). I don't see a world where we have both e2ee and good usability

@lutindiscret @raucao @silverpill @lain @sozialwelten
I seen a good explainer (can't recall where) that systems either created for public communication (such as social media & activity pub) or for private communication (such as e2ee messengers). And them both don't mix well.
So attempt to stretch e2ee over fediverse will end mass usage of technical and social crutches and band-aids.
That explainer proposed to use email for direct messages (with PGP?), OR giving links pointing to e2ee messengers

@koteisaev yes. Fediverse is designed to give everyone a megaphone. Some people want to use the megaphone to have private conversations. Quite a strange idea. Same for e2ee encrypted messengers some will use as a megaphone (making rooms with thousands people).

I agree a protocol between x people to automatically negociate a chatapp to dm would be cool. Or maybe integrate xmpp, there is a bluesky dm implementation based on matrix. Reuse may work best

@raucao @silverpill @lain @sozialwelten

@silverpill @raucao @lain @sozialwelten @koteisaev

As a note, FEP-0806 is overly simplistic in that it has no forward secrecy.

As an easy improvement, if the sender also generates a per-message ephemeral X25519 keypair, you can do static-static + static-ephemeral KEX and get imperfect forward secrecy (no additional round trips required).

@lutindiscret @koteisaev @raucao @lain @sozialwelten

>Fediverse is designed to give everyone a megaphone.

This is true for (micro)blogging platforms, but Fediverse is bigger than that. Some platforms are designed primarily for private communication (Hubzilla & co), and ActivityPub works very well for them.

>Or maybe integrate xmpp, there is a bluesky dm implementation based on matrix. Reuse may work best

It is easier to encrypt ActivityPub messages than to implement additional protocol like XMPP. We can reuse cryptographic libraries, though.

@greyarea @raucao @lain @sozialwelten @koteisaev Thank you for the advice. I need to start with something simple in order to learn how cryptography works. Then it will be replaced with a more secure scheme.

From what I learned so far, the core principle is pretty much the same in all modern encryption schemes, they differ in how shared symmetric key is generated. Is that correct?