One important pattern in social networking is end-to-end encryption for direct messages. This is a structure in which the native or Web clients encrypt the message on the user’s device, and no intermediate actor — neither the users’ servers nor any network node — can read the message.
This wasn’t a big part of our planning for ActivityPub when it was created, but it’s become more important. I think it’s possible to provide the functionality today.
For Activity Streams 2.0, you can set the `mediaType` property of a Note, Article, or other AS2 object. Using one of the encrypted text types — PGP/MIME or S/MIME or both — would make this pretty useful.
So an encrypted Note might look like:
```json
{
  "@context": "https://www.w3.org/ns/activitystreams",
  "type": "Note",
  "mediaType": "multipart/encrypted",
  "summary": "This is an encrypted message.",
  "content": "<Unreadable encrypted content here>"
}
```
This might be a good start to making end-to-end encryption work.
Going further, we’d need the following:
- How to encrypt binary attachments like an Image, Video, or other files. I think using inline content, with the same encryption type, might make sense, but could be too big for some JSON parsers to handle.
- How to exchange keys between people in a conversation. I think a simple Offer activity with a public key object should manage the process pretty well.
- Handling group conversations — adding people to a conversation, removing people from a conversation. I think this should be out of scope; many social messengers treat this as a different conversation.
- How to handle the private keys — keeping them safe on the client, and sharing them with another client (probably with a QR code, like most encrypted messengers do).
- Fallback representation. `summary` is the right thing to use here.
- API. It’s probably easiest to do this with the ActivityPub API, but it’s not widely implemented.
- Two interoperable implementations.
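To make the `mediaType` and fallback points concrete, here is an added example (not code from this post or from any ActivityPub implementation) of how a receiving client could decide what to show: it decrypts when it can, and otherwise shows `summary` instead of rendering the ciphertext as HTML. The helper names, the `decrypt` callback, and the sample plaintext are assumptions made for illustration.

```javascript
// Media types the post proposes: PGP/MIME (RFC 3156) and S/MIME (RFC 8551).
const ENCRYPTED_TYPES = new Set(["multipart/encrypted", "application/pkcs7-mime"]);

// Media types may carry parameters; compare the bare type only.
function baseMediaType(obj) {
  // AS2 treats content as text/html when mediaType is absent.
  const raw = typeof obj.mediaType === "string" ? obj.mediaType : "text/html";
  return raw.split(";")[0].trim().toLowerCase();
}

// Hypothetical client helper. `decrypt` is an assumed callback that takes the
// ciphertext string and returns plaintext, or throws when no usable key exists.
function displayText(obj, decrypt) {
  const fallback = typeof obj.summary === "string" ? obj.summary : "[encrypted message]";
  if (!ENCRYPTED_TYPES.has(baseMediaType(obj))) {
    return { encrypted: false, decrypted: false, text: String(obj.content ?? "") };
  }
  if (typeof decrypt !== "function") {
    // Client without E2EE support: show the summary, never the ciphertext.
    return { encrypted: true, decrypted: false, text: fallback };
  }
  try {
    return { encrypted: true, decrypted: true, text: decrypt(obj.content) };
  } catch (err) {
    // Wrong key or damaged payload: fall back rather than render garbage.
    return { encrypted: true, decrypted: false, text: fallback };
  }
}

// Constructed sample, modelled on the encrypted Note shown in the post.
const sampleNote = {
  "@context": "https://www.w3.org/ns/activitystreams",
  type: "Note",
  mediaType: 'multipart/encrypted; protocol="application/pgp-encrypted"',
  summary: "This is an encrypted message.",
  content: "<Unreadable encrypted content here>",
};

// Stand-in decryptor for the demonstration only; a real client would call
// its PGP or S/MIME library here. The plaintext is constructed.
const fakeDecrypt = (ciphertext) => {
  if (ciphertext !== sampleNote.content) throw new Error("no key for this message");
  return "Lunch at noon?";
};
```
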
I hope that the SocialCG community group takes up this issue and comes out with a recommendation note.