by Royalaid 3693 days ago
Just curious, how would you solve the authentication problem? I worked on a semester-long project building decentralized chat and found this, as well as bootstrapping to a node that you could trust, to be some of the hardest problems to solve, because it always boiled down to just trust.
4 comments

As he said, first you should encourage your users to authenticate one another by out-of-band means. Then display who you truly authenticated. This can be gamified to encourage users to do it.

Now, to authenticate a user out of band you can just have a shared secret that both users need to enter. You can share that secret via another channel in the hope that it is not man-in-the-middled (or at least not by the same attacker). But then it is close to trust-on-first-use (TOFU) security: often "good enough", sometimes not (SMS).

Now if you're looking for cool ways to force the user to do it IRL, there are things like Bluetooth and NFC that would help.

There are also easier ways to do that, as ashitlerferad says, that we use for larger problems like mail and www: web of trust (WOT) and public key infrastructure (PKI).
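As an added illustration of the TOFU-plus-out-of-band scheme described in this comment (not code from the thread), here is a small Python key store: it pins a peer's key on first use, reports a changed key as a mismatch, and only marks a peer "verified" after both users derive a matching tag from a secret entered out of band. Key bytes, peer names and the secret are constructed for the demo; the tag is a simplified HMAC check, not OTR's SMP, and a low-entropy secret can be brute-forced by anyone who observes the tag.

```python
import hashlib
import hmac

def fingerprint(pubkey: bytes) -> str:
    """Short displayable hash of a peer's public key (keys here are constructed bytes)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]

def oob_tag(secret: bytes, fp_a: str, fp_b: str) -> bytes:
    """Tag each user derives from the out-of-band secret and the two fingerprints
    they see; fingerprints are sorted so both sides compute the same value."""
    msg = b"oob-verify|" + "|".join(sorted([fp_a, fp_b])).encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()

class PeerKeyStore:
    """TOFU pinning plus a 'verified' flag that only an out-of-band check can set."""
    def __init__(self, my_pubkey: bytes):
        self.my_fp = fingerprint(my_pubkey)
        self._pins = {}          # peer name -> fingerprint pinned on first use
        self._verified = set()

    def on_key(self, peer: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        pinned = self._pins.get(peer)
        if pinned is None:
            self._pins[peer] = fp
            return "new"         # first use: accept and pin, but display as unverified
        if pinned != fp:
            return "mismatch"    # pinned key changed: warn, do not silently re-pin
        return "verified" if peer in self._verified else "pinned"

    def confirm(self, peer: str, secret: bytes, their_tag: bytes) -> bool:
        """Equal tags mean both users see the same pair of keys, so nobody sits between them."""
        pinned = self._pins.get(peer)
        if pinned is None:
            return False
        mine = oob_tag(secret, self.my_fp, pinned)
        if hmac.compare_digest(mine, their_tag):
            self._verified.add(peer)
            return True
        return False

def simulate(mitm: bool) -> tuple:
    """Alice and Bob pin each other's keys; with mitm=True an attacker hands Bob its
    own key in Alice's name. Returns (confirm result, Bob's status for Alice)."""
    alice_key, bob_key, mitm_key = b"alice-pub-constructed", b"bob-pub-constructed", b"mitm-pub-constructed"
    secret = b"pizza-tuesday"    # constructed; agreed over a second channel (phone, in person)
    alice, bob = PeerKeyStore(alice_key), PeerKeyStore(bob_key)
    alice.on_key("bob", bob_key)
    seen_by_bob = mitm_key if mitm else alice_key
    bob.on_key("alice", seen_by_bob)
    tag_from_alice = oob_tag(secret, alice.my_fp, fingerprint(bob_key))
    ok = bob.confirm("alice", secret, tag_from_alice)
    return ok, bob.on_key("alice", seen_by_bob)
```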

I'd offer up keybase.io as a workable way to solve this authentication problem. On keybase I can authenticate my identity by leveraging social media and public identity proofs across multiple services.
Out of band, very public signatures. Of course this only works for fairly known people, but the reporter example could be easily covered by that solution. Publishing signatures with every article for example.

This fails for two anonymous people... but that's "by design" of being anonymous.

> This fails for two anonymous people... but that's "by design" of being anonymous.

It's almost like a tautology: by definition, someone who is anonymous has no identity to authenticate.

There are several ways:

Central authorities: SSL, DNSSEC

TOFU: SSH, OTR, etc.

Web of trust: OpenPGP

Not sure, but I think Signal/WhatsApp use a combination of central authority, TOFU and in-person two-party verification, but no web of trust.