by danShumway 913 days ago
Same thoughts, I guess. This describes the process, and the process (at least for on-device comparison) sounds almost identical to what Matrix does today. I'm not sure what code is going to be compared; Matrix uses emoji, which I've found helps a lot; neither article for Apple specifies what they'll use.

But :shrug: unless I'm not seeing a broader picture or there are details here that I don't understand, it does kind of sound like this is going to have the same problems that Matrix has. Although, to be fair, I've run into validation errors and syncing problems with Matrix before that theoretically Apple won't have? So maybe it'll be the same UX, but slightly more stable? Although also to be fair, Matrix doesn't require me to update all of my computers in order to verify an identity and Apple seems to be saying that users will need to do that, so I'm not necessarily taking it as a given that Apple's system won't have its own share of annoying caveats.

It's a tiny bit disappointing; my takeaway from Matrix is that this all needs to be easier to do, and I was mildly hopeful that there would be some UI takeaways from Apple's implementation.

Or maybe people will just be more tolerant if it's Apple asking them to jump through the hoops instead of an Open Source messenger? If that's the case, and if the UX really is basically the same as Matrix's, maybe some of that tolerance will bleed over to Matrix as well.


Here’s my verification key, so you know what they look like, since you were wondering what would be shown/compared:

APKTIDJ_J3S3UhVqZKCX5EgKYnh9ez4pO9Hsr5YWv_5pXF5GUcLA

Ow. Okay, I take it back, unless there's something I'm missing then Matrix's system is better than this.

I'm sorry, I just can not imagine asking a non-technical person to copy and paste that into a messenger and then needing to help them debug which letter they left off. It's hard enough to get them to validate "I see a cat, a dog, a horse, a pizza, and a basketball."

I guess I'll wait and see what happens with it, but I'm going to temper my expectations about people adopting this.

To be clear, that code is only for offline verification. For live verification (akin to Matrix's emojis) Apple has you compare an 8-digit code.

Okay, fair, that's a lot better then. Still not ideal, but... yeah, my guess would be then that maybe people mostly do live verification.

I don't know, we'll see what happens. Maybe I'll be wrong and the system will take off.

They both suck; TOFU is bad. Apple should apply their central PKI to certify that contact with their iCloud ID.

TOFU is a good idea when you don't want a central party arbitrating identities like with federated Matrix. Makes little sense with Apple.

You know, that is a good point. Far be it from me to encourage Apple to do more attestation -- to be clear, UX problems aside I don't want a centralized identity management service.

However, from Apple's perspective, this does kind of feel like the worst of both worlds. People have to update their devices to the most recent iOS version, apparently being signed in on an old device just turns off verification, apparently it's not even per-device?

So if that's the case, Apple has all of the downsides of attestation right now. Why also have the downsides for keys and in-band verification as well? It does seem like it would be simpler for them to try and have this be something that's tied into iCloud that gets set up only by the person who wants to be verified. Again, I'm not saying I want that, I don't want Apple arbitrating identities, but... why wouldn't they? Why have a system with both downsides?

I'm sure there are caveats I'm not thinking of, but it does seem like they could probably do this in a less federated/decentralized manner?

Is it any different from copying a URL? That said, it might be formatted as a URL, like a TOTP URL.

In theory no, but in practice, wow do people seem to struggle with keys. Matrix's current system went emoji only because even numbers seem to be too much for people. And arguably, even emoji are too much for people.

There are larger UX problems surrounding when/where to copy and what the caveats are, but even ignoring them, people do seem to struggle with copy paste, especially cross-device stuff. I'm not sure what the solution is.