Using PGP is a good idea indeed.
I’d like to support identity proofs based on GPG keys in addition to wallet-based proofs I mentioned earlier in this thread.
My general plan is to use Move() activity for account migrations, but let people sign this activity with their own key. If I understand correctly, implementation of Move() in Mastodon requires a cooperating server. If your old server is offline or if admin banned you, there’s no way to move your followers. But if user-signed activities are allowed, you can simply register new account on another server, import your follower list and send them a command to un-follow your old account and follow your new account.
To make user-signed activities possible on Fediverse, I’m working on two protocol extensions:
- Embedded signatures. Mastodon can create them, but their implementation is outdated and not portable. There should be a clean and simple way to sign JSON object, otherwise embedded signatures will never be adopted in Fediverse. I’ve implemented JSON signing according to Verifiable Credential Data Integrity 1.0 standard (which replaces old LD signatures spec), using JCS algorithm, which is much simpler than RDF canonicalization. It has implementations in several languages and for signing simple JSON objects people can even use ordinary JSON serialization libraries that can produce compact JSON with sorted keys because the output will be the same.
- Identity proofs. This is a verifiable link between domain-based account and user’s public key identity. When server receives activity signed by user-owned key, it can verify its authenticity just like it does when activity is signed by server-owned key.
That doesn’t solve the problem of data ownership, but I think my solution is compatible with any data migration mechanism: manual export/import, backing up on IPFS, Solid, or mirroring to multiple servers.
In the future, I want to create FEPs for both of these extensions. Feedback is welcome!