Hello! Do all people on one federation server see all the shared information, or are you able to pick and choose who sees what?
Example:
System A and System B are both friends with C, but not friends with each other. C creates a server for all 3 of them, so C can see both of their information. Can System A and System B therefore see each other's information?
Also I don't exactly know how federation works so correct me if my understanding of how the server sharing works is wrong please :)
In this situation, friend C would be privy to the shared data of both parties. System A and System B cannot see each other’s details. I will detail the typical server model, versus federated, vs ours.
With a typical server, the server is the trusted party. It performs tasks for users after validating that they have permissions, and it manages the data however it sees fit. Often a server will have a database of user logins, a database of user permissions, and a database of user data. To check if a user is who they say they are, it requests they login and checks the credentials they provide against those stored. To check if a user has permission to do something, the server takes the user id and checks its permissions in a table/database. Same with user data. The server functions like a clerk or secretary, they provide the service and you must trust how they do so. Things like password hashing or data encryption are done to secure data in the case of a breach, like locking cabinets & drawers in an office, but the server typically has access. This is why something like a user password reset or account recovery is possible — from the perspective of the server, these things can be arbitrarily changed.
With federation, you retain the same model, but you diversify the implementation. With a centralized service, like Instagram, one group controls the servers. If you don’t trust Meta, you cannot go elsewhere. With federation, a party would take the server & app code to make a protocol any group can use (they may also provide their source code). This means that if users don’t trust Group A (ie, they suspect they’ll try to train AI on user data) they can only use Group B’s servers. They still need to trust Group B, but they have diversity of choice. There can also be diversity of implementation, ie two different Groups can make different apps that connect to the same server. Consider something like Email, where there are multiple providers and receivers to choose from. An example of a federated alternative to Instagram is something like Pixelfed.
We take that a step further, by treating the server as untrusted. The reasoning is that we’re trying to deploy quickly and en masse. There’s not significant time for users to develop trust around new entities. So, centralizing trust even with a variety of groups to choose from is a gamble. We also lack immense interest in personally storing user data, or running the backup/sharing services. If the funds become available we will, but we wanted to open it up. The solution we thought of was removing (or dampening) the need for trust.
The server does not have a user’s login information. Instead, the user uses their encryption keys — a user has a public key that can encrypt things, and a private key that can decrypt things. The user shares their public key with the server. If the server wants to verify a user, it generates a secret, let’s say a random sentence, and encrypts it with the user’s public key. Then, it asks the party claiming to be a user what the secret is, given the encrypted message. If the party on the other end can answer correctly, it means they either have the (private) decryption key, or had a lucky guess. This process is called a challenge. This also means a user can upload encrypted volumes to the server, and the server can be sure it’s the user without knowing what’s in the volumes. A similar process happens for sharing with other users.
When a Friend wants to download data, another process is needed. First, the Friend can get the users public key. The server knows what volumes the user can request, and will only serve those volumes. But more importantly, the user has another key — the VEK — which encrypts individual volumes. Without this, even a user who has the volumes can’t read them (this protects against a server that implements sharing poorly, ie). The System can provide the Friend their VEK with a few layers of security. First is TLS, just normal website encryption. This protects against people watching the connection, but the server can decrypt this. However, the Friend and System can securely talk by exchanging keys.
Imagibe encryption like putting something in a locked box. Your public key is a lock that only opens to the last key used to make it, and your private key is the actual key to unlock it. You can copy your lock or your key, and both you and your friend have your own versions. You want to send messages the server can’t read, and the server is an armored car.
If your friend has your lockbox, which everyone has because it’s public, they can put a copy of their key in it. They send the box to you, the only person who can unlock it. You unlock the box and take out the copy of your friend’s key, which you combine with a copy of yours to create a new key, say A+C. You can then lock the box using your friends key, and send it to them. Your friend, C, did the same thing with System B, but they created the new key B+C. Your friend never saw your private key, A, so they can’t solve your challenges or make new keys using yours. The server never saw any of the keys, and so has no idea what was exchanged.
Now you have a shared way to securely message, and can exchange your VEK for the volumes your friend has.
The friend could do some things, like save the VEK to decrypt data even after their permission was revoked. But our app doesn’t support this (we actively try to prevent it), the relay server’s enforcement of permissions acts as a second layer of defense, and the user being able to re-encrypt volumes with a new VEK acts as another (though this isn’t presently implemented).
The federated relay acts as an independent party to almost all operations. It’s expected to fulfill tasks, and the security model assumes it will try to snoop on data — which is why all data is encrypted even to the server.
The federation model is not what causes the security behavior, that’s instead something adjacent to a zero-trust model. Federation is just the independent servers model. We’ve combined them. Hopefully this provides some explanation. We’ll create a blog post at some point to describe it more formally! And hopefully with pictures.









