Just a random thought experiment. Let’s say I have my account on a lemmy instance: userA@mylemmy.com. One day I decide to stop paying for the domain and move to userA@mynewlemmy.com, and someone else gains it and also starts up a lemmy instance.
If they make their own userA@mylemmy.com, how do federated instances distinguish who’s who?
Have I misunderstood the role of domain names in this?
I imagine it works exactly like email where it is possible to inherit someone else’s expired domains.
Checking out the relevant specifications: ActivityPub and WebFinger
In conclusion, it certainly seems like you could take over someone else’s domain name, and I suspect that public key cryptography is the only way to avoid this.
(edited to add: expired domains aren’t the only attack surface here, domain takeover is also a thing, either by transferring the domain or simply changing the DNS records.)
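The public-key idea raised above can be sketched from the receiving instance's side as an added example; it is not part of the thread and not Lemmy's own code. It pins the first key seen for an actor id (trust on first use) and flags a later actor document that reuses the id with a different key. The `/u/userA` actor URL, the `ActorPinStore` class and the key strings are assumptions constructed for illustration.

```python
import hashlib

def key_fingerprint(pem: str) -> str:
    """SHA-256 of the PEM body with armor lines and line wrapping removed."""
    lines = [l.strip() for l in pem.splitlines()]
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    return hashlib.sha256(body.encode("ascii")).hexdigest()

class ActorPinStore:
    """Hypothetical trust-on-first-use store: actor id -> first key fingerprint."""
    def __init__(self):
        self._pins = {}

    def check(self, actor: dict) -> str:
        actor_id = actor.get("id")
        key = actor.get("publicKey") or {}
        # The key must claim the actor that presents it.
        if not actor_id or key.get("owner") != actor_id or "publicKeyPem" not in key:
            return "invalid"
        fp = key_fingerprint(key["publicKeyPem"])
        pinned = self._pins.get(actor_id)
        if pinned is None:
            self._pins[actor_id] = fp       # first contact: nothing to compare against
            return "first-seen"
        return "match" if pinned == fp else "key-changed"

# Constructed placeholder key material (not real keys).
KEY_A = "-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNU\nRUQtS0VZLUE=\n-----END PUBLIC KEY-----\n"
KEY_A_REWRAPPED = "-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQtS0VZLUE=\n-----END PUBLIC KEY-----"
KEY_B = "-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQtS0VZLUI=\n-----END PUBLIC KEY-----\n"

def make_actor(pem: str) -> dict:
    """Constructed actor document for userA@mylemmy.com (URL layout assumed)."""
    actor_id = "https://mylemmy.com/u/userA"
    return {"id": actor_id, "type": "Person", "preferredUsername": "userA",
            "publicKey": {"id": actor_id + "#main-key", "owner": actor_id,
                          "publicKeyPem": pem}}

def demo() -> list:
    store = ActorPinStore()
    return [store.check(make_actor(KEY_A)),            # original owner
            store.check(make_actor(KEY_A_REWRAPPED)),  # same key, re-fetched
            store.check(make_actor(KEY_B))]            # same id after the domain changed hands

if __name__ == "__main__":
    print(demo())
```

The pin only helps an instance that saw the original key; an instance meeting userA@mylemmy.com for the first time after the domain changed hands gets "first-seen" and has nothing to compare against.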