

Certainly. Thanks <3


The client side is its own beast. See https://github.com/soatok/mastodon-e2ee-specification?tab=readme-ov-file#components from my initial project (the “key transparency” thing from today slots neatly into the “Federated PKI” hole).


No, if you read the post it will make more sense.
Or the specification if you’re more technical.


If you want E2EE for Mastodon, you need key management to be solved first.
This solves a lot of the key management pain. It’s not v1.0 stable yet, but it’s finally implemented. I’ve been working on the spec for nearly 2 years.


It’s a building block to make E2EE possible at Fediverse scale.
I’ve written about this topic pretty extensively: https://soatok.blog/category/technology/open-source/fediverse-e2ee-project/
If you can build in Federated Key Transparency, it’s much easier to reason about “how do I know this public key actually belongs to my friend?” which in turn makes it much easier to get people onboarded with E2EE without major risks.


> Which is more toxic?
> The one that contains the most aggression.
Aggression isn’t toxicity. The logical consequence of your stance is negative peace, and broken stairs.
> Do most of those strangers know that you are receiving hundreds of requests? They’re strangers, so I’m betting on no.
Sure they do, because I tell them. The screenshot you posted is proof that I inform them.
The rest of this is needless language policing.


You say you’re arguing in favor of less toxicity, but your example was a screenshot of a comment where I asserted my own healthy boundaries (after being needled by hundreds of demands in the form of “what about <other app>?” from strangers over the course of months).
Which is more toxic?


Because ActivityPub was not designed for E2EE. That’s the simplest answer.
The longer, and more technical answer, is that doing the actual “Encryption” part of E2EE is relatively easy. Key management is much harder.
I initially set out to just do E2EE in 2022, but got roadblocked by the more difficult problem of “which public key does the client trust?”.