(with apologies to Gil Scott-Heron)

If you get all of your important technology news from “content aggregators” like Hacker News, Lobste.rs, and most subreddits, you might be totally unaware of the important but boring infrastructure work happening largely on the Fediverse, indie web, and other less-centralized communities.

This is no accident.

The rough consensus of these spaces has been strongly in favor of the sort of centralized tech monopolies, venture capitalists, private equity ghouls, and “innovation” that weakens the position of workers against the wealthy (i.e., most use cases for Large Language Models).

Occasionally they sprinkle in a bit of faux resistance–just enough to be able to pretend they’re counterculture, so they can pretend that Silicon Valley spirit hasn’t been thoroughly sold out to Palantir over the past two decades. That’s why a few “anti-AI” rants will occasionally slip through.

If you’re interested in the substance that underpins this mild rant, I’ve written about technology that causes massive cultural harm recently.

Earlier this week, I announced the immediate availability of a reference implementation for the Public Key Directory–a project I’ve been working on since June 2024. Hundreds of people shared it on Mastodon and BlueSky. Comparatively, almost nobody on Hacker News ever saw it.

Today, the COCKTAIL-DKG specification is now live (previous blog post). It’s an early version (v0.1.0), and the reference implementations are still a work-in-progress, and there’s still a lot of work to do, but it’s a tangible specification. With test vectors (from my hacky implementation that isn’t clean enough to publish)!

Two months ago, I wrote a blog post titled The Dreamseeker’s Vision of Tomorrow. In the time since, I’ve gotten two of my three current projects to the next stage of maturity (and the third one was blocked by one of those two).

I have no illusions that the larger tech industry will do anything but collectively shrug at this sort of progress. I’m sure you’ve all heard it before.

This is boring infrastructure work!

There’s no drama; no scandal. There’s nothing sexy. No one is bleeding. Why would anyone want to read about this?

Hell, why are you even blogging instead of making short-form video content?

Get with the times. The attention economy demands tribute.

Don’t you want to be important? Don’t you want money?

While you’re at it, cut the furry crap; it’s totally unprofessional.

2026 Will Be More Boring Infrastructure Work

While the rest of the Internet descends slowly into AI-induced mass psychosis, I’ve got different plans.

1. Push the Fediverse Key Transparency project closer to v1.0.
2. Begin working on a realistic proposal for end-to-end encryption for ActivityPub-enabled software.
   • I plan on building atop MLS. If your opinion of MLS was tainted by Evgeny’s disingenuous rant, I already wrote a rebuttal earlier this year.
   • W3C-affilited folks are also planning to build atop MLS. I’m already talking with them about Key Transparency.
3. Improve COCKTAIL-DKG and implement it in several popular languages to make Threshold Signing with FROST easier for teams to develop.
4. Build the next version of FREEON with COCKTAIL-DKG, so FOSS development teams can have geographic resilience even if one of their team members reside in a nation that goes totally authoritarian.
5. Design tooling to integrate FREEON into other workloads that already support single-secret Ed25519 today.
   • Imagine tying this into SigStore and attestations like PEP-740.

None of this work will generate much buzz, but I’m building it because I feel strongly that it needs to exist.

• Fediverse users should be able to have private chats with each other, that not even their instance admins can snoop on.
  • This encryption should be accessible to mere mortals, without sophisticated training or discipline.
• Geographically distributed open source software teams should be able to mitigate the $5 wrench problem.

AuxData is a little exciting

One thing that I feel is underappreciated about the Key Transparency system I designed is that it’s extensible. That is to say, you can push more than just public keys; you can also publish (and revoke) typed blobs of “auxiliary data”.

If you asked a cryptographer how to enable a workflow where strangers can encrypt a file and send it to you, such that only you can decrypt it, they’ll recommend something like age. (If they recommend PGP without you specifically adding it as a constraint, they’re a clown.)

But, in this scenario, how does anyone know that they’re using YOUR age public key and not the NSA’s? Or Mossad’s?

Well, if you publish your age public key as AuxData via Key Transparency, you can reason about how long it’s been published and how much verification the transparency log offers. This is a much stronger notion for baseline trust than trust-on-first-use.

I’m not just building a solution for the Fediverse. I’m building a viable way for developers the world over to build federated trust and transparency that doesn’t involve cryptocurrency and all the crap that comes with that crowd.

(But, of course, the fact that it’s not a blockchain or AI solution is precisely why tech news message boards won’t give a shit.)

2025 Retrospective

I’m hesitant to say that this will be my last blog post of the year. After all, I thought I was done last year when I wrote The Better Daemons of Our Profession only to get an unsolicited AI-generated “roast” on Christmas morning.

Here are some highlights from this year:

• I criticized Session (the Signal fork that removed forward secrecy) and advised my readers to not use it. Now they’re updating their protocol to re-add forward secrecy.
• I wrote an 8-part review of Signal’s cryptography over a long weekend. One of the topics covered was how I approach cryptography auditing in general.
• I found and disclosed vulnerabilities in FreeSWITCH and they still haven’t tagged a release with the fix as of this writing.
  • Andrev Volk had said, “We do not have plans to make a release of FreeSWITCH Community till summer 2025” but it’s December and they still haven’t.

    I guess my assumption about SignalWire not giving a shit about their users’ security stands.

• I gave two conference talks this year. In fursuit.
  • One of these was the keynote for the first Queer in Cryptography conference.
  • The other was a talk introducing FREEON at the DEFCON Furs suite.
• In response to some interesting work using the Wycheproof test vectors with Javascript cryptography, I created a shim package to help developers migrate to more secure implementations.
  • As thanks for this, a blockchain/AI fan baselessly accused me of computer crimes.

Y’know, this is probably what they call, “taking it easy.”

I still haven’t finished that damn key management blog post. But now that the Key Transparency project has a reference implementation, and COCKTAIL-DKG exists in the C2SP repository, I’m a lot closer than when I started.

At the risk of jinxing myself into having another thing to write about before January 1, here’s to 2026.

Header art by CMYKat.