I’d like to see if we could get some sort of report on what security measures are in place on omg.lol, dns.kitchen, etc. Is data encrypted at rest, is the user map restricted to logged-in users, etc.? Does Passage record our data and send it to 1Password?
Furthermore, my concerns with the site and especially dns.kitchen mainly are durability - is there redundancy in place? What if Adam gets hit by a bus and carks it - is there a plan for going from there? An idea of protocol is nice and would make me feel more comfortable running domains through dns.kitchen, storing photos on some.pics, etc.
However, I do understand it’s a lol project and nothing here is really that serious, so it’s totally okay to nix this as out of scope. I just prefer to invest in sites I have reasonable belief they’ll be around for a while - I hate migration.
I might pop the Passage team an email and ask about what data is sent to 1Password for you. For now though, I found their Privacy Policy if you want to give that a read. It’s probably just the tokens needed for passkeys to work + email data (based on what I’ve seen).
This is a great idea, and, frankly, I should have already done all of this by now.
I’ll work on getting something together. I’d really like to have it checked over by some relevant experts (or even properly audited?) as well!
Before the “official” thing is published, though, I can try to address the points that you raised:
Data hosted/stored in the omg.lol universe is generally public by nature and is intended to be accessible on the internet, so it’s not stored in an encrypted manner.
While omg.lol is a small service, I still work to maintain high availability and redundancy. DNS Kitchen is less than a week old, but it already has three global nameservers and I’m working on securing IP space for an even more available and resilient setup using anycast with multiple PoPs in even more locations. (To be clear, I wouldn’t move omg.lol’s zone from DNSimple to DNS Kitchen unless I was 100% confident that I could offer equivalent performance and reliability.)
Passage knows your email address and holds your passkey’s public key, and nothing else.
I’m not worried about getting hit by a bus because I’ve already established a thorough contingency plan for continuous operation of services. It’s already a known fact that I will die someday, and omg.lol is protected regardless of the timing and circumstances of my inevitable demise.
Thanks for raising the need for more transparency here, and I’ll get started on the report soon!