01:09 <TimMc> I tried to help someone link together two Sandstorm accounts (one logged in via email, one via Google) and it gave them "Error linking credential: Error: Cannot link a credential that can already log into another account"

01:09 <TimMc> Do I need to add a second login method to the Google one, unlink the Google login, and re-link it to the other account?

01:10 <TimMc> I'll try it out first on some dummy accounts, but I wanted to check first if there was a better way.

01:12 <kentonv> Hmm, I seem to recall that if the credential you want to add is already attached to a different account, we check if the other account has any grains. If it doesn't, then we delete the other account and add the credential to the current account.

01:12 <kentonv> but if it has grains then we show the error

01:13 <TimMc> Say both have grains. Is there a solution?

01:16 <isd> It seems like maybe a better behavior would be to change the grains' ownership. I think conceptually we want to "merge" the accounts.

01:22 <CaptainCalliope> Could a merge-type experience be administered as a multi-directional sharing of capabilities? Secondary use case: I have multiple identities I want to keep seperate from the perspective of other people but have everything together in one dashboard. Side effect for federation down the line: if I have logins on multiple servers, I can combine them with the same flow and have the same unified experience as when I

01:22 <CaptainCalliope> combine multiple identities on the same server.

01:22 <CaptainCalliope> Just thinking out loud.

01:36 <kentonv> TimMc, log into the account you don't want, delete all the grains, and empty the trash... :)

01:37 <kentonv> IIRC we thought about supporting "merge" at the time but decided it was more work than it was worth

01:39 <kentonv> CaptainCalliope, Sandstorm's identity model used to support the concept of an account having multiple identities which others couldn't necessarily tell were the same person. It turned out to be a lot more confusing than useful.

01:40 <TimMc> I want all the grains from both to be under the same account. :-/

01:40 <kentonv> maybe with more work it could have been better, but eventually I ripped the whole thing out and simplified things a lot

01:41 <kentonv> https://sandstorm.io/news/2017-05-08-refactoring-identities

01:41 <kentonv> TimMc, maybe do a "mass transfer" between the accounts?

01:45 <CaptainCalliope> Gotcha. I know a bunch of people in the identity space who are trying to figure out how to make these kinds of use cases actually work. Probably not the best use of resources to try and figure it out ourselves when there are already people on it we can wait on.

01:46 <kentonv> personally I think the right answer is to log into separate accounts in separate browser profiles. If you try to mix identities in a single browser window it gets really easy to make a mistake and do something as the wrong identity, revealing yourself.

01:47 <CaptainCalliope> Yeah. Not the best for facilitating good .opsec.

01:47 <CaptainCalliope> "Finally, we will be disassociating the user ID as seen by apps from the underlying user credentials." 👍🏼

01:49 <kentonv> yeah part of the problem is that we tied identities to credentials which was definitely not the right approach

01:53 <CaptainCalliope> Have you paid any attention to what's been going on with the w3c credentials community group? They've been working on some specs for decentralized identity that might possibly be useful for us to implement sometime down the line. https://w3c-ccg.github.io/

01:54 <CaptainCalliope> Ocaps are part of the architecture they're incubating.

01:54 <CaptainCalliope> https://w3c-ccg.github.io/did-primer/

01:59 <TimMc> kentonv: Oooh, I forgot about mass transfer! :-D

02:00 <kentonv> I *think* a mass transfer should work between accounts on a single server, with some copying of links / logging out and back in again. I haven't actually tried it though. :)

02:01 <TimMc> I will. :-)

13:11 <TimMc> kentonv: It was dicey, but it worked! I initiated the transfer, and my browser blocked the popup. When I allowed it, I got a page saying something about "it looks like there's a transfer in progress". I signed out in another tab, reloaded the transfer page, and then everything worked as expected.

15:06 <TimMc> Hmm! Interesting that I can't have the same Etherpad open on two computers from the same Sandstorm account.

21:36 <isd> TimMc: what happens when you try?

21:56 <TimMc> isd: One or the other client instances yells at me about having it open twice in the same browser. :-) (Except it's not, it's the same user on two different computers.)

23:31 <isd> Probably an etherpad bug.