#indiewebcamp 2012-10-02

2012-10-02 UTC
donpdonp, dascher, zztr, Alex_Lykos, danbri, friedcell, josephboyle, josephboyle1, tantek and adactio joined the channel
tantek.com
edited /2013/Guest_List (+1) "/* Official Guest List */ fix link, update counts"
dascher, tantek, spinnerin and friedcell joined the channel
tantek.com
edited /POSSE (+3570) "add more implementations, background, reorganize"
tantek
!tell barnabywalters - when did you add POSSE support to your site where the syndicated copy on twitter linked or at least referenced back to the original? add dates/permalinks to the POSSE list of current sites: http://indiewebcamp.com/POSSE#Sites
Loqi
Ok, I'll tell them that when I see them next
tommorris
tantek: a few of us are putting together a collaborative thank-you-and-get-well-soon card in HTML/CSS for Molly Holzschlag. wanna sign?
tantek.com
edited /PESOS (+568) "/* PESOS */ dfn, subsections, background, related more disadvantages details"
hober joined the channel
tantek
welcome hober
dascher joined the channel
hober
hi tantek
donpdonp
tantek: very interesting article!
donpdonp
now that social login buttons are gone, the password field is next.
tantek
indeed - it's helpful to see metrics posted for this sort of thing, instead of just repeated marketing messages / hopes for better engagement
tantek
right!
donpdonp
which leaves email, not URLs.
tantek
that's the nice thing with web sign-in - you always just use your own domain, and whatever 3rd party services you happen to be using, you can auth with them
donpdonp
that's where we diverge :)
tantek
with email, you're still dependent on a 3rd party service
donpdonp
also I think the site itself should have the first crack at processing the email address. which is why I don't like Persona's approach of the popup
tantek
and if you're using your own domain for email, then why not just trim the part with the @ and before?
tommorris
tantek: I tried to log in to Meetup.com the other day with Facebook on my phone. the whole thing was such a clusterfuck.
tantek
tommorris - lol
tantek
I stopped using Meetup.com because it's too spammy
tantek
Twitter is on that path...
donpdonp
tantek: vanity domains are a very small minority of nerds. email addresses have the widest common understanding by the average internet user
donpdonp
I took a look at Facebook and Google logins one day and said yup, email addresses have won. OpenID had a few years to get URLs to catch on and they didn't.
tommorris
tantek: I'd arrived at the bar and couldn't find anyone. and I had to log in to see "ah, it's upstairs"
tantek
donpdonp and decades ago email addresses were a very small minority of nerds, fax machines had a wider common understanding
donpdonp
tantek: true but there was a clear path from phone # to email. the path from email to the next thing is not clearly domains
danbri_ joined the channel
tantek
I'm ok letting other design for / solve the inertia of the past while we build the future
tantek
s/other/others
Loqi
tantek meant to say: I'm ok letting others design for / solve the inertia of the past while we build the future
donpdonp
what if multiple people are behind the same domain?
tantek
what if multiple people are behind the same email? (already happens, e.g. with Amazon)
donpdonp
mydomain.com/usera, mydomain.com/userb, well we have a syntax for that usera@mydomain.com
tantek
what if multiple people are behind the same phone number? (used to be the common case with home and work numbers)
donpdonp
a domain is a lot bigger investment
tantek
less than a cell phone
tantek
in terms of annual cost
tantek
so from there on, it's just a free software + usability problem
donpdonp
ok but user@domain is practically free, which is appealing
tantek
until 3rd party domain revokes your identity for violating some obscure TOS provision
donpdonp
I don't associate email with 3rd party domain, it could go either way
tantek
or griefers get the 3rd party to do so by claiming you've violated the TOS
tantek
donpdonp - email is either 3rd party domain = vulnerable, or email is on your own domain = why not just use the domain
tantek
less typing etc.
tommorris
tantek: that's one thing I think we need to beef up on the wiki, is the whole explanation of how the "we're solving this for ourselves first" thing avoids the network effect conundrum.
tantek
well it avoids many conundrums
tommorris
new slogan: #indiewebcamp - sisters doin' it for themselves.
tommorris
at barcampbrighton, I did have a hilarious idea: a Rails plugin called RandomAuth. it randomly chooses a web service for you to sign in with.
donpdonp
goes back to coding
donpdonp
tommorris: heehee
tommorris
one day, it might be twitter, next day it might be github, day after it might be fetlife.
tantek
tommorris - we have this so far: http://indiewebcamp.com/Principles
tantek
a bit of a stub
tantek
RandomAuth choosing randomly from among your rel-me'd profiles?
tommorris
no, just a random authenticator. it'd be a joke, a code-based reductio ad absurdum for the NASCAR problem.
tantek
tommorris like a Wheel of Fortune Auth
tantek
AuthRoulette
tommorris
yep, and if it happens to pick a site you don't have an account on, you don't get to use the site that day.
Loqi
nice
tommorris.org
edited /Principles (+467) "adding the sisters doing it for themselves principle"
sivy joined the channel
sivy
tantek: done :-)
tantek
welcome sivy!
sivy
I wonder: would "markdown on dropbox" be considered an indie platform?
sivy
even if the serving/rendering happened in a hosted environment?
tantek
what do you mean by "platform"?
tantek
and where are the URLs?
sivy
for example:
tantek
as long as you have indieweb URLs, storage is just plumbing
tantek
and if you don't have indieweb URLs, it doesn't help where you store things
sivy
I know that's not indieweb
sivy
without an own-domain
sivy
and the URLs are lame
sivy
but the idea is that your content is hosted on dropbox
sivy
but the URLs are served via a third party
sivy
I know it's not "full-indie" but curious what the opinion on these services is
sivy
I think it's pretty good as far as data portability goes
tantek
it's not indie at all
tantek
since it doesn't the URLs
tantek
*have
tantek
portability is orthogonal
sivy
I know that particular service doesn't
tantek
no "particular service" is indie
tantek
only your own site is
sivy
fair nuf
sivy
that's kinda what I was thinking
tantek
!tell aaronpk special page link bug, this page: http://indiewebcamp.com/wiki/index.php?title=Special:UserLogout links the text "log in again" errantly to http://indiewebcamp.com/Special:OpenIDLogin whereas it should link to http://indiewebcamp.com/Special:UserLogin
Loqi
Ok, I'll tell them that when I see them next
tantek
!tell aaronpk - or you could give me admin privs to edit http://indiewebcamp.com/Special:UserLogout directly to fix it - assuming that's an admin editable page instead of a page to edit by hand/vi in the DB/server.
Loqi
Ok, I'll tell them that when I see them next
sivy
tantek: did you help with Persona?
Alphi joined the channel
tantek
sivy yes - have helped iterate on it a lot
tantek
especially from the usability perspective
tantek
Persona/BrowserID is the way to go to support legacy email-logins.
sivy
how does it work? I tried to read about browser id at one point, and didn't follow that either
tantek
I'd start with browserid.org and see where you get
tantek
if anything seems unclear there at all, I strongly encourage you to say so in the #identity IRC channel on the Mozilla IRC network
Alphi
sorry for butting in, I've been playing with Persona over the weekend, it's pretty slick
Alphi
I'm working on getting my own IdP set up
tantek
Alphi - no apology needed - great to hear it!
tantek
the team has worked very hard with numerous iterations based on critical feedback to make it "pretty slick"
singpolyma
I saw an article the other day that said Persona was "like OpenID without the headaches" and I laughed
danbri joined the channel
Alphi
OpenID certainly does induce headaches...
singpolyma
Alphi: not any more or different ones than BrowserID, though
tilgovi joined the channel
tantek.com
edited /2011/Schedule (+11) "fix demos link"
tantek.com
edited /one-click-install (+5) "fix demos redir"
tantek
singpolyma - OpenID definitely has more and different headaches than BrowserID
tantek
in fact, just documented a few
singpolyma
tantek: really? The normal complaints about OpenID are "you get redirected" and "the UI is not identical to username/password" and "IdPs all implement slightly differently". These all seem to be the case with BrowserID as well (well, except maybe the last one because there are so few IdPs at this point)
tantek.com
created /Why_web_sign-in (+7509) "draft"
tantek
singpolyma see ^^
singpolyma
<< And if you don't, you have to install the OpenID libraries on your own site. This is difficult enough of a task as to be either impossible for typical users, or too complicated/annoying for even experienced developers. >> -- ... unless you delegate or use a package IdP you can just drop on (like phpMyId)
tantek
donpdonp since I've had to make those arguments more than once (about why personal domain vs. some email), it was time to wikify them so anyone here can make the point for web sign-in and personal domains in the future: http://indiewebcamp.com/Why_web_sign-in
tantek
singpolyma - perhaps add details for that below where I mentioned "anyauth"
tantek
it's not discoverable to "use a package IdP you can just drop on (like phpMyId)"
singpolyma
I agree that rel=me delegation is much easier for indie use cases than XRDS
tantek
we have to keep making the indieweb use cases easier and easier
tantek
once we approach the ease-of-use + usefulness level of typical monthly tech service expenditures like cell phones, cable, netflix etc. we'll see mainstream adoption take off
singpolyma
I think rel=me as a delegation option makes a lot of sense. Using that as a delegation option for OpenID makes it basically equivalent to RelMeAuth (except supporting existing OpenID IdPs instead of OAuth IdPs)
singpolyma
indieauth.com is great, but the security model is very weak
tantek.com
created /Persona (+35) "stub"
tantek.com
edited /IndieAuth (-6) "event past"
tantek.com
created /web-sign-in (+55) "see stub"
tantek
singpolyma - please feel free to document any problems with IndieAuth (security or otherwise) on the wiki page: indiewebcamp.com/IndieAuth
singpolyma
hmm, ok, will do :)
singpolyma
or should I maybe put it on the talk page for that page?
tantek.com
edited /IndieAuth (+16) "h1, toc"
tantek
singpolyma - just add an "Issues" section after the To Do section
danbri joined the channel
tantek
and note that I've already added a bunch of security to do items there: http://indiewebcamp.com/IndieAuth#To_do
tantek
or feel free to directly contact aaronpk to give him a heads up if you find some really big vulnerability
tantek
nice to avoid zero days if we can help it ;)
tantek.com
edited /web-sign-in (+84) "see why"
tantek
sivy btw there was some discussion at IndieWebCampUK of using DropBox for an easy sync-solution to support indieweb publishing (where your server is also on drop box and pulls things down and publishes from there)
tantek
I wasn't in the session
tantek
but perhaps you can ping folks
tantek
realizes that good note-taking / scribing is an essential habit for community memory / continuity.
singpolyma.net
edited /IndieAuth (+354) "/* To do */ Document some security concerns"
tantek
singpolyma - the firesheep problem right?
tantek
tokens (e.g. cookies) sent not over SSL are vulnerable to sniffing / replay right?
singpolyma
tantek: the second one I list (replay) is closely related to the firesheep problem
singpolyma
the former is a sniffing issue in the race condition case, but it's an authenticity issue in the MITM/poisoning cases
singpolyma
s/the former/the first one
Loqi
singpolyma meant to say: the first one is a sniffing issue in the race condition case, but it's an authenticity issue in the MITM/poisoning cases
tantek
presumably even with MITM/poisoning the attack can be thwarted with SSL with a signed cert
singpolyma
TLS with a signed cert on IndieAuth.com (forced to be used, refuse any request not over TLS, not even a redirect should be given) fixes all three vectors on the first case
singpolyma
TLS or vetting re-use of tokens fixes the replay attack on the second case
tantek
which is I think where everyone ends up once they feel the need to harden their auth
tantek
TLS + signed cert that is
singpolyma
(for clarity: to fix the second (replay) case, the TLS would have to be on the RP, not on indieauth.com, and even then re-use detection would be good, and since it's good enough by itself that may be better)
tantek
right, TLS on the RP is what's needed to avoid the firesheep scenario
singpolyma
TLS or just detecting token re-use (since tokens should be unique per request)
danbri joined the channel
@BarnabyWalters
@barnabywalters is testing in_reply_to tweet syndication #web #indieweb
danbri and barnabywalters joined the channel
Loqi
barnabywalters: tantek left you a message 4 hours, 57 minutes ago: - when did you add POSSE support to your site where the syndicated copy on twitter linked or at least referenced back to the original? add dates/permalinks to the POSSE list of current sites: http://indiewebcamp.com/POSSE#Sites
tilgovi, tantek and tantek_ joined the channel