#indiewebcamp 2012-10-02

2012-10-02 UTC
donpdonp, dascher, zztr, Alex_Lykos, danbri, friedcell, josephboyle, josephboyle1, tantek and adactio joined the channel
# 15:07 
tantek.com edited /2013/Guest_List (+1) "/* Official Guest List */ fix link, update counts" (view diff)
dascher, tantek, spinnerin and friedcell joined the channel
# 16:07 
tantek.com edited /POSSE (+3570) "add more implementations, background, reorganize" (view diff)
# 16:10 
tantek !tell barnabywalters - when did you add POSSE support to your site where the syndicated copy on twitter linked or at least referenced back to the original? add dates/permalinks to the POSSE list of current sites: http://indiewebcamp.com/POSSE#Sites
# 16:10 
Loqi Ok, I'll tell them that when I see them next
# 16:13 
tommorris tantek: a few of us are putting together a collaborative thank-you-and-get-well-soon card in HTML/CSS for Molly Holzschlag. wanna sign?
# 16:20 
tantek.com edited /PESOS (+568) "/* PESOS */ dfn, subsections, background, related more disadvantages details" (view diff)
# 16:31 
tantek interesting article: http://blog.mailchimp.com/social-login-buttons-arent-worth-it/
hober joined the channel
# 16:31 
tantek welcome hober
dascher joined the channel
# 16:39 
hober hi tantek
# 16:43 
donpdonp tantek: very interesting article!
# 16:44 
donpdonp now that social login buttons are gone, the password field is next.
# 16:44 
tantek indeed - it's helpful to see metrics posted for this sort of thing, instead of just repeated marketing messages / hopes for better engagement
# 16:44 
tantek right!
# 16:45 
donpdonp which leaves email, not urls.
# 16:45 
tantek that's the nice thing with web sign-in - you always just use your own domain, and whatever 3rd party services you happen to be using, you can auth with them
# 16:45 
donpdonp thats where we diverge :)
# 16:46 
tantek with email, you're still dependent on a 3rd party service
# 16:46 
donpdonp also i think the site itself should have the first crack at processing the email address. which is why i dont like persona's approach of the popup
# 16:46 
tantek and if you're using your own domain for email, then why not just trim the part with the @ and before?
# 16:46 
tommorris tantek: I tried to log in to Meetup.com the other day with Facebook on my phone. the whole thing was such a clusterfuck.
# 16:46 
tantek tommorris - lol
# 16:46 
tantek I stopped using Meetup.com because it's too spammy
# 16:47 
tantek Twitter is on that path...
# 16:47 
donpdonp tantek: vanity domains are a very small minority of nerds. email addresses have the widest common understanding by the average internet user
# 16:47 
donpdonp i took a look at facebok and google logins one day and said yup, email addresses have won. openid had a few years to get urls to catch on and they didnt.
# 16:47 
tommorris tantek: I'd arrived at the bar and couldn't find anyone. and I had to log in to see "ah, it's upstairs"
# 16:47 
tantek donpdonp and decades ago email addresses were a very small minority of nerds, fax machines had a wider common understanding
# 16:48 
donpdonp tantek: true but there was a clear path from phone # to email. the path from email to the next thing is not clearly domains
danbri_ joined the channel
# 16:48 
tantek I'm ok letting other design for / solve the inertia of the past while we build the future
# 16:48 
tantek s/other/others
# 16:48 
Loqi tantek meant to say: I'm ok letting others design for / solve the inertia of the past while we build the future
# 16:48 
donpdonp what if multiple people are behind the same domain?
# 16:48 
tantek what if multiple people are behind the same email? (already happens, e.g. with Amazon)
# 16:48 
donpdonp mydomain.com/usera, mydomain.com/userb, well we have a syntax for that usera@mydomain.com
# 16:49 
tantek what if multiple people are behind the same phone number? (used to be the common case with home and work numbers)
# 16:49 
donpdonp a domain is a lot bigger investment
# 16:49 
tantek less than a cell phone
# 16:49 
tantek in terms of annual cost
# 16:49 
tantek so from there on, it's just a free software + usability problem
# 16:49 
donpdonp ok but user@domain is practically free, which is appealing
# 16:49 
tantek until 3rd party domain revokes your identity for violating some obscure TOS provision
# 16:50 
donpdonp i dont associate email with 3rd party domain, it could go either way
# 16:50 
tantek or griefers get the 3rd party to do so by claiming you've violated the TOS
# 16:50 
tantek donpdonp - email is either 3rd party domain = vulnerable, or email is on your own domain = why not just use the domain
# 16:50 
tantek less typing etc.
# 16:51 
tommorris tantek: that's one thing I think we need to beef up on the wiki, is the whole explanation of how the "we're solving this for ourselves first" thing avoids the network effect conundrum.
# 16:51 
tantek well it avoids many conundrums
# 16:52 
tommorris new slogan: #indiewebcamp - sisters doin' it for themselves.
# 16:52 
tommorris at barcampbrighton, I did have a hilarious idea: a Rails plugin called RandomAuth. it randomly chooses a web service for you to sign in with.
# 16:52 
donpdonp goes back to coding
# 16:52 
donpdonp tommorris: heehee
# 16:52 
tommorris one day, it might be twitter, next day it might be github, day after it might be fetlife.
# 16:53 
tantek tommorris - we have this so far: http://indiewebcamp.com/Principles
# 16:53 
tantek a bit of a stub
# 16:53 
tantek we could use a http://indiewebcamp.com/dogfooding page
# 16:53 
tantek RandomAuth choosing randomly from among your rel-me'd profiles?
# 16:54 
tommorris no, just a random authenticator. it'd be a joke, a code-based reductio ad absurdum for the NASCAR problem.
# 16:59 
tantek tommorris like a Wheel of Fortune Auth
# 16:59 
tantek AuthRoulette
# 17:00 
tommorris yep, and if it happens to pick a site you don't have an account on, you don't get to use the site that day.
# 17:00 
tantek haha
# 17:00 
Loqi nice
# 17:04 
tommorris.org edited /Principles (+467) "adding the sisters doing it for themselves principle" (view diff)
sivy joined the channel
# 17:06 
sivy tantek: done :-)
# 17:06 
tantek welcome sivy!
# 17:07 
sivy i wonder: would "markdown on dropbox" be considered an indie platform?
# 17:07 
sivy even if the serving/rendering happened in a hosted environment?
# 17:07 
tantek what do you mean by "platform"?
# 17:07 
tantek and where are the URLs?
# 17:07 
sivy for example:
# 17:08 
tantek as long as you have indieweb URLs, storage is just plumbing
# 17:08 
tantek and if you don't have indieweb URLs, it doesn't help where you store things
# 17:09 
sivy http://scriptogr.am/steveivy
# 17:09 
sivy i know that's not indieweb
# 17:09 
sivy without an own-domain
# 17:09 
sivy and the urls are lame
# 17:09 
sivy but the idea is that your content is hosted on dropbox
# 17:09 
sivy but the urls are served via a third party
# 17:10 
sivy i know it's not "full-indie" but curious what the opinion on these services is
# 17:10 
sivy i think it's pretty good as far as data portability goes
# 17:11 
tantek it's not indie at all
# 17:11 
tantek since it doesn't the URLs
# 17:11 
tantek *have
# 17:12 
tantek portability is orthogonal
# 17:12 
sivy i know that particular service doesnt
# 17:12 
tantek no "particular service" is indie
# 17:12 
tantek only your own site is
# 17:12 
sivy fair nuf
# 17:12 
sivy that's kinda what i was thinking
# 17:14 
tantek !tell aaronpk special page link bug, this page: http://indiewebcamp.com/wiki/index.php?title=Special:UserLogout links the text "log in again" errantly to http://indiewebcamp.com/Special:OpenIDLogin whereas it should link to http://indiewebcamp.com/Special:UserLogin
# 17:14 
Loqi Ok, I'll tell them that when I see them next
# 17:15 
tantek !tell aaronpk - or you could give me admin privs to edit http://indiewebcamp.com/Special:UserLogout directly to fix it - assuming that's an admin editable page instead of a page to edit by hand/vi in the DB/server.
# 17:15 
Loqi Ok, I'll tell them that when I see them next
# 17:18 
tantek.com edited /How_to_set_up_web_sign-in_on_your_own_domain (+30) "why" (view diff)
# 17:29 
sivy tantek: did you hlp with Persona
Alphi joined the channel
# 17:30 
tantek sivy yes - have helped iterate on it a lot
# 17:30 
tantek especially from the usability perspective
# 17:30 
tantek Persona/BrowserID is the way to go to support legacy email-logins.
# 17:30 
sivy how does it work? i tried to read about browser id at one point, and didn't follow that either
# 17:31 
tantek I'd start with browserid.org and see where you get
# 17:31 
tantek if anything seems unclear there at all, I strongly encourage you to say so in the #identity IRC channel on the Mozilla IRC network
# 17:32 
Alphi sorry for butting in, i've been playing with Persona over the weekend, its pretty slick
# 17:32 
Alphi i'm working on getting my own idp setup
# 17:34 
tantek Alphi - no apology needed - great to hear it!
# 17:34 
tantek the team has worked very hard with numerous iterations based on critical feedback to make it "pretty slick"
# 17:35 
singpolyma I saw an article the other day that said Persona was "like OpenID without the headaches" and I laughed
danbri joined the channel
# 17:39 
Alphi OpenId certainly does induce headaches...
# 17:39 
singpolyma Alphi: not any more or different ones than BrowserID, though
tilgovi joined the channel
# 17:56 
tantek.com edited /2011/Schedule (+11) "fix demos link" (view diff)
# 17:56 
tantek.com edited /one-click-install (+5) "fix demos redir" (view diff)
# 17:58 
tantek singpolyma - OpenID definitely has more and different headaches than BrowserID
# 17:58 
tantek in fact, just documented a few
# 18:00 
singpolyma tantek: really?   The normal complaints about OpenID are "you get redirected" and "the UI is not identical to username/password" and "IdPs all implement slightly differently"  These all seem to be the case with BrowserID as well (well, except maybe the last one because there are so few IdPs at this point)
# 18:14 
tantek.com created /Why_web_sign-in (+7509) "draft" (view diff)
# 18:14 
tantek singpolyma see ^^
# 18:15 
singpolyma << And if you don't, you have to install the OpenID libraries on your own site. This is difficult enough of a task as to be either impossible for typical users, or too complicated/annoying for even experienced developers. >> -- ... unless you delegate or use a package IdP you can just drop on (like phpMyId)
# 18:15 
tantek donpdonp since I've had to make those arguments more than once (about why personal domain vs. some email), it was time to wikify them so anyone here can make the point for web sign-in and personal domains in the future: http://indiewebcamp.com/Why_web_sign-in
# 18:15 
tantek singpolyma - perhaps add details for that below where I mentioned "anyauth"
# 18:16 
tantek it's not discoverable to "use a package IdP you can just drop on (like phpMyId)"
# 18:16 
tantek or better, add your suggestions to http://indiewebcamp.com/How_to_set_up_OpenID_on_your_own_domain
# 18:17 
singpolyma I agree that rel=me delegation is much easier for indie use cases than XRDS
# 18:17 
tantek we have to keep making the indieweb use cases easier and easier
# 18:18 
singpolyma phpMyId seems already listed on http://indiewebcamp.com/How_to_set_up_OpenID_on_your_own_domain :)
# 18:18 
tantek :)
# 18:19 
tantek once we approach the ease-of-use + usefulness level of typical monthly tech service expenditures like cell phones, cable, netflix etc. we'll see mainstream adoption take off
# 18:20 
singpolyma I think rel=me as a delegation option makes a lot of sense.  Using that as a delegation option for OpenID makes it basically equivalent to RelMeAuth (except supporting existing OpenID IdPs instead of OAuth IdPs)
# 18:22 
singpolyma indieauth.com is great, but the security model is very weak
# 18:27 
tantek.com created /Persona (+35) "stub" (view diff)
# 18:33 
tantek.com edited /IndieAuth (-6) "event past" (view diff)
# 18:36 
tantek.com created /web-sign-in (+55) "see stub" (view diff)
# 18:36 
tantek singpolyma - please feel free to document any problems with IndieAuth (security or otherwise) on the wiki page: indiewebcamp.com/IndieAuth
# 18:36 
tantek http://indiewebcamp.com/IndieAuth
# 18:37 
singpolyma hmm, ok, will do :)
# 18:38 
singpolyma or should I maybe put it on the talk page for that page?
# 18:39 
tantek.com edited /IndieAuth (+16) "h1, toc" (view diff)
# 18:39 
tantek singpolyma - just add an "Issues" section after the To Do section
danbri joined the channel
# 18:40 
tantek and note that I've already added a bunch of security to do items there: http://indiewebcamp.com/IndieAuth#To_do
# 18:40 
tantek or feel free to directly contact aaronpk to give him a heads up if you find some really big vulnerability
# 18:40 
tantek nice to avoid zero days if we can help it ;)
# 18:43 
tantek.com edited /web-sign-in (+84) "see why" (view diff)
# 18:45 
tantek sivy btw there was some discussion at IndieWebCampUK of using DropBox for an easy sync-solution to support indieweb publishing (where your server is also on drop box and pulls things down and publishes from there)
# 18:45 
tantek http://indiewebcamp.com/Hosted_API#Dropbox
# 18:45 
tantek I wasn't in the session
# 18:45 
tantek but perhaps you can ping folks
# 18:47 
tantek realizes that good note-taking / scribing is an essential habit for community memory / continuity.
# 18:49 
singpolyma.net edited /IndieAuth (+354) "/* To do */ Document some security concerns" (view diff)
# 18:55 
tantek singpolyma - the firesheep problem right?
# 18:55 
tantek tokens (e.g. cookies) sent not over SSL are vulnerable to sniffing / replay right?
# 18:55 
singpolyma tantek: the second one I list (replay) is closely related to the firesheep problem
# 18:57 
singpolyma the former is a sniffing issue in the race condition case, but it's a authenticity issue in the MITM/poisoning cases
# 18:57 
singpolyma s/the former/the first one
# 18:57 
Loqi singpolyma meant to say: the first one is a sniffing issue in the race condition case, but it's a authenticity issue in the MITM/poisoning cases
# 18:57 
tantek presumably even with MITM/poisoning the attack can be thwarted with SSL with a signed cert
# 18:58 
singpolyma TLS with a signed cert on IndieAuth.com (forced to be used, refuse any request not over TLS, not even a redirect should be given) fixes all three vectors on th efirst case
# 18:58 
singpolyma TLS or vetting re-use of tokens fixes the replay attack on the second case
# 18:58 
tantek which is I think where everyone ends up once they feel the need to harden their auth
# 18:58 
tantek TLS + signed cert that is
# 18:58 
singpolyma right
# 19:01 
singpolyma (for clarity: to fix the second (replay) case, the TLS would have to be on the RP, not on indieauth.com, and even then re-use detection would be good, and since it's good enough by itself that may be better)
# 19:09 
tantek right, TLS on the RP is what's needed to avoid the firesheep scenario
# 19:17 
singpolyma TLS or just detecting token re-use (since tokens should be unique per request)
danbri joined the channel
# 20:08 
@BarnabyWalters @barnabywalters is testing in_reply_to tweet syndication #web #indieweb
danbri and barnabywalters joined the channel
# 21:08 
Loqi barnabywalters: tantek left you a message 4 hours, 57 minutes ago: - when did you add POSSE support to your site where the syndicated copy on twitter linked or at least referenced back to the original? add dates/permalinks to the POSSE list of current sites: http://indiewebcamp.com/POSSE#Sites
tilgovi, tantek and tantek_ joined the channel