#indiewebcamp 2014-06-21

2014-06-21 UTC
#
@agoracollective RT @brennannovak: Interested in a better & more open web? Come learn & hack at #IndieWeb Camp 2014 in Berlin @agoracollective http://t.co/J… (twitter.com/_/status/480139154118832128)
#
bnvk Wow, whoever runs the Agora collective just checked their Twitter at 2 AM
#
aaronpk out partying friday night?
#
rascul aaronpk how do you sign your key for the pgp login?
#
aaronpk I use GPGTools for osx which puts an entry into the "Services" menu in chrome. then I can select the plaintext and press my keyboard shortcut which signs it and replaces the highlighted text with the signed version
#
rascul i think i did gpg --clearsign
#
rascul can't really remember if i used gpg or keybase but the end is the same
#
aaronpk i've also done it with the keybase CLI
#
aaronpk but it's way slicker with the keyboard shortcut!
#
rascul i found a pgp extension for firefox that looked like it would allow me to sign it in the browser
#
rascul i was tricked, though
#
aaronpk lol
#
aaronpk here's my crazy idea for a mobile app to do the GPG login https://farm3.staticflickr.com/2912/14466040011_aeec2dba92_b.jpg
#
rascul can't check it now i'm not on a computer with graphics
#
aaronpk lol k
#
aaronpk bnvk: bear: KartikPrabhu: kylewm: rascul: what do you guys think of this idea for a mobile GPG login app? https://farm3.staticflickr.com/2912/14466040011_aeec2dba92_b.jpg
#
KartikPrabhu this is to log in on your mobile right?
#
aaronpk you'd be signing in at a computer, but your phone has the key
#
aaronpk that top rectangle is supposed to be a browser window
#
bear that is what I was noodling over at the pub just now
#
aaronpk sweet
#
bear using the gpg endpoints to allow non-person automation to also authenticate
#
aaronpk true!
#
bnvk aaronpk: I think it sounds great. I actually spec'd out a similar flow https://brennannovak.com/uploads/files/easy-key-sharing.pdf and talk https://vimeo.com/84468358
#
bear the phone would allow a 2factor like auth check
#
bnvk well, mine flow deals more with key signing
#
bnvk and sharing
#
bnvk but using QR code to transmit key info + fingerprint
#
KartikPrabhu sounds nifty. never used a QR code before so can't picture how this would feel to use
#
bnvk I think a mobile QR / PGP app would enable so many amazing things
#
aaronpk KartikPrabhu: go download the google authenticator app or duo mobile or one of those, then go to https://indieauth.com/totp and set it up!
#
aaronpk it'll feel kinda like that
#
KartikPrabhu will test soon
#
bear yea, the gauth tool is a great example of using qr codes
benwerd joined the channel
#
bear aaronpk - what I like is that you can use http headers to control which gpg version a caller gets
#
bear automation could send a expects header that is non-human-doing-call something (cannot remember web lingo sorry)
#
bnvk bitcoin QR apps are pretty neat too
#
bear aaronpk - i've sent an email to my ios dev teammate asking about gpg libs
#
aaronpk yay thx
#
Loqi giggles
#
aaronpk i feel like this shouldn't be too hard to put together... there's already a barcode library and JSON library in ios
#
bnvk yah
#
bear yea, you can use the barcode scanner to do the rendering and return the data
#
aaronpk yeah it's all built in to ios now http://maniacdev.com/2014/02/example-use-the-ios-7-barcode-scanner-api-and-identify-different-types-of-barcodes
#
bear email sent - it's his birthday today so he may not be at his keyboard :)
#
bear waves and heads out to the pub
#
kylewm wish kbs were still around. he has an android app that exchanges PGP keys via QR code
#
aaronpk oh yeah!
#
kylewm but I like your idea a lot aaronpk, would be super nice to use that at an untrusted computer
#
aaronpk yeah! and would also make a great second factor
#
bnvk I know a few devs in Iceland who were messing around witha QR code / PGP app, i've ping them on Twitter
#
aaronpk let me see if I can put together a better outline of this then
#
aaronpk I could even implement the whole thing on the server so that someone else could build the app given the spec. Even if I make an ios app i'm certainly not going to make an Android one
#
kylewm so the other day, I left my phone somewhere, and was trying to sign into google to find it (device manager or whatever), but couldn't because the TOTP thing is on my phone
#
aaronpk ha
#
kylewm is that the way that is supposed to work? :P
brianloveswords joined the channel
#
aaronpk need a name for this auth app... I really don't want to call it IndieAuth
#
bret AaronAuth
#
bret loljk
#
aaronpk :)
#
gRegor` Re kbs, you could try to reach him on g+ or github. Looks active on github.
#
gRegor` ^ kylewm
#
gRegor` "Pull Request: IWC wants you to come back!" :)
#
bret what if my authserver was an app in my phone?
#
bret and my identity, my website
#
aaronpk bret: as long as your auth server has an internet-accessible URL you can use it
#
bret how addressable are phones?
#
aaronpk well you can't really do it on ios cause they don't let you run stuff like that in the background
#
bret hrmm yeah, wouldnt really work would it
#
aaronpk it's conceivable that you could run an http server on android, then you'd just be limited by what the cell network allows
#
colintedford.com edited /User:Colintedford.com (+114) "/* Current setup & practices */ fix Wordpress date, small rewording & addition" (view diff)
#
aaronpk i could call it the GPGAuth app
#
bret snorts and pushes up glasses
#
bret yeah!
#
bnvk bret: if you have Android, you could use https://pagekite.net/
#
bret :) GPGAuth would work, but its pretty dorky
#
aaronpk GPG is pretty dorky :P
#
bret XD
#
bnvk yah, does work, but is a bit geeky
#
aaronpk hmm a gnu is an animal
#
bnvk we gotta make GPG cool and not geeky
#
gRegor` NerdAuth
#
bnvk l33t auth
#
gRegor` Oh, in that case, ArtisanalAuth
#
aaronpk oh dear
#
bret lol
#
gRegor` tangent: I love how Merlin Mann pronounced that "Artis-anal"
#
aaronpk could just call it Antelope
#
bnvk go full hipster and call it a complete non sequitur
#
gRegor` Call it "Oy"
#
bnvk what's a clever animal
#
aaronpk Fox
#
bret call it "Goooooaaaaallllllll"
#
bnvk one who would be a lock picker
#
aaronpk http://list25.com/25-most-intelligent-animals-on-earth/
#
bnvk ooo Fox Auth
#
aaronpk Squid
#
aaronpk or Pigeon!
#
aaronpk ha Falcons are on that list
#
bnvk Crow is pretty cool
#
bnvk they're dark, security is "dark" ish
chrissaad joined the channel
#
gRegor` PrettyGoodAuth
#
bnvk Crow, Hawk, or Owl
#
aaronpk this would make a sweet app icon http://thenounproject.com/term/crow/627/
#
bnvk wait, hawks aren't on that list
#
aaronpk can't use Hawk... that's already Eran's alternative to OAuth ;) https://github.com/hueniverse/hawk
#
bret GPGOwl
#
bnvk Owl Auth
#
bnvk "hoo" "who"
dybskiy joined the channel
#
bnvk you could put in owl sound effects while it's performing the auth proc
dybskiy_ joined the channel
#
aaronpk Owl Auth... abbreviated OAuth
#
@soapfanfiction GOOD LUCK to all #daytimesoaps and #indieweb shows tonight @ the #CreativeArtsEmmys! @BandB_CBS @YandR_CBS @GeneralHospital @nbcdays (twitter.com/_/status/480154055264972800)
#
bnvk aaronpk: lol, noooooo
#
bnvk wtf, with that Soap tweet
#
aaronpk weird. usually it's the #indieauthor tweets that leak in here
#
bret , ,
#
bret )\___/(
#
bret {(@)v(@)}
#
bret {|~~~|}
#
bret {/^^^\}
#
bret `m-m` ldb
#
@Muffit1 RT @soapfanfiction: GOOD LUCK to all #daytimesoaps and #indieweb shows tonight @ the #CreativeArtsEmmys! @BandB_CBS @YandR_CBS @GeneralHosp (twitter.com/_/status/480154385368891392)
#
bnvk heh
#
bnvk oi, the bots
#
bret does twitter take spam seriosly? it seems like its just a boost to user count
snarfed joined the channel
#
kylewm bret: see https://twitter.com/JoeMande/followers 1 million, mostly bots (he did it on purpose)
#
bret terrible
#
@kyle_wm @soapfanfiction sincere question, what's #indieweb in this context? :) (twitter.com/_/status/480156705573978114)
#
@kevinmarks "@Case: @waxpancake @mathowie we basically need user-friendly DIY alternatives for all these things." #indieweb (twitter.com/_/status/480156887187345408)
wolftune and scor joined the channel
#
aaronpk hm duolingo already has a cute owl logo. should probably go with crow
bnvk joined the channel
#
bret ohhh media wiki plugin for sublime :)
tantek, wolftune, chrissaad, snarfed, krendil, ab9 and dns53 joined the channel
#
Loqi [mention] https://brid-gy.appspot.com/comment/twitter/BarnabyWalters/479915990084354049/479916750893768704 linked to http://indiewebcamp.com/fragmention (webmention)
#
rascul aaronpk your qr code thing looks good
#
@obra Is there an indieweb protocol to replace yo yet? Cc @t @benwerd @aaronpk (twitter.com/_/status/480177235253415936)
dybskiy and vanderwal joined the channel
#
@madradavid What we truly need are user-friendly One Click install , DIY alternatives ... #indieweb (twitter.com/_/status/480181567743352832)
#
kylewm one-click install isn't very DIY :P
#
rascul indeed
wolftune, scor and paulcp joined the channel
#
snarfed Jeena: just fyi, i'm seeing webmention 500s on jeena.net: https://www.brid.gy/facebook/728407677
#
snarfed glennjones: just fyi, i'm seeing webmention 502s on glennjones.net: https://www.brid.gy/twitter/glennjones
#
snarfed (click the X minutes ago links for details)
#
Jeena thanks snarfed, fixed. The funny thing is that I'm drunk now (just came back from a party, it is 7:30 am here now) and my fix seems to have worked regardless ^^
#
snarfed drunkcoding++
#
Loqi drunkcoding has 1 karma
wolftune and KartikPrabhu joined the channel
#
aaronpk lol
snarfed, tantek, dybskiy and KevinMarks2 joined the channel
#
KevinMarks the trouble with drunk coding is that you wake up and find all the global variables you added
#
@kevinmarks @Case @waxpancake @mathowie come along to IndieWebCamp in NYC or Portland next weekend - we've made a start: http://indiewebcamp.com/2014 (twitter.com/_/status/480224610223685632)
wolftune joined the channel
#
KevinMarks anyone here good at SSL checking? https://www.atunit.org needs some help
KevinMarks2, snarfed and zaal joined the channel
#
aaronpk chrome says it's fine
#
aaronpk ssllabs test tool has some suggestions https://www.ssllabs.com/ssltest/analyze.html?d=atunit.org
friedcell, nloadholtes, eschnou, snarfed and iboxifoo joined the channel
#
@AnthroPunk Yay! @internetarchive save #FTW! Thanks for saving our paper on Feb 7 Hosts took site down w/o telling us! #indieweb @brewster_kahle (twitter.com/_/status/480264100510183424)
snarfed, eschnou, wolftune, bnvk, nloadholtes, vanderwal, chrissaad, chrissaad1, brianloveswords, markmhendrickson, KevinMarks2 and nemo-yiannis joined the channel
#
@kevinmarks @tom_watson what's your blog running on? I'm sure http://indiewebcamp.com would love to help (twitter.com/_/status/480377435246977025)
Kopfstein, nloadholtes, gRegor`, ttepasse, markmhendrickson and bnvk1 joined the channel
#
Loqi [mention] http://werd.io/2014/simple-quick-stupid-set-the-bar-low-so-you-can linked to http://indiewebcamp.com (webmention)
kylewm, chrissaad and chrissaad1 joined the channel
#
kylewm.com edited /2014/Guest_List (+0) "/* Further East */ changed to Farther" (view diff)
brianloveswords, caseorganic, wolftune, friedcell, KartikPrabhu and eschnou joined the channel
#
gRegor` Question for anyone using a DB-backed CMS and displaying webmentions: Do you correlate the webmentions with the post via the post URL in the DB, or do you do any "discovery" process to find the ID of the post and just associate them using that?
#
gRegor` I am doing the latter currently, since I'm only accepting webmentions on articles, so it's easy to extract the post ID from the URL...
#
gRegor` But now I'm adding notes, which will have a different URL path, obviously. I could add more methods to parse the ID out of the URL, but I'm wondering if I should change my approach
#
gRegor` E.g. http://gregorlove.com/2014/02/1180/ "1180" is the post ID.
#
aaronpk my webmentions are correlated by full post URL
#
gRegor` I need to think on this some more. I forgot that I'm also displaying local blog comments, so it's easiest in my complex query to join together "all comments for post 1180" and "all webmentions for post 1180"
#
gRegor` Any caching, aaronpk?
KartikPrabhu and awolf joined the channel
#
aaronpk caching?
caseorganic joined the channel
#
gRegor` Are you reading the wm from the database on each page display, or are they cached periodically?
#
gRegor` KartikPrabhu: Question for you http://indiewebcamp.com/irc/2014-06-21#t1403379984
#
KartikPrabhu gregor`: i am reading the wm from the db on each page display... and they are linked to the relative URL of the post. So I can associate them to articles and notes
#
gRegor` Ok
#
gRegor` relative URL, interesting.
#
KartikPrabhu might contemplate caching them but not a priority at the moment
#
KartikPrabhu yes. that way if my site changes to "newsite.com" it still works
#
gRegor` Smart
#
gRegor` Well, guess I'll do whatever is quickest to get notes up and going before IWC. :)
#
gRegor` How's your top-secret project coming?
#
KartikPrabhu gregor`: writing the corresponding article so I can test/build it
#
KartikPrabhu you can see the broken draft here: https://kartikprabhu.com/article/marginalia
KartikPrabhu1, awolf and tantek joined the channel
#
aaronpk bear: thanks for the ios gpg link
#
aaronpk I'm guessing there is little support because GPG is GPL'd code http://tomwhipple.com/2013/11/where-is-pgp-for-ios/
#
aaronpk this looks good tho https://github.com/upnext/unnetpgp
#
kylewm aaronpk: did you ever end up writing a webmention notification app?
#
aaronpk no not yet, just specced most of it out here http://indiewebcamp.com/mention-app including the API methods and DB schema
#
kylewm cool ty
#
aaronpk as an initial test I subscribed to my mentions rss feed (via barnaby's h-entry to RSS proxy) using the Boxcar app
#
aaronpk it's pretty cool actually, but it does mean I get duplicate notifications for instagram likes and such :) one from instagram and one from Boxcar
#
aaronpk also it makes me reaaallly want to have bridgy pick up mentions faster
#
aaronpk I may need to have some filter on my mentions feed that doesn't send silo mentions to my notification app, only sends webmentions
#
kylewm haha, yes
#
Loqi ahaha
#
kylewm so i have an IFTTT trigger that does something similar... follows my mentions.atom feed and sends me a push notification
#
kylewm but the IFTTT app notification is not very useful. it just says "updated Kyle Mahan mentions"
#
aaronpk haha
#
aaronpk yeah mine are all "so and so likes this" without telling me what was liked
#
kylewm it wouldn't be hard at all to run a "secret" bridgy and tweak the polling rates
#
aaronpk i've never run a python app before
#
aaronpk actually wait i have... trac
#
aaronpk isn't that python?
#
kylewm looks like yes
#
kylewm bridgy (only) runs on google app engine tho
#
aaronpk why?
#
aaronpk why only i mean
#
kylewm mainly because it uses app engine's datastore
#
kylewm NDB
#
aaronpk ah
#
kylewm there might be 3rd party implementations, not sure
emmak and KartikPrabhu joined the channel
#
aaronpk what other asymmetric crypto libraries/standards are there besides GPG?
dybskiy joined the channel
#
aaronpk screenshots incoming
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:kirby-1-download-app.png]]""
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:kirby-2-generate-key.png]]""
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:kirby-5-email-export.png]]""
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:kirby-3-key-saved.png]]""
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:kirby-4-export-key.png]]""
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:kirby-6-link-to-key.png]]""
dybskiy joined the channel
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:kirby-7-indieauth-login.png]]""
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:kirby-8-kirby-code-prompt.png]]""
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:kirby-9-scan-kirby-code.png]]""
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:kirby-10-code-verified.png]]""
#
aaronparecki.com created /kirby-login-app (+2729) "wireframes and description of mobile-based GPG auth" (view diff)
#
aaronpk alrighty!
#
aaronpk here is a more thorough wireframe and UX flow for mobile GPG auth! http://indiewebcamp.com/kirby-login-app
#
bnvk1 aaronpk: Kirby?
#
aaronpk ya!
#
aaronpk it's a cute name and i found a cute logo
#
bnvk1 what happened to owl or crow?
#
bnvk1 :]
#
tommorris.org created /Gowalla (+497) "new article" (view diff)
#
bnvk1 it is cute tho
#
aaronpk Kirby, a shortening of the greek Kerberos
#
bnvk1 ah hah, i see
#
bnvk1 oh, you might want to checkout https://guardianproject.info
#
tommorris snarks snarkily with more snark
#
bnvk1 extra snark
#
aaronparecki.com edited /Gowalla (+81) "facebook, not foursquare, acquired gowalla" (view diff)
#
tommorris Snark, not necessarily accuracy.
#
aaronpk bnvk1: interesting. I don't see anything about auth/login there
#
aaronpk also I wanted to spec something that could have multiple implementations and isn't tied to any sort of silo account
#
aaronpk basically the experience is equivalent to https://getclef.com/ but doesn't require signing up with an account anywhere
#
bnvk1 so, If I understand this correctly- the app is going to replace the "signing" part of the process at IndieAuth that currently is manual and requires GPG Tools locally, right?
#
aaronpk right, this would allow you to sign the GPG challenge from your phone
#
bnvk1 So, kinda like a GoogleAuth token generator but uses PGP signing to auth into sites using your phone / QR while logging you on a website, rigth?
#
aaronpk the neat thing is if the phone can generate the key, then this is actually a very slick user experience that requires no knowledge of GPG
#
bnvk1 yes, so then how do you transmit the key to your site?
#
aaronpk that's the missing piece right now
#
aaronpk right now it's manual, you can export the public key from the app
#
bnvk1 yah
#
aaronpk I had an alternate version where it could submit the public key to indieauth.com directly (using the QR code again) but then it's tying it to specific auth providers
#
bnvk1 hrm, perhaps we could establish some sort of PGP transmission standard that uploads the key to your site?
#
bnvk1 of course, this would need some sort of auth process
#
bnvk1 hehe
#
aaronpk chicken and the egg :)
#
bnvk1 yea
#
bnvk1 i'll bounce that idea around everyone here
#
aaronpk cool
#
bnvk1 all of which are saying big thumbs up- really neat stuff tho :)
#
aaronpk i'll make a note at the bottom of my alternate flow
#
bnvk1 I'd absolutely love to help implement my key signing aspect at some point
#
aaronpk sweet
#
aaronparecki.com edited /kirby-login-app (+1262) "add intro, and notes about alternate public key setup" (view diff)
#
aaronpk bnvk1: see http://indiewebcamp.com/kirby-login-app#Alternate_Setup
chrissaad joined the channel
#
bnvk1 cool
#
bnvk1 so, the threat model of transmitting the pub key to your site is really only opening up a way for data to be uploaded to your site, right?
#
bear why not have the app use a webmention like url in the header
snarfed and jvalleroy joined the channel
#
bnvk1 aaronpk: here's an idea- your site generates a nonce style token that is compatible with Kirby
hodge joined the channel
#
bnvk1 perhaps a QR code
#
bnvk1 that kriby scans which then grants the app time limited access to upload the public key
#
bnvk1 aaronpk: are you editing the Kirby page? I can jot down this flow idea
wolftune joined the channel
#
bear reads the scroll back and catches up
#
bear if it's my site, putting the pub key is my task, but I see how this may be an issue for someone who doesn't control the server
#
bnvk1 yes, for non-techies uploading a key to a server is darn near impossible
#
bear and I think this method of auth is not for that set of users
#
bear because unless kirby is going to also send the key to keyservers, then it's not really pgp
#
bnvk1 well, improving the usability of PGP is kinda my thing at the moment- so i'm scheming in anyway I can ;)
#
bear nods
#
bear yea I see a lot of good in that
#
bnvk1 I've been having lots of chats about how to do decentralized keyexchange
#
bear btsync
#
bnvk1 mailpile, for instance, is going to send out key attachments to emails by default
#
bnvk1 indieweb sites are a perfect match for allowing keys to be hosted on one's own domain
#
bear nods
tantek joined the channel
#
bnvk1 subkeys are also an interesting possibility
#
bnvk1 but might be a rabbit hole as implementations of managing them are even worse than the parent keys, usually
#
bear including a nonce in the QR code so that kirby has a token to send back along the response path seem saner
#
bear yea, subkeys seem to shift the problem to another level but not solve it
#
bnvk1 yep
snarfed joined the channel
#
snarfed hey aaronpk, re wishing bridgy saw responses faster, were you thinking of one silo in particular? or all of them?
#
snarfed and would dropping it from the current 10-15m to 2m (or so) do it? or do you want seconds for your use case?
#
bnvk1 snarfed: i'll be in your neighborhood July 8th - 14th for https://soups.ece.cmu.edu/ would be cool to meetup if you have some free time
#
snarfed bnvk1: totally! happy to
#
bnvk1 sweet
#
bnvk1 do you use email, or are you like tantek in that respect?
#
snarfed email works for me
#
snarfed public@ryanb.org
#
bnvk sweet
#
aaronpk So one of the goals here is to make the gpg option as easy as adding an HTML tag to your site
#
aaronpk I don't want to require changes to your server architecture
#
bear then kirby should take the given pubkey, generate a nonce and have that placed in the tag
#
aaronpk So one way is to delegate the key management to an auth server like IndieAuth.com so that you just need to point to IndieAuth.com with a rel=authorization_endpoint tag
#
aaronpk The Kirby could upload the key to IndieAuth.com directly, don't even need to point to the key from your site
#
bear that moves the problem to another server tho - how does my site know that indieauth was authorized to store that key and has it correctly stored
#
aaronpk You'd be delegating to an auth server of your choosing
#
aaronpk Like you used to delegate to an openid we're
#
aaronpk Server
#
bear hrmm - yea, I see
#
aaronpk Then the consuming site doesn't even care about the gpg part, it's just doing normal IndieAuth (basically oauth) in this case
#
aaronpk Hmm yeah in practice I think people are more likely to not upload a key to their actual site
#
bear nods
#
aaronpk Even I didn't, I just linked to my keybase.io key
#
rascul i got my key on my site and on keybase
#
bear yea, while I like the gpg part of indieauth delegation, I just am wondering who will use it
#
rascul i will use it
#
aaronpk Part of my goal is to make it seamless to use, without even needing to know it's gpg
#
aaronpk Basically I just care about the asymmetric crypto part
#
bear I am wondering if this can be used to authorize in a temp fashion 3rd party tools - since they would not have my private key
#
aaronpk Normal IndieAuth should be able to do that too
#
bear :) - I shouldn't be thinking about crypto while watching futbol
#
aaronpk Haha
#
bnvk aaronpk: did you upload your private key to keybase.io ?
#
aaronpk I don't think so
#
aaronpk I honestly can't remember
#
bnvk hehe
#
aaronpk Wait no I must have cause I can sign things on the site
#
bnvk yah, then you did
#
bnvk the crypto scene ppl I know are very against the idea of ever putting your unencrypted private key on someone elses hardware
#
aaronpk Is there any drawback to having multiple private keys?
#
bnvk and thus very very skeptical of keybase
#
aaronpk Yeah I can understand that
#
bnvk it's basically as bad as storing ppls passwords in plain text in a password protected DB
#
rascul the drawback to more private keys is that it's harder to manage
#
bnvk yah, transmitting private keys between devices is hard
#
rascul keybase does not have my private key
#
aaronpk Well in theory the private key is encrypted with my pass phrase on keybase's servers, right?
#
bnvk mine either
#
rascul nobody will ever get my private key if i can help it
#
bnvk in theory
#
bnvk but their server code is not open source AFAIK
#
aaronpk Ya
#
bnvk and even it was, there is no proof they implemneted the public code
#
aaronpk I think a bigger worry than malicious intent by keybase is them making a mistake
#
bnvk I believe Apple uses a dual key system where each ICloud syncing device generates two keys and sends one private key wrapped in an encrypted envelope which Apple then decrypts
#
aaronpk In which case do I trust keybase or myself to not make a mistake
#
rascul btw if you use the keybase cli tool to make your keys it calls gpg and will go into your gpg key stuff
#
bnvk right
#
rascul so you can use either keybase or gpg tools with no farther intervention
#
bnvk yah, I use the keybase CLI from my machine
#
aaronpk Considering I lost a bunch of files both my canonical and backup copies... I'm having a tough time trusting myself lately
#
rascul backup your private key on a thumb drive or something
#
aaronpk Which thumb drive and where do I put it to not lose it etc etc
#
rascul hang it from your ceiling
#
aaronpk Ha
#
aaronpk That's a great idea actually
#
bear that's a cat toy in our house
#
rascul i built a computer awhile back, each component i had hung individually from the ceiling
#
aaronpk omg
#
brennannovak.com edited /kirby-login-app (+977) "/* Link to your public key from your website */" (view diff)
#
rascul with fishing line and thumb tacks
#
rascul hard drive was the first to fall
#
aaronpk I was at a friends house and their roommate has a computer with all the hard drives hanging
#
rascul thumb tacks are not good for hanging computer components from ceiling heh
#
aaronpk He also has like 12 CRTs there
#
brennannovak.com edited /kirby-login-app (+12) "/* Kirby based transmission of public key to your website */" (view diff)
#
rascul the motherboard and video card were constantly moving due to the fans
#
bnvk yah, I store all my private keys on encrypted thumb drives
#
aaronpk bnvk I really don't want to put the burden of accepting a public key on the persons site
#
aaronpk This should not require any server side infrastructure to work
#
aaronpk Like Bret should be able to use it with his static site
#
bnvk aaronpk: well, it should have to for sure
#
aaronpk That's why I've been talking about delegating to an auth server which is responsible for it
#
bnvk but more mature / robust web publishing platforms like p3k could easily bundle it, no?
#
aaronpk Of course you can run your own auth server on your domain if you want
#
bnvk that sounds a lot more complicated that something that generates a QR code or nonce
#
bnvk obvs ppl running static html sites are techies- it's a different user type altogether, no?
#
aaronpk Nope same idea as relmeauth
#
aaronpk Delegation of services is a good thing
#
aaronpk All it takes is adding an HTML tag. And if you want to go all out then yeah you can do it all yourself
#
aaronpk Check out the IndieAuth category on the wiki
#
bnvk adding HTML tags is still techie, IMHO, it's not Facebook easy
#
aaronpk Specifically the authorization endpoint page
#
aaronpk Yeah and server side components can add the tag for you. The point is it's a lot less to ask of platforms like Known or p3k to add the ability to add an HTML tag vs implement crypto
#
aaronpk Gotta go for now
#
bnvk reading...
#
bnvk what "generation" is this supposed to be relevant to?
#
bnvk maybe I'm missing the scope / goal of what you're trying to achieve- but it feels both "techie" and encouraging a more semi-centralized architecture of providers for simple auth
#
bnvk I really don't like the idea of having to engage with a 3rd party simply to login to my own site
#
bnvk or maybe it's just 2 AM here in Germany :)