#miklb gRegorLove what's the case? I thought IndieWeb was about owning your identity.
#sknebel miklb: if I understand right you could point people there to allow non-indiewebified people to comment on your site, without having to implement anything extra? (although you could see it as a feature that they can't ;))
#cmal sknebel: indeed, but that's also an open invitation for unlimited spamming and trolling :D
#gRegorLove online identity does not need to be your real-life, legal identity. For some people it's a matter of safety.
#gRegorLove I don't know what I think about anonymous comments, per se. Speaking more broadly.
#miklb that I understand, but you could have an online presence that is verifiable in the sense that you have an established "identity", albeit not necessarily legal identity.
#cmal gRegorLove: anonymity is unthinkable in terms of social networks, but pseudonymity is the goal in our case: the next step is ensuring your personal information stays disconnected from any of the only pseudonyms you use (onion routing, etc.)
#cmal Can be as little as a URL, but if we're trying to have authorship info about stuff (say, to handle social interactions), we need at least something so full anonymity is not really possible
#gRegorLove Start the line with "pseudonym is" and Loqi will pick it up
#aaronpk speaking of GPG, i was just trying to figure out if there's some way to combine webmention with GPG to send signed webmentions, allowing you to skip the verification check if the signature passes
#cmal pseudonym is another word for 'nickname'. A pseudonym is the name associated with an identity. Most common uses are for artists, activists and just about almost everyone online.
#gRegorLove Or at least overcoming the technical difficulties of /Vouch. ben_thatmustbeme and I have scripts validating referrers to use as Vouch URLs.
#aaronpk the nice part of GPG is that there are a lot of tools around it already so you can use it without really needing to know how to implement crypto from scratch
#cmal gRegorLove: well I think no one is crazy worried about vouching because there isn't such a huge spamming/trolling problem on the Indieweb just yet, but as soon as it happens we'd better have some efficient solutions to tackle the issue :)
#gRegorLove Mine is built in to the ProcessWire plugin, so when/if its usage ever took off, everyone there has it.
#gRegorLove I'd like to see similar in the WordPress plugin
#aaronpk i'm also thinking about the scale problem, not just spam
#sknebel one could also use a site's HTTPS cert maybe? (I wish client-certificates were better supported, then that would be a way, but maybe you can use them to sign stuff as well)
#cmal sknebel: I don't think that's a solution as it only allows to identify the domain itself, but there may be several users sharing subfolders for instance
#gRegorLove I guess my first thought/concern is the idea of putting all these GPG private keys on a server
#cmal gRegorLove: that's indeed profoundly stupid, but that's the best we've got. then again it's all about pseudonymity, not anonymity: we're NEVER going to use our real-life PGP keys on a production site exposed to the public :D
#aaronpk you already have a bunch of secret keys on your server anyway, and you can always use a separate key for this stuff
#gRegorLove But managed by server software that I trust better :)
#cmal but if you set up PGP keys associated to your identity on the Indieweb, with a specific subkey that you let the server use
#cmal then if your site gets compromised, you can just revoke the subkey and generate a new one
#gRegorLove aaronpk: Are you thinking for like, Telegraph, or for individual sites?
#aaronpk here's a rough outline of what i'm thinking, minus the specifics
#gRegorLove (Not trying to poo poo the idea, just thinking out loud)
#aaronpk 1) I want to send a webmention about a URL on aaronparecki.com to a URL on gregorlove.com. I first make sure my home page (author URL) has a rel=pgpkey to a public key
#aaronpk 2) I create a payload containing the contents of my post, and sign it with my private key
#aaronpk 3) I discover the webmention endpoint of gregorlove.com as normal, and send the webmention to it, including the signed payload
#aaronpk 4) gregorlove.com's webmention endpoint sees the GPG message, unpacks it, and finds the author URL inside
#aaronpk 5) if the endpoint already knows the public key for that author URL, it skips this step. if it doesn't know the key, it fetches the author URL and looks for rel=pgpkey
#aaronpk 6) the endpoint then verifies the GPG message, and if it passes, can treat that as a successful webmention, and can skip fetching the source URL
#aaronpk right, that's part of the payload that gets signed
#aaronpk like imagine taking the mf2 json of your post and signing that
#sknebel I still can make that up, but if you require that author url and source are the same domain I can only make it up about posts on my site... where I could spam links to your domain anyways
#cmal also, we could try to support different key types for different implementation needs: I'm thinking libsodium (way faster than PGP and very strong)
#aaronpk you lose all the benefits of the GPG toolchain once you do that, and might as well be making up your own JSON signing spec at that point
#cmal aaronpk: I don't know, it could just be used as a signing mechanism (following the same procedure as you described with PGP) and then we could be back to using followers or XFN as a chain of trust
#cmal I mean, I see two downsides with PGP-everywhere: it's super slow (especially on tiny computers like raspberry pi), and the Web Of Trust is public by essence
#cmal so that means you cannot vouch for someone without your vouching being made public, which basically means it would be very easy to map around the whole web of trust of the indieweb (which in terms of privacy is disastrous)
#aaronpk you don't need the web of trust aspect for what i outlined to work though
#aaronpk it's the same way you can use a gpg key to authenticate on indieauth.com
#cmal no indeed, but implementing different hashing algorithms wouldn't be that complicated and would match different needs
#cmal aaronpk: that would mean only one key per domain (so wouldn't work for subfolder installs) and would require the user to have control over the DNS (which I can only approve of but is unfortunately not so widespread)
#aaronpk yeah, you'd have to do subdomains for multiple users on a domain
#aaronpk i'd love to talk to a large provider considering webmention to see what the sticking points are for them implementing it
#KevinMarks Subdomains are how a lot of hosts do it already - blogger, wordpress tumblr
#cmal mmmmm but then you're specifically relying on DNS as a means of accessing the content (although .onion is DNS-compliant I believe, some other resolution protocols like IPNS might not be able to provide TXT keys or rely on DNS infrastructure at all)
ChrisAldrich joined the channel
#ChrisAldrich aaronpk: Isn't kylewm at Medium? Is he trying to get them to implement webmention? It would be a killer feature for a major platform to have. Curious if he's brought it up there and what their response was?
#aaronpk I wouldn't be surprised if he has brought it up
#ChrisAldrich I suspect it would force the hands of WordPress, Tumblr and others to adopt it more widely if they did.