#dev 2016-08-12

2016-08-12 UTC
KevinMarks_, KevinMarks, chrisaldrich_, mindB and doesntgolf_ joined the channel
#
askmat2.tumblr.com
edited /site-deaths (+337) "/* Any Day Now */"
loicm and cmal joined the channel
#
cmal
ahoy
#
petermolnar
morning cmal
#
Loqi
good morning!
#
@borisschapira
@nhoizey not even. But I make a few calls to webmention.io, which costs me about 100s. So that leaves 6 min…
(twitter.com/_/status/764016491809296385)
#
cmal
what's up? :)
#
@nhoizey
@borisschapira ah yes, I need to add webmention.io, haven't done it yet… 😉
(twitter.com/_/status/764016676723490817)
#
petermolnar
aaronpk++
#
Loqi
aaronpk has 1089 karma (7 in this channel)
#
petermolnar
I wanted to write something really similar (flat file tsdb), but never really found a use case for myself
#
cmal
petermolnar: how about ActivityPub streams? or just the taxonomies (tags, categories, authors) on your blog?
loicm_ joined the channel
#
cmal
has anyone already worked with amp (async PHP framework)? https://github.com/amphp/amp
mindB2 joined the channel
#
cmal
or any other asynchronous PHP framework, for what it's worth
#
cmal
if somebody has experience and/or benchmark, I'm fairly curious about it :)
loicm_, doesntgolf_, doesntgolf, singpolyma, KevinMarks and gRegorLove joined the channel
#
gRegorLove
what is commentpara.de?
#
Loqi
commentpara.de is an anonymous commenting system for the indieweb https://indieweb.org/commentpara.de
#
miklb
anonymous and IndieWeb seem incongruous
#
gRegorLove
My brain's a bit slow today. I kept reading that as "comment para de" like some sort of Spanish, haha
#
Loqi
hehe
#
gRegorLove
I don't know about incongruous. There's good cases for anonymity and pseudonymity (sp?)
mindB joined the channel
#
cmal
gRegorLove: do you know if the code for commentparade is anywhere on the Interwebs?
#
cmal
thanks :)
#
miklb
gRegorLove what's the case? I thought IndieWeb was about owning your identity.
#
sknebel
miklb: if I understand right you could point people there to allow non-indiewebified people to comment on your site, without having to implement anything extra? (although you could see it as a feature that they can't ;))
#
cmal
sknebel: indeed, but that's also an open invitation for unlimited spamming and trolling :D
#
gRegorLove
online identity does not need to be your real-life, legal identity. For some people it's a matter of safety.
#
gRegorLove
I don't know what I think about anonymous comments, per se. Speaking more broadly.
#
miklb
that I understand, but you could have an online presence that is verifiable in the sense that you have an established "identity", albeit not necessarily legal identity.
#
cmal
gRegorLove: anonymity is unthinkable in terms of social networks, but pseudonymity is the goal in our case : the next step is ensuring your personal information stays disconnected from any of the only pseudonyms you use (onion routing, etc.)
#
aaronpk
that's known as a pseudonym
#
gRegorLove
What is pseudonym?
#
Loqi
It looks like we don't have a page for "pseudonym" yet. Would you like to create it?
#
cmal
miklb: the GPG trust web does that perfectly, we just need more practical uses of it :-/
#
cmal
gRegorLove: a pseudonym is a nickname
mindB joined the channel
#
cmal
Can be as little as a URL, but if we're trying to have authorship info about stuff (say, to handle social interactions), we need at least something so full anonymity is not really possible
#
gRegorLove
Start the line with "pseudonym is" and Loqi will pick it up
#
aaronpk
speaking of GPG, i was just trying to figure out if there's some way to combine webmention with GPG to send signed webmentions, allowing you to skip the verification check if the signature passes
#
gRegorLove
Aw, sandeep's site is offline.
#
gregorlove.com
edited /anonymity (+80) "Wayback archive of Sandeep's post"
#
cmal
pseudonym is another word for 'nickname'. A pseudonym is the name associated with an identity. Most common uses are for artists, activists and just about almost everyone online.
#
loqi.me
created /pseudonym (+210) "prompted by gRegorLove and dfn added by cmal"
#
gRegorLove
What is nickname?
#
Loqi
It looks like we don't have a page for "nickname" yet. Would you like to create it?
#
cmal
aaronpk: that would be great!
#
cmal
that would actually solve many of the current shortcomings with vouching
#
gRegorLove
Wow, plurk.com is still around
#
miklb
aaronpk would something like keybase.io help with that?
#
aaronpk
keybase certainly makes it easier to deal with managing gpg keys
#
aaronpk
i don't think there's any connection other than that
#
gRegorLove
I feel like the /Vouch barrier will be easier than GPG, heh
#
cmal
gRegorLove: you mean in regards to adoption?
#
gRegorLove
Or at least overcoming the technical difficulties of /Vouch. ben_thatmustbeme and I have scripts validating referrers to use as Vouch URLs.
#
aaronpk
the nice part of GPG is that there are a lot of tools around it already so you can use it without really needing to know how to implement crypto from scratch
#
cmal
gRegorLove: well I think no one is crazy worried about vouching because there isn't such a huge spamming/trolling problem on the Indieweb just yet, but as soon as it happens we'd better have some efficient solutions to tackle the issue :)
#
gRegorLove
Mine is built in to the ProcessWire plugin, so when/if its usage ever took off, everyone there has it.
#
gRegorLove
I'd like to see similar in the WordPress plugin
#
aaronpk
i'm also thinking about the scale problem, not just spam
#
sknebel
one could also use a site's HTTPS cert maybe? (I wish client-certificates were better supported, then that would be a way, but maybe you can use them to sign stuff as well)
#
cmal
sknebel: I don't think that's a solution as it only allows to identify the domain itself, but there may be several users sharing subfolders for instance
#
gRegorLove
I guess my first thought/concern is the idea of putting all these GPG private keys on a server
#
cmal
gRegorLove: that's indeed profoundly stupid, but that's the best we've got. then again it's all about pseudonymity, not anonymity : we're NEVER going to use our real-life PGP keys on a production site exposed to the public :D
#
aaronpk
you already have a bunch of secret keys on your server anyway, and you can always use a separate key for this stuff
#
gRegorLove
But managed by server software that I trust better :)
#
cmal
but if you set up PGP keys associated to your identity on the Indieweb, with a specific subkey that you let the server use
#
cmal
then if your site gets compromised, you can just revoke the subkey and generate a new one
#
gRegorLove
aaronpk: Are you thinking for like, Telegraph, or for individual sites?
#
aaronpk
hadn't thought about delegated sending
#
aaronpk
but you could use subkeys for that too
#
aaronpk
here's a rough outline of what i'm thinking, minus the specifics
#
gRegorLove
(Not trying to poo poo the idea, just thinking out loud)
#
aaronpk
1) I want to send a webmention about a URL on aaronparecki.com to a URL on gregorlove.com. I first make sure my home page (author URL) has a rel=pgpkey to a public key
#
aaronpk
2) I create a payload containing the contents of my post, and sign it with my private key
#
aaronpk
3) I discover the webmention endpoint of gregorlove.com as normal, and send the webmention to it, including the signed payload
#
aaronpk
4) gregorlove.com's webmention endpoint sees the GPG message, unpacks it, and finds the author URL inside
#
aaronpk
5) if the endpoint already knows the public key for that author URL, it skips this step. if it doesn't know the key, it fetches the author URL and looks for rel=pgpkey
#
aaronpk
6) the endpoint then verifies the GPG message, and if it passes, can treat that as a successful webmention, and can skip fetching the source URL
#
aaronpk
i guess you'd need some way to check whether the key has been revoked, so not sure where that fits in to things
#
gRegorLove
So it alleviates traffic on the sender for webmention verifications
#
aaronpk
yeah and saves a step for receiving if the receiver has communicated with the sender in the past
#
cmal
aaronpk: this is about keeping your local keybase updated (cron or something?) then GPG will automatically "fail" if the key has been revoked
#
sknebel
so once I completed the dance successfully I can then spam you with invalid webmentions?
#
aaronpk
yeah haha
#
sknebel
or only with invalid webmentions from the same domain as before?
#
aaronpk
from your domain yeah
#
Loqi
awesome
#
aaronpk
actually it's based on your author URL
#
sknebel
but then you either have to add that to the WM payload
#
sknebel
or fetch the source anyways
#
sknebel
to find it
#
aaronpk
right, that's part of the payload that gets signed
#
aaronpk
like imagine taking the mf2 json of your post and signing that
#
sknebel
I still can make that up, but if you require that author url and source are the same domain I can only make it up about posts on my site... where I could spam links to your domain anyways
#
sknebel
and for other domains you don't accept it
#
cmal
also, we could try to support different key types for different implementation needs : I'm thinking libsodium (way faster than PGP and very strong)
#
aaronpk
you lose all the benefits of the GPG toolchain once you do that, and might as well be making up your own JSON signing spec at that point
#
sknebel
webmention over SOAP with WS-security
#
gRegorLove
What step does it save for the receiver? Still need to fetch the source URL to verify it links?
#
aaronpk
no, that's the point, the webmention data is in the GPG message
#
gRegorLove
Ohh, so it's like a fat ping
#
Loqi
[aaronpk] 2) I create a payload containing the contents of my post, and sign it with my private key
#
aaronpk
yeah, a signed fat ping
#
gRegorLove
Huh. Interesting.
#
cmal
aaronpk: I don't know, it could just be used as a signing mechanism (following the same procedure as you described with PGP) and then we could be back to using followers or XFN as a chain of trust
#
aaronpk
pubsubhubbub made up its own signature method for fat pings https://superfeedr-misc.s3.amazonaws.com/pubsubhubbub-core-0.4.html#authednotify
#
cmal
I mean, I see two downsides with PGP-everywhere : it's super slow (especially on tiny computers like raspberry pi), and the Web Of Trust is public by essence
#
cmal
so that means you cannot vouch for someone without your vouching being made public, which basically means it would be very easy to map around the whole web of trust of the indieweb (which in terms of privacy is disastrous)
#
aaronpk
you don't need the web of trust aspect for what i outlined to work though
#
aaronpk
it's the same way you can use a gpg key to authenticate on indieauth.com
#
cmal
no indeed, but implementing different hashing algorithms wouldn't be that complicated and would match different needs
#
cmal
encryption*
#
cmal
signature*
#
cmal
(or both)
#
loqi.me
created /common_crawl (+72) "prompted by KartikPrabhu and dfn added by KartikPrabhu"
#
aaronpk
come to think of it, you could probably overlay DKIM on top of webmention too https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
#
aaronpk
tho even DKIM doesn't verify the message contents, only the headers
#
gregorlove.com
edited /common_crawl (+82) "dfn, see also"
#
gRegorLove
what is common crawl
#
Loqi
common crawl is an open repository of web crawl data https://indieweb.org/common_crawl
#
loqi.me
created /scutter (+65) "prompted by AngeloGladding and dfn added by AngeloGladding"
#
gRegorLove
What is Loqi?
#
Loqi
Loqi is a friendly and useful bot present in the IndieWeb discussion channels https://indieweb.org/Loqi
#
gRegorLove
Who is Loqi?
#
Loqi
Loqi is a friendly and useful bot present in the IndieWeb discussion channels https://indiewebcamp.com/User:Loqi.me
#
gRegorLove
Who is gregorlove?
loicm_ joined the channel
#
KevinMarks
The other pattern I'm seeing with the decentralized web stuff is the public key being how you look up the homepage
#
KevinMarks
So posts are keyed by content hash, and signed, and you can look them up by public key of the signer
#
KevinMarks
Zeronet uses Bitcoin public keys, so you can send coins to the post author out of band
#
sknebel
right, because linking names to keys is difficult without a central authority
#
sknebel
TOR onion-service addresses are the same
#
sknebel
(address is hash of the public key of the server running the service)
#
loqi.me
created /lobsters (+127) "prompted by gkbrk and dfn added by gkbrk"
KevinMarks_ and KevinMarks joined the channel
#
cmal
aaronpk: that would mean only one key per domain (so wouldn't work for subfolder installs) and would require the user to have control over the DNS (which I can only approve of but is unfortunately not so widespread)
#
aaronpk
yeah, you'd have to do subdomains for multiple users on a domain
#
aaronpk
not ideal
#
cmal
so I don't know, why not have possible keys be fetched by the mf2 parser and then let the endpoint implement whichever/whatever hash?
#
aaronpk
yeah i don't know
#
aaronpk
i'd love to talk to a large provider considering webmention to see what the sticking points are for them implementing it
#
KevinMarks
Subdomains are how a lot of hosts do it already - blogger, wordpress, tumblr
#
cmal
mmmmm but then you're specifically relying on DNS as a means of accessing the content (although .onion is DNS-compliant I believe, some other resolution protocols like IPNS might not be able to provide TXT keys or rely on DNS infrastructure at all)
ChrisAldrich joined the channel
#
ChrisAldrich
aaronpk: Isn't kylewm at Medium? Is he trying to get them to implement webmention? It would be a killer feature for a major platform to have. Curious if he's brought it up there and what their response was?
#
aaronpk
I wouldn't be surprised if he has brought it up
#
ChrisAldrich
I suspect it would force the hands of WordPress, Tumblr and others to adopt it more widely if they did.
#
ChrisAldrich
I still remember thinking the Indieweb community should pile onto this post [https://medium.com/inside/hey-ev-what-about-mentions-37aa9313e9d9#.vxzx5vs6t] last year to push them to adopt it web-wide rather than just internally.
KevinMarks joined the channel
#
loqi.me
created /Clef (+137) "prompted by gRegorLove and dfn added by aaronpk"
cmal and chrisaldrich1 joined the channel