#dev 2021-04-25

2021-04-25 UTC
# 00:00 
aaronpk i wonder if at some point i'm going to regret not using a database for this... right now i'm continuing on the path of hacky filesystem-only solutions
# 00:00 
aaronpk (adding some new features to oauth.net that require maintaining state and some dynamic lists)
# 00:48 
jacky throw sqlite at it! lol
# 00:48 
aaronpk i think that might actually make it worse haha
# 00:49 
jacky ohno lol
# 01:34 
lahacker is there a standard or a general name for using your TLS cert to sign/encrypt things other than HTTPS sessions?
# 01:37 
jacky hmm
# 01:38 
jacky a standard, I don't know
# 01:38 
jacky but the name gives me some sort of "Web of Trust" kind of vibe
# 02:02 
vilhalmer you might poke around ssh documentation, it has cert auth
# 02:03 
vilhalmer I don't know of a general term off-hand
# 02:45 
lahacker JSON Web Token relies upon JSON Web Signature and JSON Web Encryption; "The tokens are signed either using a private secret or a public/private key."; the Python library FAQ discusses using a x.509
# 02:45 
lahacker thanks jacky right when you said "web" i remembered
[schmarty] joined the channel
# 02:48 
[schmarty] lahacker: do any of those standards mention using a site's TLS keys for signing? I'd expect them to be separate keys.
# 02:48 
lahacker https://pyjwt.readthedocs.io/en/stable/faq.html
# 02:49 
lahacker i'm no cert expert and i haven't yet tested it
# 02:49 
aaronpk mixing TLS with application logic is a dangerous path to go down
# 02:49 
vilhalmer yeah using the same cert seems like a recipe for accidental exposure
# 02:50 
aaronpk e.g. as soon as you deploy to a CDN like cloudflare the whole thing breaks down since you no longer have access to your TLS key
# 02:51 
lahacker looks like let's encrypt somehow forbids it too: https://community.letsencrypt.org/t/x509-cert-for-signing-files-digital-signatures/67799
# 02:52 
KartikPrabhu we should use NFTs
# 02:52 
KartikPrabhu jk jk :P
# 02:53 
Loqi yea!
[snarfed] joined the channel
# 04:03 
[snarfed] lahacker: obligatory, https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid and https://paseto.io/
KartikPrabhu joined the channel
# 04:58 
jacky ah thanks for the reminder re: PASETO
dhanesh, loicm, __minoru__shirae, [fluffy], Pommy and KartikPrabhu joined the channel
# 14:10 
@indigitalcolor I set up a fork of @mxbck’s webmention analytics and it provides a better view of some of the more bespoke webmentions I’ve gotten directly from creators outside of Twitter (like a convo across sites about me debugging http://brid.gy on @LWJShow) https://github.com/maxboeck/webmention-analytics (twitter.com/_/status/1386321024984043533)
# 14:10 
@indigitalcolor I set up a fork of @mxbck’s webmention analytics and it provides a better view of some of the more bespoke webmentions I’ve gotten directly from creators outside of Twitter (like a convo across sites about me debugging http://brid.gy on @LWJShow) https://github.com/maxboeck/webmention-analytics (twitter.com/_/status/1386321024984043533)
shoesNsocks, [KevinMarks], vilhalmer, [snarfed], [chrisaldrich], Paul[m]5, Caleb[m]1, Seirdy and minoru_shiraeesh joined the channel
# 19:55 
@rtaylormcknight .@indigitalcolor love the webmentions section and design of your site https://aboutmonica.com/blog/adding-environment-variables-to-github-actions (twitter.com/_/status/1386407664964440068)
[Rose], indri, alex11, [chrisaldrich] and Seirdy joined the channel