#dev 2021-05-07

2021-05-07 UTC
IWSlackGateway2, [Emma_Humphries] and [tantek] joined the channel
#
[tantek] would this be considered a single point of failure? https://www.bbc.com/news/world-europe-56978344
#
[tantek] Is anyone regularly exporting / purging data from their modern "car"? Per the data collected by the vehicle as noted here: https://theintercept.com/2021/05/03/car-surveillance-berla-msab-cbp/
#
aaronpk if i owned a car i might do that :)
#
aaronpk my bike doesn’t collect any data
#
[tantek] my car doesn't have any USB ports. after reading that article, I feel like I need to pick up packs of USB data blockers and just leave them in friends cars plugged into their USB ports
#
[tantek] going to #indieweb-chat to for specific products
[tantek]1, nertzy, samwilson and [tw2113_Slack_] joined the channel; ShadowKyogre left the channel
#
petermolnar my car is too old for this, but I do have a bluetooth ODB-II port connector; if that was constantly connected I could log things like engine rpm for trips.
#
petermolnar *OBD
#
petermolnar so if someone is looking for mere logging, take a look at devices like https://www.ebay.co.uk/itm/363322230987 combined with https://play.google.com/store/apps/details?id=com.pnn.obdcardoctor
tomlarkworthy joined the channel
#
tomlarkworthy my first two users to the indieweb login could not figure it out at all. I am wondering how I can quickly get them up to speed quicker.
#
tomlarkworthy is this a dev topic or a general topic?
#
tomlarkworthy 1st had http website. 2nd had a github page linked to a "collective" homepage
#
petermolnar (no snark or offense intended) I'm genuinely curious how much of the newcomer issues could be boiled down to have they ever written html by hand
#
tomlarkworthy yeah the 2nd one is very technical bordering on famous
#
tomlarkworthy I am using indieauth for login to a service though, not for building homepages or anything to do with blogging
#
tomlarkworthy So the users want to login to their cloud console using indieauth
#
tomlarkworthy they are not interested in blogging, they want services
#
tomlarkworthy so this is maybe why learning about bidirectionally linked identity graphs is not on their minds
#
tomlarkworthy but the chances that a random has a homepage ready to go it quite low
#
tomlarkworthy I have some ideas on how to get people up to speed ASAP, jsut wondering if anyone else has pondered this
samwilson joined the channel
#
petermolnar semi-offtopic: camera lens identification via EXIF sucks, but I now know a few tricks.
[Ana_Rodrigues] joined the channel
#
tomlarkworthy oh there was also a casing issue too. I wrote some notes
[grantcodes], [KevinMarks], [Murray], samwilson and alex11 joined the channel
#
GWG petermolnar: If I used lenses, I'd want to post that
KartikPrabhu, [tantek], [schmarty], [aciccarello], shoesNsocks and ShadowKyogre joined the channel
#
sknebel aaronpk: reword that question please? not 100% sure what you mean
#
sknebel do you mean from a script in the page, or ...?
#
aaronpk my question in -chat?
#
sknebel whops, yeah
#
sknebel belongs here :P
#
aaronpk only vaguely :)
#
sknebel (saw it in the summary across all channels and though it was -dev)
#
sknebel there is ServiceWorkerRegistration.unregister(), or are you wondering what to do if yoi have a stuck cache?
#
aaronpk yeah
#
aaronpk say i launched a website with full offline support
#
aaronpk then removed the SW code, the browser would still serve the offline page right?
#
aaronpk so how do i un-stick it so that i can remove the old page in order to update it?
#
sknebel afaik it shouldcheck the service worker file for updates every day or so
#
sknebel so you can update it with one that disables the caching
#
aaronpk hm i don't even see the browser making a request for that file when i reload the page
#
sknebel *once a day or so
#
aaronpk oh right
#
aaronpk found this: https://github.com/NekR/self-destroying-sw#how-to-use
#
Loqi [NekR] self-destroying-sw: Code-snippets and guides on removing ServiceWorker from a websiste.
#
aaronpk wow that worked instantly
#
aaronpk i didn't even reload the browser and it ran the new SW code and uninstalled itself
#
sknebel what is service worker?
#
Loqi service workers are scripts that run in the background, separate from tabs with the site open, and are commonly used for offline functionality and push notifications https://indieweb.org/service_worker
#
aaronpk service worker << how to remove a "stuck" service worker https://github.com/NekR/self-destroying-sw
#
Loqi ok, I added "how to remove a "stuck" service worker https://github.com/NekR/self-destroying-sw" to the "See Also" section of /service_worker https://indieweb.org/wiki/index.php?diff=75626&oldid=68185
[chrisaldrich] joined the channel
#
jacky would one think that musings around a /follow page would belong in here? especially on #FollowFriday lol?
#
jacky I'm still pondering on _what_ that kind of page should or could show - (hints as to how many people followed me over the last month? Something I posted recently that's "trending" on my site because it got the most reactions in a particular time window?)
#
jacky I also still wonder if it should be able to hint/sniff at someone's Microsub setup and use that to add themselves to their subscriptions
#
aaronpk bahaha i love the idea of a "trending" section
#
aaronpk it's so ridiculous
#
jacky lol tbh I don't know if I'd use _that_ word, maybe like "High Engagers" or something with a small link explaining how I get that info
#
jacky maybe even some sort of a sparkline to hint at its rate of 'engagement'
#
aaronpk i have "top posts" on my monthly archive pages
#
jacky peeks
#
aaronpk https://aaronparecki.com/2021/04
#
aaronpk ranked by a combination of likes, reposts and replies
#
aaronpk it's done per month tho, i kind of like the idea of specifically a "trending" section that's just persistently updated
tomlarkworthy joined the channel
#
tomlarkworthy I am thinking of a wizard which will find the shortest path for getting you a usable identify URL using the oauth provider of choice. So you fill in questions like "I have a homepage at ____" "I have a github account" and it list actions you still need to take.
#
tomlarkworthy like a linter
#
jacky aaronpk: yup
#
[KevinMarks] like a varaint on indiewebify.me?
#
jacky I'm thinking about running the stats often (like once a day or every two days)
#
jacky maybe longer might be needed
#
aaronpk jacky: would you do it based on view count too? or just interactions?
#
tomlarkworthy oh wow, thats awesome @KevinMarks I had not seen it yet
#
jacky hmm I never considered that (mainly because I don't collect that info explicitly - I think Matomo might have it)
#
jacky but nah, I think solely engagement
#
tomlarkworthy I would prefer it a bit more goal directed, like I want to login with ____ using Oauth profide ____ so it gives you the minimum steps for that goal. Coz at the moment, even that IndieWeb tells you what things are not backlinked but my users are missing the motivation for backlainks
#
jacky hm okay I _ can_ get view counts from Matomo
#
jacky but I think I'd need to have view count + duration
#
jacky waves hand at math
#
aaronpk that'd be interesting too
#
aaronpk tho for me there's only one page that gets the majority of my traffic still, and it's always at the top by an exponential amount
#
aaronpk so i might have to always exclude that from the stats
#
[KevinMarks] a more goal oriented version of indiewebify me could make sense, or beefing up the web login section there
#
tomlarkworthy yeah I don't really want to be replicating work. Though I check for a specific social profile on the graph to unlock additional permissions on the account, so its a bit beyond the normal usecase
#
tomlarkworthy Hey @Kevin I remember you saying it be nice to have a self hosted ObservableHQ
#
tomlarkworthy I can extract fully encapsulated notebook tars now https://observablehq.com/@tomlarkworthy/notebook-backups
#
tomlarkworthy and I am very close to having a service worked being able to unpack and serve them on the fly https://observablehq.com/@tomlarkworthy/offline
#
tomlarkworthy service worker
#
tomlarkworthy the idea being I am able to suck all my content off and put on my website soon
#
tomlarkworthy or mirror it
#
tomlarkworthy so my website would be a read only mirror for observable. Observable remains the editing platform.
#
tomlarkworthy Observbale is the CMS front end to my personal website
#
tomlarkworthy does anyone understand service workers? I ahve a problem that the first time you visit I serve a page that installs the service worker. The second time you visit the service worker serves the dynamic content. I would prefer to serve the dynamic content in one go. Worse comes to worse I will do a clientside redirect but seems liek there should be a better way?
#
aaronpk haha see convo from earlier above
#
jacky aaronpk: yup!
#
jacky I do want something like this to kinda exist b/c it'll help from a microsub perspective when you come across someone new and want to find something potentially interesting (that being, what their current audience seem to engage with a lot)
#
GWG Zegnat, aaronpk, sknebel That reminds me. Private posts, webmentions and autoauth came up at HWC and I came to a realization
#
GWG The question of private posts, regardless of the auth mechanism, is how many people have the ability to have a private post unlocked by a token? Regardless of how you get a token
#
aaronpk requires server side code of some form
#
aaronpk even if that is at the web server, e.g. an nginx config thingy
#
Zegnat I am not sure I understand the question with "how many people"? Surely in OAuth terms it is: infinite amount of people, until the token is revoked? Could you rephrase and help me understand if that was not the question being asked :)
#
jacky yeah re: private posts - I really have been trying to find a 'easy' solution and it all points to the server
#
aaronpk only exception is if you do some tricky stuff with encryption and decrypt it in JS
#
aaronpk but that's like, a whole thing
#
GWG I meant, do we have enough people with the infrastructure?
#
Zegnat AMP paywall is an interesting example of that, actually. I was thinking of giving implementing that a go at some point.
#
GWG I don't have the ability to issue a token to give access to a specific page
#
GWG So, isn't that something we can encourage as a step? So that we'd have a pool of people to test the auth part
#
aaronpk i don't know, i kind of think it has to happen all together
#
tomlarkworthy Here is how I encrypt payloads so I can store private stuff in public spaces https://observablehq.com/@endpointservices/notebook-secret
#
aaronpk or there has to be some other benefit you'd get by doing that
#
Zegnat I am not sure what infrastrucure to encourage first. Wouldn‘t the best thing to encourage be the making of private posts in general, without the focus on the specific infrastructure like issuing tokesn and what type of tokens etc?
#
aaronpk i think so yes
#
Zegnat Just encouraging the existence of private posts in general.
#
aaronpk also we should probably stop calling them private posts ifthey are intended to be shared with anyone
#
Zegnat I think sebsel did it right on https://seblog.nl/ where you can use the login link at the top to login with any indieauth enabled site (or Twitter, which I think he also supports). Then you are logged in and might be able to read certain posts that are otherwise locked.
#
aaronpk yeah i think that's a better first step, since that way there's benefit regardless of any site to site interop plumbing
#
GWG That's sort of what I'm proposing. I don't have a good system for this right now , so I have nowhere to go but up
#
[aciccarello] Sebsel's flow is nice
#
[aciccarello] I've looked briefly into private posts with a static site generator. The best idea I could come up with was either some encryption scheme or a JS API call to a server hosting private content.
#
aaronpk the blocker for me right now is figuring out how to store/index posts internally such that i can generate feed pages depending on who is logged in
#
[aciccarello] Ah, yeah. I forgot about the feed page part
#
GWG aaronpk: Who other than you can login to your site?
#
aaronpk noone right now
#
aaronpk there's no reason for anyone to log in until they can see something different
#
aaronpk at least i have an internal contact list now so i can link logins to that database
#
GWG I have private post capability built into my system, but there's a bunch of missing features...namely a way to decide who gets to see what to start.
#
GWG Also, private posts in WordPress 404, and I might want a 401
#
Zegnat The HTTP code is also an iffy one. I feel like that was brought up a couple of times in the autoauth discussions. You may want to both signal with a header that your site supports logging in to see more things, while also giving 404 responses because URLs might leak informatoin
#
sknebel fairly sure we said hiding it is fine
#
jacky wow okay
#
GWG sknebel: It is. My point was the feature is not usable to me
#
jacky went on a random rabbit hole on https://seblog.nl and landed here https://write.as/matt/towards-a-commenting-system
#
Loqi Sebastiaan Andeweg
#
jacky The bit under "The idea so far" is solid
#
Zegnat From that post: "It'll show up in a list of comments". Is that what [tantek] used to do on his blog? I mean the 15 year old blog? I don’t seem to have a link at hand, but something is itching at my memory
#
Zegnat "It'll show up in a list of comments as only: Post Title [linked] and Author Name. Readers will need to click through to read the reply." = to add more context
peterrother, themaxdavitt, stacktrust_, ludovicchabant, jbove and [sebsel] joined the channel
#
[sebsel] I heard my name, but I wanted to note that my Twitter login might be broken for a while now but nobody uses it anyway given how few error notifications I get 😅
#
[aciccarello] Well your indieauth works 😁 sebsel++
#
Loqi sebsel has 5 karma in this channel over the last year (9 in all channels)
#
jacky the indieauth agena
#
jacky *agenda
[chrisaldrich] joined the channel
#
jacky this is not what I thought it'd be https://litestream.io/
#
tomlarkworthy woah service workers FTW!!!!! https://endpointservice.web.app/notebooks/@tomlarkworthy/offline/https://storage.googleapis.com/o_tomlarkworthy_toms/backups/notebooks/%40tomlarkworthy/animated-kirigami.tgz/index.html
#
jacky is on a link-spree
#
jacky https://github.com/h2non/imaginary looks like something that can go with benmorris's imageproxy
#
jacky camo was the name?
#
Loqi [h2non] imaginary: Fast, simple, scalable, Docker-ready HTTP microservice for high-level image processing
gxt and [tantek] joined the channel
#
[tantek] what is trending
#
Loqi Trends is a feature on social media silos that shows the some of the most popular hashtags (AKA Trending hashtags), links, news articles, words, or phrases that are being used or cited in posts, and have been criticized on Facebook & Twitter for being manipulated by bots and/or showing conspiracy theories at the top https://indieweb.org/trending
#
[tantek] ^ aaronpk, jacky, et al that could use a new Brainstorming section with some of the comments you made above about what you want for your personal site
#
[tantek] I also view a "Trending" section on a personal site as pretty funny
#
[tantek] (if that means "which posts have received the most webmentions in the past 24-72hrs", perhaps weighting replies more than quotes more than likes)
#
aaronpk added myself as an example of my monthly archive pages. close enough until we have a "top posts" page or something
#
[tantek] though I'd expect for most folks, that "Trending" list might just show their list of n most recent posts, so it wouldn't be that interesting
#
[tantek] I could see it being interesting for aaronpk, who has A LOT more "recent posts"
#
aaronpk trending tags are interesting too
#
aaronpk like what are the most popular tags i've used in posts recently
#
[tantek] assuming you count backfeeds from Twitter and perhaps HN/Reddit (is anyone backfeeding from those?) as responses on your posts, that could surface when some old(er) post of yours gets picked up on those sites
#
aaronpk especially because when i favorite other posts, if they have hashtags, i pull the hashtag into my own post
#
[tantek] maybe? if you're going to do trends based on content, use all the text content, not just hashtags
#
aaronpk sure but that's a lot harder :)
#
[tantek] (with a stopword list for common terms obv)
#
[tantek] "the" is trending 😄
#
[tantek] "trending tags" has at least one existing presentation: tag cloud
#
[tantek] tag cloud for the past day / week could be interesting maybe?
#
aaronpk https://monkeylearn.com/keyword-extraction/
#
aaronpk everything you ever wanted to know about keyword extraction ^^
#
aaronpk runs away
#
aaronpk it does a decent job on some posts of mine
#
aaronpk wow, Amazon Comprehend does a good job too
#
aaronpk https://ai-service-demos.go-aws.com/comprehend
#
aaronpk now i kind of want to run every post through that and index the results
barnabywalters and alex11 joined the channel
#
aaronpk now i'm thinking of things to put on a "trending" page
#
GWG Wouldn't a 'trending' page be those with the most recent webmentions?
#
jacky it could be
#
aaronpk add some more thoughts here :) https://indieweb.org/trends#Brainstorming
[tantek] joined the channel
#
jacky heh still torn on it
#
barnabywalters back before I used tweetdeck, I switched my trending location to somewhere in russia, so the trending items were in cyrillic and I couldn’t understand them
#
barnabywalters that worked fine except that my partner at the time spoke russian, so I switched it to Kuwait so all the trends are in arabic
#
jacky haa
#
jacky using that as a counter-discovery flow seems to be a popular method for people
#
barnabywalters tbh I’m surprised twitter even lets you change the trending location
#
barnabywalters but then I suppose they keep tweetdeck running, where there are no ads and no timeline algorithm, so who knows what their strategy is
justBull joined the channel
#
sknebel Bhutan doesn't really have trending topics ever
#
barnabywalters ooh that’s a good tip
jamietanna joined the channel
#
jamietanna Re private/friends only just gonna throw out https://www.jvt.me/posts/2020/08/26/static-site-private-posts/ but am also thinking that now I'm on CloudFront I could use Lambda@Edge/CloudFront Functions to render it at the edge, based on someone auth'd to my site in a cookie
#
Loqi [Jamie Tanna] Investigating Solutions for Private/Friends-Only Posts on a Static Website
#
jacky I think I like your last custom solution
#
jacky esp if the static page then just serve as a means of passing the right information to the service that'll then present the final result
justBull joined the channel
#
jamietanna the single-use page-specific authorization code?
#
jacky yeah!
#
jamietanna I feel like UX wise that could get pretty painful i.e. logging in multiple times just to view a few posts, whereas Seb's "log in once and see all in the feed" is nicer for a user
#
jacky I think you can still do that in the service
#
jamietanna but authZ code is probably easiest for a static site!
#
jacky dang okay
#
jacky the more I think about this, the more I'm realizing that it might be kinda impossible to have a solution that works for both static sites and non-static ones
#
jacky like that solution requires changing one's internal representation of content
#
jacky whereas I'd like to aim for a solution that doesn't do that
#
aaronpk static sites really aren't meant for this
#
jacky (it's not a problem - if anything, it makes the problem space smaller!)
#
jacky yeah
[KevinMarks] joined the channel
#
[KevinMarks] Well it's going to have to cheat somehow for static sites by running something somewhere, or you end up in self issued cert land
#
aaronpk even if you have a way to restrict access to individual pages, you'd have to go through a bunch of hoops to make feed pages work in a smart way
#
[KevinMarks] The wormhole trick is neat - put the key in the fragment so the server doesn't see it
#
aaronpk IMO it's just not worth the trouble
#
aaronpk there are already so many issues dealing with adding interactivity to static sites
#
[KevinMarks] https://wormhole.app/security
#
jacky heh I just got an e-mail about someone asking for this on micro.blog
#
jacky hmm there's https://tools.ietf.org/html/rfc8188 mentioned there (w.r.t [KevinMarks]'s mention of a key - said key could be used to decrypt an encrypted page)
#
jacky example response https://tools.ietf.org/html/rfc8188#section-3.1
#
aaronpk IMO you'd be better off building in some smart caching and on-the-fly rendering into a dynamic site
#
jacky yeah that's def the more direct path to something that works
#
jacky hm
#
sknebel yeah, please dont try shoehorn encryption in, that is going to be trouble
#
sknebel sigh, I dont even remember where I put the notes on the last autoauth iteration. argh!
#
[KevinMarks] So you can do it with a lot of client crypto code in js. There are also tricks with service workers, like https://every-layout.dev/ does
#
aaronpk okay again, restricting access to a single page is not the main problem
#
jamietanna also yes... I do need to think about moving away from static as I kinda want things to be as quick as possible
#
aaronpk let's say you've created 3 posts visible to me, and 2 posts visible to jacky, and 10 public posts. when I'm logged in you'd want to show me the 10 public posts and 3 visible to me. jacky would have a different view of that feed, as would anyone not logged in. that means for every feed you'd need to bake N number of versions of it depending on who's viewing it
#
jacky my interest really is for micro.blog, lol (mainly because static sites in the way [manton]'s taken it makes so much sense and simple to scale)
#
jacky oh yeah feed generation for a static site would be gnarly
#
jacky I wouldn't even generate feeds with anything that isn't publicly readable if I was doing this tbh on a static site
#
aaronpk individual posts as protected replies via webmention is much more straightforward
#
aaronpk but if you want to be able to follow someone's posts, there has to be a feed somewhere
#
jacky yeesh hm
#
[KevinMarks] Every layout sends a you a link that populates the service worker cache with the hidden pages, which beat the "you need to pay to see these" versions on the static site.
#
aaronpk or if you want to really flip things on their head, you switch to push delivery of protected posts, that way they can be sent at static site build time. but that's a totally different thing and much more like activitypub
#
jacky okay I'm glad you said that b/c once feeds were mentioned, the concept of individualized 'inboxes' came to mind
#
jacky agh
#
[KevinMarks] This is messy - it's why twitter stopped the "see someone else's view" feature
#
jacky I didn't even know they did that tbh
#
aaronpk you mean facebook?
#
aaronpk facebook had "view your profile as someone else"
#
jacky tbh I would imagine facebook to have a solution for this - kinda have to do this kind of resolving for every post, reaction and what not on view
#
jacky such a hot cache lol
#
barnabywalters whenever I see discussion like this about adding dynamic features to static sites, I always end up thinking “do people really hate PHP so much”
maxwelljoslyn joined the channel
#
maxwelljoslyn from python docs (https://docs.python.org/3.8/library/urllib.parse.html?highlight=urlparse#urllib.parse.urlsplit) I learned of the URI syntax given in RFC 2396 https://tools.ietf.org/html/rfc2396.html
#
maxwelljoslyn which allows query parameters at *each* level in a hierarchical path .... anyone seen that used in the wild, for any type of URI?
Tomlark joined the channel
#
jacky sadly yeah lol
#
jacky mainly for PWAs that are passed in information from an API
#
jacky (like to do quick hydration, pass in a nonce value, etc)
#
jacky the URL was like http://api/web#/wow/okay?this=is&not=cool
#
jacky _BUT_ it is handy since `URLSearchParams` makes that easy to parse
#
jacky is using this for Sele
sparseMatrix joined the channel
#
sparseMatrix been dancing with a pycurl/beautiful soup interaction today
#
sparseMatrix dunno why I got pycurl involved, should just stick to requests.text
#
Tomlark No it's semi colons, that's amazing: http://example.com/pa/th;param1=foo;param2=bar?name=val#frag
#
Tomlark https://stackoverflow.com/a/2163937/862295
#
sparseMatrix @barnabywalters yes, yes I do lol
#
Tomlark "Each path segment may include a sequence of parameters, indicated by the semicolon ";" character."
[girrodocus] joined the channel
#
[KevinMarks] Twitter has with friends view that showed the users posts along with the ones that they followed eg https://web.archive.org/web/20070214143818/http://twitter.com/ijustine/with_friends
#
[KevinMarks] *had
[aciccarello] joined the channel
#
aaronpk ah that's right
#
aaronpk barnabywalters: lol exactly
#
aaronpk it's really diminishing returns with static sites after a point
#
[KevinMarks] Oh, even one of mine https://web.archive.org/web/20080303002719/http://twitter.com/kevinmarks/with_friends
sparseMatrix joined the channel
#
barnabywalters it’d be pretty easy to have a mostly static site where private posts aren’t rendered to publically accessible HTML, and requests to them get routed to a PHP file which handles access control
#
barnabywalters managing the feeds gets a bit more complicated
#
aaronpk right, it's always the feeds that complicate things
#
aaronpk maybe push-based delivery _is_ the right solution
#
barnabywalters when I was considering going semi-static, my plan was to have static monthly archives, and then the main feed would always be dynamic
#
barnabywalters so all public content would still be navigable if the dynamic parts broke or were disabled
#
aaronpk that's cool
#
aaronpk since protecting a single URL is much more straightforward, using a push delivery mechanism to notify your subscribers of the private post could simplify things
#
aaronpk think like a webmention to your home page as a way to get a notification that someone published a new non-public post at that URL
#
barnabywalters activitypub-esque push-based delivery of private content makes a lot of sense, but it doesn’t solve the problem of having private content at an access-controlled URL
#
aaronpk right but that problem is much simpler
#
aaronpk and also has been implemented at least a little bit as described here https://indieweb.org/Private-Webmention
#
aaronpk one benefit of that for static sites is that you could decide you're okay with not actually making things private, just putting them at unguessable URLs, and it would all still work
#
aaronpk also note that i'm not proposing sending the actual post content in the push payload, just the notification of the protected post at that URL, just like webmention
#
[KevinMarks] So you could have the posts at unguessable urls, and generate a feed that collates them from that per user and finesse with service worker caching
#
barnabywalters yeah, the private webmention draft makes a lot of sense to me
#
aaronpk (i'm also not 100% convinced that latest draft is the best solution, but I did implement it)
#
barnabywalters although I wish it was easier to use asymmetrical encryption for web authentication
#
barnabywalters I already have my GPG public key on my site, I wish that both my browser *and* my personal site could sign requests with my private key, and then consuming sites could fetch my public key and authenticate the requests based on that
#
barnabywalters does anyone know if browser client certs would make this possible? I’m only superficially familiar with them
#
aaronpk browser certs are dead
#
barnabywalters that’s a pity
#
aaronpk there's a new javascript API for dealing with crypto stuff now though, that has promise
#
barnabywalters seems like it’d be a good use of asymmetric encryption
#
aaronpk the key with any asymmetric encryption is you really want the private keys to live in hardware security modules of some sort, and never share the private key with anything else, otherwise you can't really trust it anyway
#
aaronpk the key, heh
#
aaronpk the JS api lets the browser sign stuff with the key, but it doesn't give the javascript access to the key itself
#
barnabywalters but in order to allow my server to also sign requests, it’d need access to the key
#
aaronpk right, which is not a good pattern sorry :)
#
barnabywalters or another key for which the corresponding public key is also discoverable
#
aaronpk you'd want different keys for different purposes
#
barnabywalters yeah, sure
#
aaronpk this is a big topic in the OAuth group right now
#
barnabywalters but it’d still mean that requests from browsers and from servers could be authenticated the same way
#
aaronpk there's also been a new push on the HTTP signature spec (an evolution of the early one mastodon half-adopted-then-abandoned) which is hopefully going to move forward in the HTTP group itself now
#
barnabywalters oh that sounds cool
#
barnabywalters maybe I just have to be patient for a few more years then
#
aaronpk the end goal of that is it'd be built into the HTTP layer of everything, so you'd generate a private key and tell curl about it and it would do the work
#
aaronpk being patient is not the only option! you could participate in the development of the spec too :)
#
barnabywalters and by then I might actually have a day-to-day need to be able to publish private content on my personal site
#
barnabywalters that sounds like exactly what I’ve wanted for years!
#
aaronpk ha
#
aaronpk the good news is the meetings are all virtual right now so it's easy to attend them :)
#
barnabywalters heh
#
barnabywalters not sure I’d have much to offer tbh, but it’s definitely something I’d like to stay informed about
#
barnabywalters I’m trying to imagine how the UI for this would look
[Murray] joined the channel
#
barnabywalters AFAIK there’s not much user-focused vocabulary for the various parts involved in asymmetrical encryption
#
barnabywalters I’ve heard “lock” and “key” for public and private key before, but that only covers the encryption use case, not the signing and verifying use case
#
aaronpk pretty sure it would need to be completely invisible
#
aaronpk like imessage
#
barnabywalters I’m thinking specifically about the flow for setting up a private key on a server which is given similar privileges to the local private key to use to sign browser requests
#
barnabywalters and then for getting both of their corresponding public keys discoverable on your personal site, and managing them
#
barnabywalters I think the concept of delegation fits pretty well to the overall situation
#
barnabywalters i.e. you’re delegating some power to your personal site, and allowing it to do things i.e. fetch private pages on other sites for you
#
aaronpk i would probably flip it around actually, where the server has the main key, and then i can delegate some power to a particular browser
#
aaronpk since i might have more than one browser or switch between them frequently
#
aaronpk in which case, that sounds a lot like OAuth :)
timculverhouse, [chrisaldrich], barnabywalters and [tantek] joined the channel
#
barnabywalters aaronpk: after reading this https://indieweb.org/Private-Webmention#why_is_there_an_extra_step_of_exchanging_an_auth_code_for_an_access_token I still don’t get why the extra access token acquisition step is required
#
barnabywalters if an access code is logged somewhere, then isn’t it exactly as risky as the access token being logged, as it only takes a single HTTP request to exchange one for the other?
#
sknebel if you capture it in the short time it is valid
#
barnabywalters or is the benefit that access codes are much shorter lived than tokens?
#
sknebel yes.
#
sknebel the newer ideas go more into doing a full token exchange at some point and not submitting any codes or tokens that work without further steps
#
aaronpk this is the key: "The authorization code is not requested by the receiver, so you cannot guarantee they will be protecting it if they aren't expecting it"
#
aaronpk in other words, don't go throwing the keys to your house around
#
barnabywalters yeah I got that bit
#
barnabywalters but it’s not the key to your house, it’s more like the key to a box which has the key to your house in
timculverhouse joined the channel
#
aaronpk maybe this isn't spelled out on the page explicitly, but the idea would be that the access token itself could be much longer lived than for this one request, so you could continue to use it for other things later without doing the initial negotiation again
#
sknebel and the key is made out of ice
#
aaronpk it's in https://indieweb.org/Private-Webmention#Verifying_the_Webmention
#
sknebel (that *twang*-noise? that's just an overstretched metaphor, ignore that...)
#
aaronpk lol
#
barnabywalters yeah I did read all the way through
#
barnabywalters (I thought it was a pretty good metaphor)
#
aaronpk so if i'm going to make an access token that lasts for 30 days or something, i woudln't want to just throw that out there into the ether. i'd want to only return it to someone who has explicitly asked for it
timculverhouse joined the channel
#
barnabywalters I can see how that’d be useful, but providing a long lived access token seems a bit out of scope for the private webmention use case, and maybe a bit too powerful?
timculverhouse joined the channel
#
aaronpk it's meant to optimize for sending webmentions between the same people frequently
#
barnabywalters as opposed to, for example, sending a token in the webmention which gives access to only the private source post, for 5 minutes
#
aaronpk IIRC that was an earlier version of it
#
barnabywalters ah okay
#
barnabywalters (and only send the webmention to an https webmention endpoint to make sure it’s protected in transit)
#
aaronpk good lord the first version of that page was published in 2016
#
jacky heh, it's 10 in 5
#
barnabywalters yeah that’d explain the use of barnaby.example as an example URL :D
#
aaronpk 😂
#
barnabywalters aaronpk: where should I look for up-to-date information about HTTP request signing efforts?
#
aaronpk ah now i remember
#
barnabywalters is https://tools.ietf.org/id/draft-cavage-http-signatures-08.html also dead?
#
jacky IIRC this is the stuff used in ActivityPub
#
aaronpk wait no... there's some notes about the timing of the first authorization code since you don't know when the webmention receiver wil go use it
#
barnabywalters because I could easily shoehorn the server-side part of what I want to do into what that draft suggests
#
jacky wait no lol, I'm thinking of something else
#
aaronpk ok i need to make a page on oauth.net that explains the HTTP signature stuff
#
aaronpk it's confusing
#
barnabywalters that’d be great! aaronpk++
#
Loqi aaronpk has 56 karma in this channel over the last year (172 in all channels)
#
aaronpk the cavage draft is what mastodon started with, then added and changed some things to make whatever they're doing now, and people basically have to follow what mastodon does which isn't really in a spec
#
barnabywalters lol, https://docs.joinmastodon.org/spec/security/ links to https://w3c-dvcg.github.io/http-signatures/ which is a 404
#
barnabywalters so yeah, it really isn’t in a spec
#
aaronpk looks like that got moved to https://w3c-ccg.github.io/http-signatures-audit/
#
aaronpk which isn't a spec anymore haha
#
barnabywalters ooh it’s like a widescreen version of the ietf one
#
aaronpk this is the most recent version of the current HTTP signatures draft in the HTTP WG at IETF https://tools.ietf.org/html/draft-ietf-httpbis-message-signatures
#
barnabywalters ah yes, now that looks more like an IETF spec
#
barnabywalters slim and monospace
#
aaronpk fancy version if you want https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html
#
barnabywalters the mastodon signature description seems to be pretty consistent with the old IETF one I linked, except that they say “The signature string is then hashed with SHA256 and signed with the actor's public key.” where I’m pretty sure public key should be private key?
#
barnabywalters and they have a JSON format for the keys
#
aaronpk the cavage spec doesn't say anything about how to get the keys, that's something mastodon added
#
barnabywalters yeah, the cavage spec leaves it very vague, but allows a URL in the keyId field
#
barnabywalters looks like mastodon just built on that in a fairly practical way
#
barnabywalters if a spec doesn’t provide enough detail to be useful, then of course people are going to fill in the gaps themselves
#
aaronpk at some point i should just convert oauth.net to a mediawiki because every time i go try to add a page i find myself wanting to cross-link and inevitably have to add a bunch more pages too
#
aaronpk alright hope this helps sort things out and make this more discoverable https://oauth.net/http-signatures/