#dev 2022-04-07

2022-04-07 UTC
nertzy, sebbu, jacky, [timothy_chambe], trig[d], jjuran, [denschub]1, [fluffy]1, [KevinMarks]1, gRegor and mro joined the channel
#
[tantek]1 tl;dr of BlueSky's "Self-Authenticated Social Protocol": trust stuff users sign with their private key per "Using public keys and content-addresses, we can sign content by the user's key to prove they created it." — so yeah, first, assume everyone has public/private keys and tools/infra to use them seamlessly, presto "Self-Authenticated Social Protocol" 🙄
#
[tantek]1 Am I missing something [snarfed]?
#
capjamesg[d] Continued from #indieweb...
#
capjamesg[d] A web crawler could easily find a lot of those h-cards -- something like Google could find most.
#
[tantek]1 Thanks capjamesg[d], much more productive discussion than my above question 😂
#
[tantek]1 capjamesg[d] while at Technorati I helped build an h-card search engine that did that
#
capjamesg[d] I was thinking about this after talking with a friend who isn't an active developer about the IndieWeb.
#
capjamesg[d] People freely give away their information to social platforms. But large-scale aggregation is the kind of thing that might not be perceived well in the news.
#
capjamesg[d] Of course, one can still be pseudonymous.
#
[tantek]1 s/h-card search/hCard search
#
[tantek]1 it was opt in
#
[tantek]1 https://web.archive.org/web/20070703044130/http://kitchen.technorati.com/contacts/tag/1.1.1
#
[tantek]1 ooh here's the front page of the contacts search UI: https://web.archive.org/web/20070703043636/http://kitchen.technorati.com/contact/search
#
[tantek]1 also hCalendar events search: https://web.archive.org/web/20070704010424/http://kitchen.technorati.com/event/search/
#
sknebel and I wouldnt trust "it doesnt have structured markup" as "it wont be crawled and aggregated"
#
sknebel i.e. IMHO the concern is primarily "decide what you want to make clearly public", not necessarily the marking it up?
#
[tantek]1 agreed sknebel. primarily about the content, markup is secondary
#
capjamesg[d] I agree sknebel.
#
capjamesg[d] That was my thought too because there is an entire discipline related to identifying information in documents.
#
capjamesg[d] For me at least, posting something on Instagram feels different than it does on the web.
#
capjamesg[d] Does anyone else feel like this?
#
capjamesg[d] Strangely, I feel I have more control on Instagram than I do on the web. I don't really know why.
#
capjamesg[d] Part of me thinks this is because I know there are so many web crawlers out there scanning and indexing the web but then again that also includes Instagram.
#
capjamesg[d] The idea of a "private" website appeals to me quite a lot.
#
capjamesg[d] But my website is not dynamic and I am not in the mood for a rewrite 😂
#
sknebel :D
#
sknebel for me its more the reverse, I feel e.g. twitter is more "exposed"
Caesar[m] and gRegor joined the channel
#
petermolnar there are solutions for authorization/authentication that work as transparent proxy in front of your content, the simplest being basic http authentication (eg https://httpd.apache.org/docs/2.4/mod/mod_auth_basic.html or https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/).
mro joined the channel
#
[KevinMarks]1 one of the things danah found was that people feel the web is less exposed than facebook, because facebook instantly tells your entire family what you posted, instagram will recommend your new alt account to everyone who knows you
#
sknebel yeah, that plays a role. + immediate feedback, and the amlification to a large audience
#
sknebel (potentially)
tetov-irc and mro joined the channel
#
petermolnar > instagram will recommend your new alt account to everyone who knows you - oh, that is very nice of them.
#
petermolnar Zuckerberg being a somewhat functioning sociopath should really read www.roughtype.com/?p=8724 <http://www.roughtype.com/?p=8724>
#
petermolnar it would help him understand humans
jacky joined the channel
#
@billywhizz1970 ↩️ does anybody use indieauth these days? i played around with it a while back and liked the idea a lot. seems like it would be pretty easy to integrate with something like tailscale, but haven't thought much about possible failure modes/attack vectors. https://en.wikipedia.org/wiki/IndieAuth (twitter.com/_/status/1512029247384301568)
#
capjamesg[d] I am going to experiment with having a private section on my website. Let's see what happens 🙂
mro and jacky joined the channel
#
@mauricerenck Finally the #kirbycms IndieConnector plugin allows you to cycle through the webmention stats: https://github.com/mauricerenck/indieConnector (twitter.com/_/status/1512038478485282820)
mro and Asaf_Agranat[d] joined the channel
#
[timothy_chambe] #Bluesky issues it’s first description of what it’s building….https://t.co/qOe3f2TaAF
#
[manton] Doesn’t mention the IndieWeb directly but it does link to the wiki. Guess that’s a partial win.
#
[manton] I’m worried about complexity (the public-key stuff in ActivityPub is already a pain) but this does sound pretty interesting.
#
jacky yeah tbh I think they're accepting that as a level of complexity since there's a strong focus on low trust comms
#
jacky things like TLS is too 'high-trust' so no use of things like IndieAuth for them (it seems like but doesn't rule it out)
#
jacky and DNS is also too 'high-trust' for them (so that removes anything Web facing - critical for the IndieWeb as it stands)
#
jacky so pkey management prob seems 'easy' for them (lol)
#
[manton] Really curious how this will evolve. Could I support this in Micro.blog in the same way that I support ActivityPub without changing the blogging/IndieWeb/RSS roots of Micro.blog? Dunno.
#
[manton] I have a big problem with this line in the document, though:
#
[manton] > With email, if you change your provider then your email address has to change too.
#
[manton] Custom domain names solves this. True most people just use gmail.com or whatever, though.
#
jacky Yeah and most people tend not to know about that option
#
jacky (which I think is both intentional - free marketing, meant to keep costs down, increases lock-in and probably helps users who aren't the best with credentials)
#
aaronpk there are plenty of people working on public/private key stuff right now, i don't like that twitter is pretending this is something super novel
#
[KevinMarks]1 if mastodon has supported account migration by using 301 redirects like we told them to originally, that example wouldn't work
#
[tantek]1 aaronpk++ exactly
#
Loqi aaronpk has 36 karma in this channel over the last year (142 in all channels)
#
[KevinMarks]1 https://github.com/mastodon/mastodon/issues/177#issuecomment-291688638
walkah joined the channel
#
Loqi [kevinmarks] The way to connect accounts is XFN - rel information on links. You use [rel=me](http://microformats.org/wiki/rel-me) to say "this is also me" and if both urls do that to each other it's confirmed. rel="friend" will do for following (there are other...
#
[manton] Mastodon does support migration now with alsoKnownAs and a “move” verb. I haven’t implemented it yet but probably should. (Wonder if it works for renaming a username on the same instance.)
mro joined the channel
#
jacky the more I read this bluesky doc, the more I keep seeing "smart contracts but wrapping data"
gRegor joined the channel
#
[tantek]1 !meme historyguy: So, "Public Key Cryptography"
#
jeremycherfas Anyone here into OSMap? They are re-starting meetings near me https://osmcal.org/event/1287/ and I would like to know what to tell them to add to the event markup so that my IndieWeb RSVP shows up?
#
[tantek]1 use Meetable?
#
jeremycherfas That might be a stretch as they already have a system in place, but worth a try.
#
[tantek]1 half-joking, my initial guess is that they’re using a wiki-like backend for this which is kinda sorta what we used to do
#
jeremycherfas There is some ld+json in the source, so they're doing that much. No sign of an endpoint thought.
#
jeremycherfas If I am able to go, I will float the idea of doing something. And yes, it does look a lot like a wiki thing of some sort.
#
jacky I wanna do mapping for OSM
mro joined the channel
#
jeremycherfas It is quite fun, and also quite difficult because it is complicated. I like checking entries when I am somewhere and have a few minutes.
#
[tantek]1 [jeremycherfas]++ the folks that contribute to OSM are amazing
#
Loqi [jeremycherfas] has 1 karma in this channel over the last year (7 in all channels)
#
jeremycherfas I don't deserve kudos for the little I do. Though I did update a street near me that went one-way overnight.
#
jeremycherfas is trying to remember why I copied rather than cloned Compass and whether I can fix that easily after the event.
#
[KevinMarks]1 OSM is great. There's an app called Street Complete that asks you about places you pass to correct their signage and road type etc. I've also added various footpaths and so on to it
#
sknebel hm, seems OSMCal doesnt have an authenticated API. which I guess makes sense, given its an Oauth client
#
sknebel (i.e. to RSVP you log in with your OSM account - cant easily give an external client a token then for it. otherwise a bridgy-like thing wouldve been possible)
#
jeremycherfas I use the ios app Go Map
#
jeremycherfas Yeah. I haven't actually added myself as I cannot see a Maybe.
#
sknebel (OSM is also interesting re the discussion of what to expose this morning. i.e. its not impossible to find out my OSM account if you know what to look for, but I havent clearly linked it to me because the editing activity reveals things)
#
jacky yeah true
#
jacky and there's no concept of a 'private' edit on there
#
jacky kinda annoying but it makes sense
#
jacky I would need a private account to fix things near me
#
[aciccarello] Or you just get _really_ active so there's so much editing you can't tell where someone's house is 😉
mro joined the channel
#
jacky lol
#
[aciccarello] jacky, just saw the "now" link on your site header. Very engaging!
#
jacky heh thank you!
#
jacky def a h/t from aaronpk's own clock on his site
#
[aciccarello] I haven't bothered with a /now page yet as I don't think I'd update it often enough.
#
[tantek]1 yeah, seemed like work
#
[snarfed] [KevinMarks] just fyi, looks like kevinmarks.com is now serving a Heroku wildcard SSL cert, which doesn't match your domain. that will cause problems, eg Bridgy webmentions are no longer going through: https://brid.gy/twitter/kevinmarks
#
aaronpk that's why my /now page is entirely automated :)
#
[tantek]1 jacky++ for https://jacky.wtf/thoughts-bluesky-social-protocol
#
Loqi jacky has 27 karma in this channel over the last year (69 in all channels)
#
Loqi Thoughts on BlueSky's "Self Authenticating Social" Protocol
#
[tantek]1 That needs to be IndieNewsed
#
[tantek]1 lol just noticing that BlueSky messed up their date slug with a 3 instead of a 4
#
[tantek]1 the 3-6-2022 here (though actual article was written 4-6-2022) https://blueskyweb.xyz/blog/3-6-2022-a-self-authenticating-social-protocol
#
[tantek]1 what is DRY
#
Loqi DRY is an acroynm for Don't Repeat Yourself https://indieweb.org/DRY
#
aaronpk also wtf that date format
#
[tantek]1 aaronpk, I believe it is "lazy American date format"
#
aaronpk lol
#
jamietanna If you do a /now page and get it on the official site, they tweet out your page regularly, so it's a good reminder to update it :)
#
[tantek]1 made an example of that BlueSky post permalink: https://indieweb.org/URL_design#DRY_violation
#
[KevinMarks]1 [snarfed] I don't have https setup because too many subdomains from different servers, but somehow people link to https anyway
gRegorLove_ joined the channel
#
[KevinMarks]1 I should shave the https yak somehow, but it is a faff
#
Loqi yea
#
sknebel [KevinMarks]1: even on heroku?
#
[snarfed] [KevinMarks] right, but your site recently changed. it used to not serve SSL at all, but now it does, with a cert that doesn't work
#
[tantek]1 is that /HTTPS level -1?
#
[snarfed] heh
#
sknebel (assuming you use paid heroku it seems like they added it by default for setups created after a certain date, but old ones need to update? https://devcenter.heroku.com/articles/automated-certificate-management )
mro and ShinyCyril joined the channel
#
[KevinMarks]1 i use aws for route53, but would need separate certs for subdomains. I can serve my site as www to get around that
#
sknebel hm, shouldnt need DNS changes I thought. but maybe I'm missing something
Ruxton, Jeremiah[d], tracydurnell[d], indieweb-irc-bri, hoenir, balupton[d], capjamesg[d], Nan[d], shaunix[d], wackycity[d], corenominal[d], jacky and laker[d] joined the channel
#
[fluffy]1 I’ve been chatting with some folks from the Resonate music streaming cooperative as one of their goals is to have a music streaming platform as a federated/distributed thing. This thread started out as a critique of Funkwhale (yet another “fediverse” attempt at doing this sort of thing) but then quickly drifted over to IndieWeb-adjacent things: https://community.resonate.is/t/funkwhale/2874
mro joined the channel
#
[fluffy]1 The most interesting thing from it is that they’ve been working on “Co-op Credentials” which is apparently a W3C thing. Does anyone here know anything about it?
#
jacky TIL to me
#
jacky oh wait
#
[fluffy]1 It feels like it’s in a similar space to IndieAuth although it’s based on “wallet”-type identities rather than URL-as-identity.
#
jacky yeah
#
jacky I think this is the progenitor of things like WebID and the like
#
[tantek]1 huh? never heard of "Co-op Credentials"
#
[tantek]1 and jacky, which "WebID" lol
#
[fluffy]1 This post in particular talks about that stuff with some handy links: https://community.resonate.is/t/funkwhale/2874/7?u=fluffy
#
jacky https://github.com/w3c-ccg/w3c-ccg.github.io is what I'm following
#
Loqi [w3c-ccg] w3c-ccg.github.io: COMMUNITY: Landing site for W3C Credentials Community Group.
#
[tantek]1 ah, CCG I'm familiar with. never heard it called "Co-op"
#
jacky https://coopcreds.com/ looks nice
#
[fluffy]1 I don’t really have the mental bandwidth to try to understand yet another distributed identity thing right now but it seemed interesting at a glance and possibly up the alley of folks here.
#
jacky some interesting points made at https://coopcreds.com/the-problems/
#
jacky tbh this feels like some rel=me/asKnownAs and a bit of signed jSON-LD would be good enough here (lol)
#
[fluffy]1 At the very least I’d be interested in supporting it as an auth mechanism in Authl (alongside IndieAuth and the various silo providers it also supports)
balupton[d], hoenir, Jeremiah[d] and tracydurnell[d] joined the channel
#
[fluffy]1 I think they’re trying to support the use case of “I don’t have a homepage or silo identity”
corenominal[d], capjamesg[d], Nan[d], shaunix[d], wackycity[d] and indieweb-irc-bri joined the channel
#
[fluffy]1 or at least not placing trust in the authority of HTML pages.
#
[fluffy]1 but keep in mind I only learned about this literally 15 minutes ago and I haven’t done a deep dive on it 🙂
samhenrigold[d] and hepphepp[d] joined the channel
#
jacky tbh it's not a bad assessment
gRegor joined the channel
#
gRegor Was just playing with the FB Share Debugger. It falls back to `meta name=description`, so I don't think we need this bit on https://indieweb.org/The-Open-Graph-protocol#How_to_set_description
#
gRegor "If for some reason you need to provide a custom summary just for Facebook in particular (e.g. to encourage folks to leave Facebook), you may use og:description like this:"
#
gRegor I think the page used to indicate you could use only meta description
#
gRegor Ah it does, just above where I was looking, hah
#
[tantek]1 key phrase there: "just for Facebook in particular"
#
gRegor I get it now, but it's kind of confusing.
laker[d] joined the channel
#
[KevinMarks]1 it's the partialsilos trick
#
jacky re: h-card and the UK, capjamesg[d]; where were you going with that?
#
jacky 100% going down https://github.com/indieweb/microsub/issues and replying to what makes sense as well as updating my list of things to implement when it makes sense to
mro and ShinyCyril joined the channel
#
[schmarty] jacky++
#
Loqi jacky has 28 karma in this channel over the last year (70 in all channels)
#
[KevinMarks]1 A fix for twitter embed fail https://twitter.com/markjaquith/status/1512156984774213639?s=20&t=2QRUYpgwiOCrmx0BGO7K-g
#
@markjaquith @kevinmarks @film_girl Yep! Unfortunately they use CORS so I had to proxy that check through a Cloudflare Worker. Here's a proof of concept of a Tweet Saver script that only renders tweets that still exist. 404 ones will keep the blockquote. https://codepen.io/markjaquith/pen/gOovNPR?editors=1010 (twitter.com/_/status/1512156984774213639)
dovedozen[d] and jacky joined the channel
#
jacky anyone using a graph database for their site?
#
jacky the more I look into them, it'd make sense for something running Microsub if you wanted to do some more processing on the kind of interactions data can have
Asaf_Agranat[d], jacky, cygnoir[d] and aspenmayer[d] joined the channel
#
Caesar[m] Hey all, hope this is the right place to ask… can anyone tell me what the `p-` and `u-` prefixes on h-card properties are? Doesn't seem to be documented anywhere. I'm guessing a data type because most of the `u-` seem to be URLs, and I also see `dt-bday` which is obviously a date. But I can't think what data type `p-` could be…
#
[tantek]1 they are parsing directives, not data types. see https://microformats.org/wiki/microformats2-prefixes
#
Caesar[m] Ahh thank you!
#
Caesar[m] So `p` for (plain) text, cool 😄
tetov-irc joined the channel
#
Caesar[m] Which tells me that `u-key` must be the URL of a key, not the fingerprint (doesn't seem to be otherwise specified in the docs which it should be)
#
[tantek]1 u-key means parse the property as a URL. either way the result is a string
adstew joined the channel
#
Caesar[m] Right, but if a parser is expected to parse it as a URL, I guess that means the author is supposed to put a URL there...
#
Caesar[m] Though I guess it could still be an `openpgp4fpr:...` URL... 🤔
#
[tantek]1 the author is the one choosing to put "u-propertyname" vs "p-propertyname" so the author is choosing how they want it parsed and thus what they are supposed to do
#
Caesar[m] Oh, so the list at https://microformats.org/wiki/h-card#Properties is not exhaustive?
#
[tantek]1 the list of properties is exhaustive for that vocabulary. which parsing prefix an author uses is up to the author, the ones shown are typical uses, others may have other uses
#
Caesar[m] Interesting! So (for example), could I choose to mark up a PGP key fingerprint as `p-key` rather than marking up a link to a key as `u-key`?
#
jacky yup! and this reminds me to update https://jacky.wtf/contact
#
jacky you could use `p-key` for a fingerprint and then `rel=key` for the actual PGP key
#
jacky (in my case, my PGP key's embedded as a data URI b/c the public key is less than 2k)
#
jacky needs to put his OEMEO keys on there too
#
Caesar[m] Good to know, thanks. I was also thinking maybe `p-key` might be better suited as the full ASCII-armoured key rather than a fingerprint – but I guess maybe either is ok, since it's not even specific to PGP anyway...
#
jacky yup
#
jacky which, in that case, I marked mine as `p-pgp-fingerprint` (which makes adding my OMEMO fingerprint non-colliding lol)
#
Caesar[m] Is that a standard property or something you came up with yourself?
#
jacky I _think_ i got from the wiki
#
jacky lemme check
#
jacky what is pgp
#
Loqi OpenPGP (Pretty Good Privacy) is a message exchange format that uses public key cryptography to enable people to exchange encrypted and/or signed data; on the IndieWeb, you can use PGP to setup your IndieAuth without depending on any silos https://indieweb.org/pgp
#
Caesar[m] I didn't see anything specific to PGP at https://microformats.org/wiki/h-card
#
Loqi Tantek Çelik
#
jacky okay so the linking I got from https://indieweb.org/OpenPGP#Link_to_your_public_key for sure
#
Caesar[m] Yep that bit makes sense
#
Caesar[m] (fwiw apart from my personal interest, the PGP focus is because I'm working on a PR to add h-card markup to Keyoxide)
#
[tantek]1 there is "key" from the h-card (originally vCard) vocabulary but we haven't seen a lot of uptake of consuming code and thus people publishing it
#
[tantek]1 everything else is experimentation at best
#
[tantek]1 https://microformats.org/wiki/h-card notes u-key for linking to a separate standalone public key file "cryptographic public key e.g. SSH or GPG" — I could mention "PGP" there explicitly as well
#
Loqi Tantek Çelik
#
[tantek]1 need to fix the h-entry on microformats specs at least to be about the spec, not the editor
#
jacky Caesar[m]: nice! that'd be a dope consuming case
#
Caesar[m] [tantek]1: Yep I found that, just meant I didn't see anything like jacky 's `p-pgp-fingerprint` that's explicitly PGP (GPG/whatever) versus "any kind of public key"
#
Caesar[m] But also yeah I totally get that there's not much in the way of consuming code (yet!)
#
[tantek]1 and property name is the wrong place to put type information like "pgp"
#
[tantek]1 this is why it's a u-key, to point to a file that can be returned with the right mime type for pgp
#
Caesar[m] Yes, that makes sense
#
[tantek]1 or for p-key, the text value should be properly "armored" (I believe that's the term) to contain discoverable type information for PGP
#
[tantek]1 either way, in no case does it make sense to have "p-pgp-fingerprint" as a standard property. please don't use that
#
Caesar[m] Got it. 👍 Though I'd say a way to mark up a fingerprint would also be useful since it's something a lot of people publish on their sites / contact pages.
#
[KevinMarks]1 https://github.com/markjaquith/stabletweet/
#
jacky yeah - it's a "out of band" check of sorts
#
jacky I think I can put the textual form as the title (like <link rel="key" title="0xabcdefghi" type="thingy/php" href="pgp.asc" />)
#
jacky although that passively becomes 'invisible'
#
jacky so it'd make more sense to put the text of a link whose rel is key and links to the armored public key
#
jacky hmm
#
jacky ah this reminds me
#
jacky h-card transclusion (that's the word I think that makes sense) is what I wanted
gRegor joined the channel
#
jacky this might be more suited for #microformats
#
Caesar[m] I was also considering whether `<link class="u-key" rel="pgpkey" href="openpgp4fpr:..." />` makes any sense (bearing in mind that the `openpgp4fpr` URI scheme has almost zero client support…)
#
jacky tbh I'd just link to it as a URL over the Web (the same tool can fetch it accordingly)
#
jacky (currently embeds but has linked in the past)
#
Caesar[m] Yeah that's what I do on my own site currently
#
jacky the scheme could trip people up
jacky joined the channel