Loqi[Richard MacManus] It’s early days for decentralized social networks, despite the recent bump in Mastodon users due to Elon Musk buying Twitter. But if you’re a developer looking for the next big thing, what better time to experiment with a platform? The “fediver...
jackybut I do wonder what else could be made app-wise (like if we had the guts of a Micropub client in a very rudimentary form, could people make a distributed tic-tac-toe game? a way to implement 'poking'?)
[tantek]I'm with petermolnar skepticism on the "passwordless" promises. I don't think these folks have actually thought through the user-unfriendliness and unforgivingness aspects of their proposed dependencies on rando hardware bits
[tantek]Even harsher take: what happens when you lose that single-point-of-failure hardware dongle thing? or your phone is stolen (both things I hear happening to friends frequently enough)
[tantek]TBH I don't think the failure modes of all this have been well thought through, except for engineers that spend all their time at home or at their desk. Or post-pandemic, all their time at home.
[tantek]nah, there's well-worn history of a "bunch of technical folks in a room" completely screwing up the usability-in-practice of a proposed new interaction
[tantek]also, all of these phone/hardware-dongle based solution are crap for delegation, like when I went to go on vacation and have someone else handle a *specific* set of accounts for me (not all my accounts), while I still retain direct control of some of my accounts
[tantek]aaronpk, it's a crap response to say "you're not the first to think of these problems". Better would be: here's the FAQ (link) for that problem.
[tantek]and if that FAQ/link is not easily findable? then once again, the folks working on that proposal haven't really done a thorough job. If it's not written down somewhere easily referenceable, then no, they haven't really thought it through.
[tantek]delegation should be done purely by user desiring to do so, without requiring permission of the identity provider OR the relying party, that's the fundamental problem here.
[tantek]these proposals shift that power dynamic to the IdP or RP too much for users to actually be able to delegate as much as they can today using user/pass
[tantek]"They are not recoverable in today’s FIDO model. This presents issues for deploying FIDO at scale to consumers who are constantly moving between devices and updating to new ones."
[tantek]^ that's the blog post I want to see someone write-up. A thorough analysis of how these proposals shift power dynamics, and who benefits (economically, politically) from those shifts.
[tantek]btw this naïveté (or willful neglect) of power dynamics in the identity space isn't unique to FIDO, whenever I’ve asked about shifting power dynamics in discussions of Google’s WebID (nothing to do with RDF WebID), it has also been ignored
walkah[tantek]: at the risk of self-promoting, but in the vein of "lots of people are working on this problem", I'm curious what you think of UCANs (see https://ucan.xyz/ and/or https://github.com/ucan-wg/spec). I/we share a lot of your concerns
[tantek]aaronpk, LMK when you see documentation of these "experts" considering and writing down the "what happens if at an international airport, CBP (or whoever) seizes everything on your person, are they then able to impersonate you because they have your hardware dongle / phone etc. ?"
[snarfed]but it doe still depend on unlocking devices, and afaik it doesn't prohibit passwords or PINS for that. the getting rid of passwords push is more for online accounts than physical devices, since online accounts are where the main threats and drawbacks of passwords are
[snarfed](also if you pose physical coercion for biometrics, that's not far from physical coercion to get you to tell them your PIN or password. it's real, but a pretty extreme situation, and hard to protect against in general)
[snarfed]aaronpk one thing I haven't heard much about is re-enrolling if you lose _all_ your devices, eg phone and computer at the same time. do you know how that works?
aaronpkand that would of course depend on the type of account (consumer gmail acct, corporate account, etc) and for something self-hosted it's no different than forgetting your password anyway
[snarfed]ok! I'll have to read more. curious how account recovery works passwordless (and biometric-less, since they explicitly rule out server-side biometric auth)
aaronpkaccount recovery is already possible without passwords for people who forget their password, so i don't think there's anything particularly new needed
aaronpkor sending a code via SMS, which is why sim swapping can be so dangerous, because in some cases the SMS is all you need for account recovery (takeover)
aaronpkIMO if you care so much about imap then go use an email provider that actually supports imap. and if you can't because you're stuck with gmail, then the problem was using a gmail.com address in the first place instead of your own domain.
[tantek]"that's not far from physical coercion to get you to tell them your PIN or password" --> nah, at least in the US, both legally and in practice, it's VERY FAR
[snarfed]yes! absolutely right, apart from physical force, there are legal differences between whether you can be compelled to disclose/use a biometric vs a PIN
[snarfed]again though, the point was that FIDO doesn't change any of that. with or without FIDO, if you're compelled to unlock your device, authorities can get your data and impersonate you. otherwise, they can't.
[tantek]snarfed, there's also the massive difference that under duress you can reveal a data destructive password, whereas no such equivalent exists for biometrics
[snarfed]again, my point is not password vs biometrics. my point is that FIDO doesn't obviate unlocking devices. FIDO doesn't mean that possession of a locked device gets you access to it.
[snarfed]ok! glad to hear it. just correcting the claim that "if...CBP (or whoever) seizes everything on your person, are they then able to impersonate you because they have your hardware dongle / phone etc. ?"
[snarfed]yeah, the marketing should maybe more clearly distinguish online account passwords vs device unlocking. simple messages are powerful though. tradeoffs.
gRegorA lot of times we ask what the use-case is for things. For schema it seems to mainly be for search engines, and even then it's limited. Contrast with microformats which helps us use social readers, cross-site interactions, etc.
[tantek]notes petermolnar's take on RDF is in our https://indieweb.org/RDF page (which itself could use some gardening to incorporate some of the See Alsos into more structured Criticism (sub)sections)
cybi, chrisaldrich1, jacky, tetov-irc, mlncn, gRegor and [benatwork] joined the channel; jacky left the channel
mlncnSchema Metatag has 25,000 modern Drupal sites using it (that's D8+, which itself has a much smaller install base than Drupal 7). Certainly everyone is just doing it in the hopes of SEO. This module, Schema Blueprint, makes it much, much easier to do that. But the reason i bring it up is not to have Indieweb stuff more Schema.org-ish but because the Schema Blueprint module will be producing Schema.org metatags, RDFa, and JSON-LD??
mlncn? so it's giving the website a deeper understanding of relationships between data, and i thought it might as well be producing microformats where relevant while it's at it
[tantek]interesting. maybe? is this an instance of "if we build it [produce a bunch of marked up data] they will come [parse and do something interesting]" ?
@mountain_ghosts oauth 1.0: all this signing request data is too hard oauth 2.0: [adding JWT and public key crypto and DPoP and PKCE] yes I agree (twitter.com/_/status/1524710178884657153)
superkuh OAuth is for human persons. OAuth2 is for corporate persons.
petermolnar that passwordless future idea is horrible
jacky reading https://thenewstack.io/why-developers-should-experiment-with-the-fediverse/ makes me want to see if there's more things like indiekit but in the vein of https://github.com/immers-space/activitypub-express to let people 'quickly' tinker with IndieWeb standards/protocols
aaronpk the point of the announcement i linked is that the credentials sync across your devices https://fidoalliance.org/charting-an-accelerated-path-forward-for-passwordless-authentication-adoption/
mlncn Has anyone been keeping track of overlap with Schema.org? With https://www.drupal.org/project/schemadotorg likely to make a splash in Drupal it would be lovely to piggyback on its structured data (same anywhere Schema.org is used). (Our wiki page https://indieweb.org/schema.org is a tad dismissive lol)
[tantek] notes petermolnar's take on RDF is in our https://indieweb.org/RDF page (which itself could use some gardening to incorporate some of the See Alsos into more structured Criticism (sub)sections)
[aciccarello] I would probably put that in https://indieweb.org/colophon