#dev 2023-10-23

2023-10-23 UTC
bret and [jacky] joined the channel
#
[jacky]
Was thinking about how to implement the interface for my projects (one day I'll be done) and this part stuck out to me for the dialog tag https://developer.mozilla.org/en-US/docs/Web/HTML/Element/dialog#caveats_of_creating_a_dialog_using_only_html
#
[jacky]
This makes the act of making action dialogues need JS a lot less (maybe zero tbh)
[aciccarello] joined the channel
#
[aciccarello]
The dialog element looks really nice to work with
#
omz13
GWG I did not write a different protocol solution per se. I implemented *all* the components of "Ticket Auth" (viz. Ticket Wanted; Ticket Deposit; Ticket Grant). As there was no concrete specification, but instead a bunch of ideas and proposals floating around that were 90% there but somewhat theoretical in nature and very much not end-to-end, I made some implementation decisions. When implementing my end-to-end and real world solution I fully
#
omz13
documented it as I went, and used appropriate terminology for the sake of my own sanity (because trawling through the various ideas and notes was not my idea of fun) and I called it "Ticketing" because "Ticket Auth" is not a good name; you'll find it at https://github.com/omz13/indieauth-ticketing-dist. I looked at my immediate use cases and Ticketing met most needs, but for one case it did not so I simply used Ticketing as a transport mechanism and
#
omz13
some choreography and called it AC-OBO grant (and that you could consider to be an application layer).
#
rubenwardy
has anyone written a guide on ActivityPub and making a mastodon-compatible server? I vaguely recall someone signing a book contract for that
#
Zegnat
omz13: that is a nice write-up on tickets! Added to my reading list before the upcoming IndieWebCamp in Nürnberg!
[sebsel] and geoffo joined the channel
#
[KevinMarks]
Evan Prodromou got the book contract
#
[tantek]
omz13++ I like "Ticketing" better than "Ticket Auth" and agree with your reasoning.
#
Loqi
omz13 has 1 karma in this channel over the last year (2 in all channels)
#
GWG
The omz13 ticketing proposal goes far beyond the older ticket auth protocol... it tries to address multiple things as opposed to the single aspect...
#
GWG
Re ticketing versus ticket auth, why not just Tickets?
jeremycherfas joined the channel
#
GWG
Like Resource Indicators, PKCE, Device Grant...none of them have -ing
gerben joined the channel
#
[KevinMarks]
I read the Ticketing spec and it is still a bit confusing, especially the stuff about impersonating people. Can you state the user goal earlier?
#
omz13
[KevinMarks] is §1.1.3 not early enough?
#
omz13
GWG normally I don't like using gerunds because non-native speakers can find them difficult; however, Ticketing refers not just to the thing being passed around (the Ticket) but to the active way that it is passed around the various actors, hence Ticketing.
#
aaronpk
"In this case, Carol is playing the role of Felicity who is a feed reader." confused me, why is a feed reader a person?
#
aaronpk
and why is a person impersonating a feed reader?
[schmarty] joined the channel
#
GWG
I'm still back to proposing we go back to the scope of the original proposal and address that, even incorporating new elements to do so before adding new elements as the Ticketing proposal does.
#
GWG
omz13: That's why I'm calling it a different solution... because you added ticket wanted and such and we only originally scoped for ticket offered. I didn't want to try to solve the... asking for a ticket till we solved sending and redeeming one.
#
sknebel
is getting annoying flashbacks to 4-5 years ago :/
#
GWG
sknebel: Oh?
[manton] joined the channel
#
GWG
I'm getting flashbacks to Vouch.
#
[tantek]
aaronpk I agree, tools != people
#
GWG
aaronpk: Could I ask you about the issuer parameter in this https://github.com/indieweb/indieauth/issues/127 as it relates to the property in IndieAuth?
#
Loqi
[preview] [dshanske] #127 Where does the ticket endpoint go looking for the token endpoint?
#
aaronpk
not at the moment
#
aaronpk
today is IETF publication deadline so I am working on some OAuth specs
#
GWG
aaronpk: I'll ask you at a future time then.. good luck with the specs
geoffo_ and AramZS joined the channel
#
[tantek]
aaronpk++ go go go
#
Loqi
aaronpk has 45 karma in this channel over the last year (114 in all channels)
#
[schmarty]
aaronpk++
#
Loqi
aaronpk has 46 karma in this channel over the last year (115 in all channels)
#
[tantek]
aaronpk++ standards++
#
Loqi
standards has 1 karma in this channel over the last year (2 in all channels)
#
aaronpk
in other news, i'm seriously considering shutting off pingback support in webmention.io entirely
#
aaronpk
i don't have a precise number, but i'm pretty sure 99% of them are spam
#
[tantek]
that's worth a blog post as a heads-up and general warning to the broader ecosystem about Pingbacks
#
aaronpk
good idea
#
aaronpk
i will do some representative sampling and spot checking to get better data
#
aaronpk
i am always surprised at the random non-blog websites that are using webmention.io
#
AramZS
Yeah, I would miss that in a bunch of places but I agree there's a lot of spam going through there.
#
AramZS
Maybe there's some better way to detect spam on that front or do you think it's mostly just a lost cause? It's been a while since I turned them on anywhere for the spam reason.
#
rubenwardy
won't webmentions have similar spam issues when it sees wider adoption?
#
[tantek]
rubenwardy, possibly. webmention has some additional measures that pingback lacked. it will depend on the cost/benefit analyses of spammers
#
[tantek]
this is why we already have additional measures in development like the Vouch protocol
#
rubenwardy
what is vouch
#
Loqi
The Vouch protocol is an anti-spam extension to Webmention that can also be used to customize how your site accepts responses from different audiences https://indieweb.org/Vouch
#
GWG
[tantek]: Vouch has been a challenge for us as a community to iterate on
#
[tantek]
GWG, the incentive/need for use-cases has been low, I suspect that will grow over time.
#
rubenwardy
vouch seems like it is more of a whitelist than a spam prevention measure
#
aaronpk
interestingly a lot of the pingback spam is actually from spam wordpress sites
#
aaronpk
rubenwardy: depends on your definition of "spam prevention measure"
#
[tantek]
you can do an allow list for webmention receiving without Vouch
#
rubenwardy
I already manually moderate all my webmentions. I guess I could use vouch to allow some to be published immediately, and continue to moderate the rest
#
GWG
[tantek]: I have something I proposed for my Webmention code to enhance what we have already... have to find time with [pfefferle] to plan
#
[tantek]
what you can't do is a dynamic allow list that includes sites you never heard of, and that's what Vouch enables
#
AramZS
I suspect you could prob do some detection at the level of the webmention.io site as well tho? Something like domain age, domain name, registrar, host checks etc.?
#
[tantek]
rubenwardy re: "could use vouch to allow some to be published immediately, and continue to moderate the rest" YES, very much so a Vouch use-case
#
aaronpk
AramZS: I don't think I want to get into that business
#
[tantek]
GWG, the biggest enhancement I think we need to add is a way to allow multiple vouch URLs
#
aaronpk
sounds like a lot of opportunity for people filing support tickets when things are unexpectedly blocked or unexpectedly let through
#
[tantek]
AramZS, do you know any OSS for doing things like domain age, domain name, registrar, host checks?
#
AramZS
aaronpk: legit concern, I know that can get messy and complicated fast. tantek: I feel like there should be? This sort of check is something that happens pretty frequently in a bunch of different use cases across the web. Domain authority is a frequent anti-spam/anti-fraud measure.
#
AramZS
[tantek]: I don't know of one off the top of my head though. It seems like something the OSS community *should* have, even though all the examples I can think of are private.
#
rubenwardy
webmention.io can always provide a spamminess float 0-1 and let the receiver decide what to do with it
#
aaronpk
doesn't akismet do that?
#
aaronpk
i thought i remembered a service like that but now i can't find it
#
AramZS
I think Akismet does something like that yes, or at least it used to. The last time I dug into Akismet's functioning was pre-Jetpack
#
rubenwardy
oh interesting, it suggests using http://indieweb.org/irc-people as a default vouch url
#
AramZS
There's something like https://www.domcop.com/openpagerank/ I suppose but to your point aaronpk it def isn't a perfect solution and people--especially new sites that might be legit--will likely get into complaining
#
AramZS
It's the same problem with email domain authority. In theory it is a great idea, but in practice it ends up being a difficult barrier for new entrants. I feel like someone must do the work of maintaining something like this for open source use, but other than the above link I'm not sure I've found anything yet. I guess the question is what the tradeoff is, limited function in particular ways that are not great vs not
#
AramZS
working at all.
#
rubenwardy
side note - the wiki really should proxy images rather than loading them directly from people's websites, leaks ip addresses and view times
#
epoch
is there a good method of doing auth against arbitrary fediverse servers?
#
sknebel
for what purpose?
#
aaronpk
not until they add support for indieauth 🙃
#
aaronpk
until then you have to read each project's OAuth docs
#
sknebel
i.e. the mastodon client api is supported by a few other servers as well and has oauth, but it's not universal
#
sknebel
if you just want someone to prove they have an account you could do something with messages over AP as an alternative
#
epoch
I was thinking something in their profile attachments
#
epoch
but I should be able to just take their word for it that they are who they say they are for my use
#
[snarfed]
depends on what "who they say they are" means
#
[snarfed]
for our purposes here, if you don't need to actually make API calls of some kind to the instance, rel-me may be enough, and it's already well known and used in the fediverse
#
epoch
so when you click a follow button or whatever and it asks who you are
geoffo joined the channel
#
epoch
I'm wanting to do one of those
#
epoch
so that I can grab templates from their webfinger response to make the buttons do whatever they want
#
[snarfed]
ohh sure, that's not auth, that's just webfinger and an HTML form
#
epoch
I know remote-actions don't need the auth just to get templates from webfinger, but I figured it might be a good idea if I want to do other things with the acct they provide that should require auth.
#
[schmarty]
jacky - moving here before i set off Loqi in main. a tool to manage a personal GIF reaction store could go really far with a micropub media endpoint plus image / video proxy. definitely need to store that "where'd i get this?" metadata and probably collaborate w/ the media endpoint and proxies to allow quick takedowns in cases like the one you mentioned.
#
[schmarty]
jacky: i'm also curious what features of phanpy you'd like for an indie reader.
#
[schmarty]
i started my own indie reader project over the weekend. look at this hot progress lol https://media.martymcgui.re/50/19/7e/23/5de78c3c48ca76407756bead9e28a902a1f2e630cdadb49242544065.png
#
aaronpk
[schmarty] doesn't even see the code anymore, just sees a note, an article, a bookmark... 😎
#
[jacky]
Ah see having some means of reporting problematic content would be great because I've had to do that manually a few times for my site via embeds and reply contexts
#
[jacky]
Tbh the fusion of multiple hashtags following and its way of signifying network engagement (which also opens the door for a bit of a self care of avoiding viral content) is big for me
#
[schmarty]
Oh those are all interesting!
geoffo joined the channel
#
Zegnat
[schmarty]: that reader is perfect to read the posts on https://sink.zegnat.net/ ! :D
#
capjamesg
I can’t remember if I ever posted to the sink.
#
GWG
By the way, would anyone object if I renamed the Ticket Auth page Ticketing then and did some redirects?
#
aaronpk
what is ticket auth?
#
Loqi
Ticket Auth is an extension to IndieAuth that enables a publisher to send authorization, known as a ticket, that can be redeemed for an access token https://indieweb.org/Ticket_Auth
#
aaronpk
i don't hate that
#
GWG
aaronpk: Which that?
#
GWG
The name change?
#
GWG
I think auth in there is misleading
#
GWG
I'm fine with omz13's suggestion of Ticketing, or the Ticketing extension to IndieAuth as a better one
#
GWG
I'm just looking to see if there is some consensus?
gRegor joined the channel
#
[KevinMarks]
I am being annoyed by event bubbling in js because I can't work out which event to eat. I have a link inside the `summary` of a `details` and an event handler on the link. I want to stop the details being opened too, but I can't work out what kind of event triggers the details to open, so I can call stopPropagation
#
gRegor
I don't know best practices for spec names but "Ticketing" alone sounds pretty generic. Maybe "Ticketing for IndieAuth"
#
GWG
gRegor: That's the full name I'm proposing.
#
GWG
Most of the OAuth extensions seem to be blank for OAuth 2.0
#
gRegor
Scrollback: Akismet returns a true/false for spam or ham. In addition it can return a header `X-akismet-pro-tip: discard` if it's "blatant spam" and it's safe to discard without going in a moderation queue.
#
aaronpk
gRegor: my akismet question was whether it works with only a URL as input rather than comment text
#
gRegor
oh, not afaik
#
GWG
I'm always confused about what constitutes consensus to change in this situation, especially since I'm the only one actively trying to refine the page at the moment.
#
[tantek]
I'm ok with IndieAuth: Ticketing, just as I'm ok with Webmention: Vouch
#
gRegor
I recently finally added the ability to report spam that got through Akismet. Not sure if it's helped yet. I only get 3-5 each week or two. It tends to come in a burst.
#
GWG
Okay, 3-4 person consensus... I'm changing it
#
GWG
I'm redirecting /Ticketing to it as well though to aid in finding it
#
GWG
gRegor: Progress is still something
#
gRegor
I'm going to add some alpha support to my IndieAuth plugin soon so hopefully can help try out some things
#
GWG
I need to get some infrastructure in WordPress in... it has private posts, but no ACL per post...so I need that for this to work.
WeirdWriter joined the channel
#
[snarfed]
this sounds...bold. "The mission of the organization is to serve as the vendor neutral home for the development of open source standards and decentralized technologies to enable mainstream adoption of decentralized IDs, credentials, and digital currency and financial applications...A new standards organization for decentralized technologies, credentials, and open payments."
#
[snarfed]
I assume the IETF would have something to say
#
aaronpk
it's like !standards but for standards orgs
#
aaronpk
!standards
#
GWG
There, that's done.
#
Zegnat
GWG: no ACL per post in WordPress? I thought for sure you could have users that only had access to certain categories? That would not work?
#
epoch
if I do full authentication against a fediverse ID when people enter it on my server, I should be able to then show them posts that are on my server that are meant for them.
#
starrwulfe
[snarfed]: Circle of USDC crypto fame and TBD aka Square aka Block.
#
starrwulfe
They were talking to the Stellar (XLR) people 2 years ago pre-pandemic about something similar to this. Of course the Ether guys thought they'd be the one to do it with the whole .eth thing, but then the crypto-bois got hold of the NFT part and well... you know what happened....
#
epoch
like, they'd be able to see any direct messages I've sent them
#
epoch
so, I still want to do that, but I don't need to today
#
GWG
Zegnat: There is a function to check for whether a user can access a post...and I'll have to hook in on that and tell it where to find the list of users. Then create a UI to set it
#
[tantek]
[snarfed] any one party (or two in this case) can announce a new standards development organization (SDO). notice what's missing: specific implementations from each party that already interoperate from which to form new standards.
#
[snarfed]
yet, maybe. they do explicitly say they're expecting reference implementations from each of (multiple) member orgs though
#
[tantek]
LF is big on reference implementations as a way of doing standards. Obviously many (most?) of us think differently per /monoculture and W3C/IETF avoidance of any one so-called "reference" implementation (because that then implies that source is the reference, not the standard, so you no longer have a standard, you have implementation documentation)
[0x3b0b] joined the channel
#
starrwulfe
Exactly how many standards in this vein do we already have?? Seems like every other year some working group announces this. Especially when crypto went mainstream about 10 years ago.
bterry joined the channel
#
starrwulfe
are there some de facto standards already-- these would stand a chance of becoming THE standard. Just like how FeliCa near-field radio "tapping" became a de facto standard and was open-sourced by Sony and allowed to become NFC-F
#
gRegor
TBD is also the one behind "web5"
#
starrwulfe
LOL at the post. It's just as cynical as I am about this.
gerben and [0x3b0b] joined the channel