#dev 2024-06-25
2024-06-25 UTC
lanodan, ludovicchabant, voxpelli, chenghiz_, Guest1350, ramsey, ttybitnik, barnaby, AramZS and ipv6rs joined the channel
# capjamesg[d] sknebel++ for all the help on understanding wildcards.
[jacky] joined the channel
# [jacky] the approach folks take in Cuba (SIM cards for timed access to the Internet, though all regulated via the US's sanctions on access) that go outside convention has been either being "seeding" news sites or using things like locally hosted forums only available in some shops (that are available over local WiFi)
[schmarty] joined the channel
jonnybarnes joined the channel
# [snarfed] DNS is absolutely difficult, but more and more hosts like http://micro.blog are bundling domain registration and DNS so that users don't have to do it at all
# [snarfed] I dunno, maybe. or we just treat it very practically and say, start with a http://wordpress.com or http://micro.blog or any other subdomain, start actually using a web site and interacting with the IndieWeb from it
# [Joe_Crawford] I think there's absolutely an opportunity for something like that. When I heard what Internet Archive was planning to do as a nonprofit I was skeptical, but they have set up a structure for how it works, how it's funded, and how it can continue that works. A creative institutional structure could do this.
# ptramo[d] The persistence of domain names feels like a technical problem that could « easily » be solved if platforms cared enough to remove that dependency. Use a name for discovery from perishable analog media, references to public keys (including QR codes for long-lived paper), store coordinates in kademlia à la libp2p to resolve a public key to a host. I think that’s roughly how onion domains work already but I know next to nothing about the
# ptramo[d] [edit] The persistence of domain names feels like a technical problem that could « easily » be solved if platforms cared enough to remove that dependency. Use a name for discovery from perishable analog media, references to public keys otherwise(including QR codes for long-lived paper), store coordinates in kademlia à la libp2p to resolve a public key to a host. I think that’s roughly how onion domains work already but I know next to n
# ptramo[d] I genuinely believe if Apple, Google, Microsoft, Mozilla wanted to solve this, domains would become the exception rather than the norm in URIs in no time
# ptramo[d] [edit] I genuinely believe if Apple, Google, Microsoft, Mozilla wanted to solve this collectively, domains would become the exception rather than the norm in URIs in no time
# ptramo[d] [edit] I genuinely believe if Apple, Google, Microsoft, Mozilla wanted to solve this collectively, ICANN domains would become the exception rather than the norm in URIs in no time
# ptramo[d] artlung[d] suboptimal but still better than no edits
# ptramo[d] I could write series of `s/domains/ICANN domains/` to make it a tad easier to understand the intent behind the edits, or I could contribute to the bot to offer `git diff --word-diff`-like outputs, or I could migrate to Slack if things are better the other way around?
# ptramo[d] artlung[d] wait, slack truncates my messages? that seems like a more serious problem
# [Joe_Crawford] I'm not suggesting any kind of technical solution is required. Just pointing out how they appear in Slack (and also in IRC).
# [Joe_Crawford] And yes, _move forward, don't edit_ is how I participate in this chat. If I have something I want to be precise about and edit and revise, for me that means I probably have enough of an opinion about it to be blogging it.
# ptramo[d] OK, I'll revise everything I just said with "see how .onion works, why don't we all .onion to begin with?"
# ptramo[d] (1) same problems as passkeys, being solved by the big platforms
# ptramo[d] (2) which infrastructure do you need? I'm not suggesting we stick to certificate chains or web of trust, if the domain is the public key, it's self-contained?
# ptramo[d] (3) yeah that's entirely on the web browser vendors though, isn't it?
# ptramo[d] BTW, I was wrong, it's not kademlia in the context of tor. need to dig more into it, but seems to be based on https://spec.torproject.org/rend-spec/rendezvous-protocol.html ?
# ptramo[d] the bittorrent DHT is responsible for what, 3% of Internet traffic?
# ptramo[d] what's the I for in PKI, and if it's infrastructure, what infrastructure do you need if the URI contains the public key already?
# ptramo[d] no, the "domain" part of the URI is a public key
# ptramo[d] you don't have to use DNS to look up domains. heck we started without it, and .onion works without it
# ptramo[d] that's what .onion addresses are today, a public key prefix
# ptramo[d] > OK, I'll revise everything I just said with "see how .onion works, why don't we all .onion to begin with?"
# ptramo[d] - generate a keypair, keep the secret key in your cloud-or-seriously-backups-backed keyring
# ptramo[d] I seem to have gotten some of the details of .onion wrong… so. you want to publish something:
# ptramo[d] - your server has a certificate signed with your secret key and the corresponding private key, uses it to announce `(certificate, my public key, my SRV-style records signed with my private key)` in a kademlia where peers verify that such announcements are signed correctly
# ptramo[d] - browser vendors host bootstrap nodes for this kademlia baked into their browsers
# ptramo[d] - publish under `${publicKey}.nodns`
# ptramo[d] - browsers support this `.nodns` scheme by looking up in the kademlia from the bootstrap node, find signed SRV records for the domain, connect there over TLS pinned where the "root" CA for a domain is literally the public key it spells out
# superkuh Just pick a strong hash function for the public key used as address. It should expect to work for decades. torv2 made a mistake and picked a weak hash function that today prefixes can be brute forced for $50 of compute. So they abandoned the entire torv2 web and all the old domains no longer work, all the website hyperlinks are broken, it's just gone, poof.
# superkuh Er, $50k.
# superkuh Not $50.
# ptramo[d] don't hash at all. put a version number in front, 0 for now, and spell out the public key. tweetnacl public keys are 32 bytes, that's 52 characters in base32
# ptramo[d] well 53 with the version number
# superkuh I still host superkuhbitj6tul.onion on the remaining torv2 network but no modern torv3 client in any modern distro's repos can access it.
# ptramo[d] i don't onion, no. I want recruiters to find my stuff, chicken and egg 🙂
# ptramo[d] I did start with "I genuinely believe if Apple, Google, Microsoft, Mozilla wanted to solve this"
# ptramo[d] heck, we could buy a TLD for $100k/yr and operate infrastructure that does the work for browsers that don't, or operate it as a subdomain of whatever
# ptramo[d] heck I could hack https://api.ident.me DNS server to support a scheme like https://ttjqjfky6dorsynsgabarnzn4h4cuvinzwcxzm7dinhybu2tf67ja.ident.me (first t is for tweetnacl, rest of the name is a public key) with registrations/updating by POSTing a DNS zone to https://0pw.me. synergize my hacks 😄
# [tantek] I'm going to go out on a limb and say that $0/domain per year is actually *undesirable* UNLESS it is tied to say, a government provided service (like how healthcare should work) that has CONSEQUENCES for abuse (spam, breaking laws etc.), because anything that costs $0 will and does get abused as we have learned with email
# [tantek] I will also say that IMO that marginal benefit of reducing a domain cost from $5-15/yr down to $0/year is absolutely not worth the opportunity cost. Like if you believe that, go get data SIM prices down to $0 first which enable far more important use-cases for folks than a domain name by itself.
# [tantek] And until then, I think a reasonable goal is to get $/year of domain name cost to be less than the $/year of a data SIM. For most places in the world, $15/year is already there. If not, I want to hear of specific examples (countries, cities) where domain cost per year is MORE than data SIM cost per year
# [tantek] and then for me personally, I believe it is more important to spend time advocating for reducing the per year cost of healthcare to less than $15/year than the cost of a domain to less than $15/year. that's the opportunity cost I see for my time on this issue which specifically makes me also "lose patience pretty fast"
# Loqi It looks like we don't have a page for "passkeys" yet. Would you like to create it? (Or just say "passkeys is ____", a sentence describing the term)
chadsix joined the channel
# jimwins looks like only mention of passkeys in the wiki is on the Web Authentication page.
# jimwins and even that's just to Apple Passkey
# [schmarty] oh hello i missed some Tor talk. I have a .onion mirror of my site. if you visit https://martymcgui.re/ in the Tor browser you should see an ".onion available" button pop up which will take you to http://martymcgfuraocsgy2a25btl5srhifcdud6m4eiphz2mq6fafttwh7qd.onion/
# [schmarty] and yeah .onion addresses are based on a public key.
# [schmarty] Tor is neat. stuff built on Tor is neat. i have seen some pretty rad projects that use it, but none seem to ever get to a level where i could get the people i care about to adopt them.
# [schmarty] like i still cross my fingers for https://cwtch.im/ to get solid funding again. or for https://www.ricochetrefresh.net/ to shop
# [schmarty] *ship
gRegor joined the channel
# thepaperpilot Sounds like something that could be solved via pet names: https://spritely.institute/static/papers/petnames.html
# thepaperpilot Sort of. Petnames are designed to be decentralized
# thepaperpilot Sure, short of. But in practice are you going to change your DNS to any but the established players?
# thepaperpilot Same issue with the fediverse, where it's decentralized in theory but centralized in practice. Petnames are the agentic/client based alternative to names
# thepaperpilot Well if you're trying to become an influencer or whatever and need to be able to put a name on a billboard, you could use (or become) an authority that vouches for who that person is
# thepaperpilot E.g. If apple says we have a social media account and it's called timcook@apple.com, then you can be confident they are actually tim cook from apple
# thepaperpilot And for smaller creators, some "influencers catalog" would allow people to freely register. Sure that entity would have less trust than apple.com, but for an influencer you don't need to verify anything other than that their identity is unchanging. The second you have to trust that identity to have done something specific, the authority on that something should be able to vouch. E.g. a university having a name server that v
# [tantek] right, and we already have had such "influencers catalogs" over the years that allowed people to freely register, e.g. http://Blogger.com, http://Tumblr.com (subdomains) or even Twitter @-names.
# thepaperpilot Fwiw I think with how Twitter is going, you are going to start seeing domains after usernames anyways. A lot of governments and large corporations even already run mastodon accounts that are effectively an authoritative name server (but with the drawback of enforcing how each person on their can use the platform, and not handling the issue of having my multiple authoritative sources being able to vouch for the same identity
# thepaperpilot I'll let you know. I really think it's only a matter of time
# jimwins This sort of goes back to the discussion we were having the other day about identifying non-web resources as a rel="me". If you see @jimw@mefi.social in the wild, will you know it's a Mastodon/Fediverse account? What about @jimw.tmky.us, is that obviously a Bluesky id?
# thepaperpilot It shouldn't matter
# jimwins Sure, but saying it shouldn't matter doesn't mean it doesn't matter.
# thepaperpilot E.g. all of you wouldn't even need an @-@ within the context of this server. I have no need to verify anything about any of our identities to have a casual conversation, so I'd just use your "unverified" self-defined nickname, and my client would auto add that as the nickname and inform me if I see another person with the same name that they are actually different people
# [schmarty] looks like i missed some zooko's triangle discussion and i just have to add: :zany_face:
# ptramo[d] Looking for a reasonable html streaming (à la SAX or not) parser for C, zig, or lua. Currently only to extract link rel=…
# [schmarty] i'm wary of using whether or not something has widespread adoption as a primary metric of whether it is worth considering.
# [schmarty] passkeys seems to be a good example of something that (appears to be) gaining widespread adoption, but no two passkey implementations are the same and there are deep philosophical divides among standards folks and implementors as to whether you should be allowed to even make backups. doesn't sound like a done deal to me!
# superkuh There's always namecoin. There's a decent chance Tor v3 gains arbitrarily named onion services through Namecoin integration soon'ish. There's a proposed implementation on the Tor issue tracker and I've heard it's already partially implemented with certain nightly builds.
# [schmarty] namecoin-- having used namecoin it is a messssss
# [schmarty] if you think it's easy to lose DNS control because of a forgotten renewal, give namecoin a try! expiration happens by counting blocks, which usually* happen every 10 minutes, so i guess "just" :abacus: calculate that out and set a 📆 calendar reminder to open your namecoin wallet and give it a few hours to sync up the blockchain so you can renew :zany_face:
# jimwins Sounds like fun!
# superkuh Not wrong. I managed to lock myself out of a .bit forever by sending a malformed transaction.
# [Joe_Crawford] domains are good, but a little bird icon, or little instagram square, or little X, or a lowercase "f" in a square, or just the text "Venmo" are fine replacements to namespace some identifier. And I do see email addresses on cars for services: fairly often. Plumbers, housekeeping services, other contractors.
# [Joe_Crawford] more hotmail and yahoo usage than I ever would have guessed, but we have the world we have.
# [schmarty] i used namecoin+zeronet to have a .bit site. it was kind of neat but the zeronet community was, uh, not great. and my .bit got squatted the moment it lapsed. zeronet has, i think, collapsed since with the creator going silent. maybe back in 2019?
# [schmarty] my .onion mirror has been pretty good, but as was mentioned earlier, Tor has abandoned the "v2 onion services" domains, so they just don't work anymore. i updated to v3 and it's the ridiculously long .onion URL I shared above.
# [schmarty] i agree that .onion URLs are ugly. but! if there's anything that dining in the US in the early years of COVID taught us, it's that people will scan any old QR codes 😂
# [schmarty] IPFS seems to still be a thing for folks hoping to host decentralized web content. but while the network is content-addressable, they seem to have settled pretty hard on using DNS for having named pointers to stuff!
janboddez, btrem and [dshanske] joined the channel
# jimwins Looks like the company that acquired polyfill.io last year has pivoted to using it to serve up malware. https://sansec.io/research/polyfill-supply-chain-attack
Guest8163, Yummers and sp1ff joined the channel
# [tantek] Original warning from 2024-02-25 https://fosstodon.org/@haubles/111995201660738714
geoffo joined the channel; Yummers left the channel