#social 2015-04-22

2015-04-22 UTC
#
bblfish Google has huge resoures. Trying to follow them will just allow them to win that game
#
bblfish "large datasets of "serious logical foundations" doesn't sound very *social* to me, which is what this WG is for"
#
aaronpk yes, the point of this group is to make an API for social communications, right?
#
bblfish why do you think that social and logical are not compatible?
#
aaronpk i guess because facebook and twitter dominated the entire space without any concept of it
#
aaronpk turns out peopel want to talk to each other, and people mostly do that with text, whether or not the text is well structured
#
bblfish Facebook is just a centralised blog reader with access control
#
bblfish You are confusing what people do with the tool and how the tool is built
#
bblfish It's a bit like saying "people in large buildings do weird and seemingly illogical things therefore large buildings haved to be illogical"
#
aaronpk no it's not at all
#
aaronpk maybe we can ship an API that describes how people can build a "blog reader with access control"
#
aaronpk that sounds like a good goal, not overly complex, and would allow people to replace the majority of their use of Twitter and Facebook
#
bblfish yes, it is. Facebook is a huge machine built by very advanced engineering. All of the UI is built using JSON and rendered in JavaScript in the browser. None of that uses markup in html. So by your own example that should give you evidence that maruip in html is not the way to go
#
bblfish Thats why I think both rdfa and microforamts are about 20 years ahead of time
#
bblfish you need to seperate the data and the UI
#
bblfish to do anything that can compete with facebook
#
aaronpk you really should check out reader.kylewm.com, it has realtime updates and everything
#
bblfish I get an internal error going to that page
#
aaronpk http://tmp.cweiske.de/phubb-woodwind-xmppbot.ogv
#
aaronpk oh dear, kylewm the logged-out home page of reader.kylewm.com is busted!
#
aaronpk well the video gets the point across anyway
#
aaronpk it's getting pretty close to a facebook-like experience! the "like" button works and everything!
#
kylewm aaronpk: sorry :( fixed now
#
bblfish ok, let me look
#
bblfish ah yes, xmpp. But that's just another complex protoocol where the web could do just as well it seems to me
#
KevinMarks xmpp?
#
elf-pavlik kylewm i tried to do distributed indieauth on http://reader.kylewm.com/ with https://indiecert.net/ and it failed on redirect to non HTTPS :(
#
Loqi aww, cheer up
#
kylewm elf-pavlik: try https://reader.kylewm.com/ ?
#
elf-pavlik 400 Bad Request from https://indiecert.net/auth
#
elf-pavlik some result
#
bblfish I looked at the xmppbot. I suppose the demo is based on xmpp
#
KevinMarks oh
#
elf-pavlik bblfish i can use WebID+TLS certs with IndieCert and distributed IndieAuth!
#
bblfish cool. That's nice
#
elf-pavlik fkooman did some nice work on that
#
bblfish I suppose. I'd have to look at it in more detail
#
bblfish :-)
#
elf-pavlik he also got it working with Nitrokey (former CryptoStick) https://www.tuxed.net/fkooman/blog/indiecert_nitrokey.html
#
elf-pavlik i already have http://nitrokey.com/ on my wishlist (RDF using schema.org goodrelations) one of them and will keep my private key on it
#
KevinMarks did you get to sign in to reader.kylewm.com yet?
#
elf-pavlik bblfish I also look forward to try Linked Data Signatures with keys on a SmardCard using WebCrypto API :D https://twitter.com/manusporny/status/568091383686414336
#
Loqi @manusporny :: Video explanation of how Linked Data Signatures work (JSON-LD + Cryptography): https://www.youtube.com/watch?v=QdUZaYeQblY #jsonld #w3c
#
elf-pavlik aaronpk, with likes from the reader. how do you verify that someone really liked something if you have 100k likes? https://github.com/jasnell/w3c-socialwg-activitystreams/issues/89
#
kylewm elf-pavlik: I wonder if you would try logging in with indiecert one more time?
#
kylewm I changed so that the redirect_uri is https instead of http
#
elf-pavlik kylewm i got same 400 Bad Request but maybe some caching involved?
#
KevinMarks the like sends a webmention pointing to the page with the like on
#
elf-pavlik client_id=http%3A%2F%2Freader.kylewm.com
#
kylewm elf-pavlik: too bad, no there shouldn't be any caching. thank you for trying
#
elf-pavlik KevinMarks I people sign them I can verify it with crypto without network latency if i can cache keys efficiently
#
KevinMarks the recipient then loooks on thta page for a link to them with u-like-of on http://indiewebcamp.com/like
#
elf-pavlik aaronpk any idea where indieauth sets: client_id=http%3A%2F%2Freader.kylewm.com
#
KevinMarks that kind og premature optimisation is why no-one uses Salmon
#
elf-pavlik this one has http not https
#
kylewm elf-pavlik: yeah I can change it to https, I would be surprised if it helps
#
elf-pavlik KevinMarks++ i need to read spec again and brush up on magic signatures :D
#
KevinMarks solve problems of scale once you start to have them; if you try and solve them first you never get there
#
Loqi KevinMarks has 103 karma
#
elf-pavlik KevinMarks I didn't use best example, i encourage you to check out for example Use Cases drafts from Credentials CG
#
elf-pavlik https://twitter.com/manusporny/status/568139303102099456
#
Loqi @manusporny :: A video introduction to verifiable credentials on the Web (JSON-LD + Cryptography + Identity): https://www.youtube.com/watch?v=eWtOg3vSzxI #jsonld #w3c
#
elf-pavlik going to sleep, almost 3AM here @|@
#
elf-pavlik kylewm we can try again tomorrow if you like with this https issues, i can also invite fkooman to check indiecert.net logs
#
kylewm elf-pavlik: ok sounds good. I got it to work for me, but definitely only on https://reader.kylewm.com, not on http://
#
bblfish yes, I need to go to dentist tomorrow morning
#
aaronpk oh the xmpp thing was just to demonstrate a different kind of PuSH consumer
#
aaronpk elf-pavlik: the likes are posted to the individual's website by the reader
#
aaronpk so you could go look at the URL that the author claimed "liked" their post to check
bblfish, Arnaud, shepazu, tilgovi, the_frey, bblfish_ and kasi joined the channel
#
kasi hello. what can i do here?
cwebber2` and danbri1 joined the channel
#
Loqi Pelf made 2 edits to [[Socialwg/2015-05-04]] https://www.w3.org/wiki/index.php?diff=83773&oldid=83748
#
Loqi Pelf made 1 edit to [[Socialwg/2015-05-04]] https://www.w3.org/wiki/index.php?diff=83774&oldid=83773
#
Loqi Pelf made 1 edit to [[Socialwg/2015-05-04]] https://www.w3.org/wiki/index.php?diff=83775&oldid=83774
#
Loqi Pelf made 1 edit to [[Socialwg/2015-04-28]] https://www.w3.org/wiki/index.php?diff=83776&oldid=83747
bblfish joined the channel
#
elf-pavlik trackbot, start meeting
#
trackbot is preparing a teleconference.
RRSAgent joined the channel
#
RRSAgent logging to http://www.w3.org/2015/04/22-social-irc
#
trackbot RRSAgent, make logs public
Zakim joined the channel
#
RRSAgent I have made the request, trackbot
#
trackbot Zakim, this will be SOCL
#
Zakim I do not see a conference matching that name scheduled within the next hour, trackbot
#
trackbot Meeting: Social Web Working Group Teleconference
#
trackbot Date: 22 April 2015
#
elf-pavlik Zakim, this will be SOCIG
#
Zakim ok, elf-pavlik; I see T&S_SOCIG()11:00AM scheduled to start in 8 minutes
#
elf-pavlik RRSAgent, generate minutes
#
RRSAgent I have made the request to generate http://www.w3.org/2015/04/22-social-minutes.html elf-pavlik
#
elf-pavlik RRSAgent, make records public
#
RRSAgent I have made the request, elf-pavlik
harry joined the channel
#
Zakim T&S_SOCIG()11:00AM has been moved to #socialig by trackbot
AdamB and guangyuan joined the channel
#
elf-pavlik trackbot, end meeting
#
trackbot Zakim, list attendees
#
trackbot is ending a teleconference.
#
Zakim sorry, trackbot, I don't know what conference this is
#
trackbot RRSAgent, please draft minutes
#
RRSAgent I have made the request to generate http://www.w3.org/2015/04/22-social-minutes.html trackbot
#
trackbot RRSAgent, bye
#
RRSAgent I see no action items
AnnB, ht, the_frey_, the_frey, tantek, tilgovi and shepazu joined the channel
#
cwebber2` aaronpk: interesting, is oauth basically specified in micropub?
#
aaronpk sorta
#
cwebber2 I ask because we've been debating what to do since the group seems to not want to specify an auth mechannism
#
cwebber2 and in reality it's hard to make interoperable stuff without agreeing on that layer
#
aaronpk micropub expects to be presented with a Bearer token
#
aaronpk how you get that token is not part of micropub, and can be accomplished with OAuth or IndieAuth
#
cwebber2 it looks like it does specify authentication though
#
cwebber2 "Authorization should be handled via the IndieAuth protocol (built on top of OAuth 2.0)."
#
aaronpk authentication yes, using bearer tokens
#
cwebber2 so are we allowing specifying authentication in the specs?
#
cwebber2 I'm confused now, I thought we agreed at the face to face that this was out of spec, which was a confusing decision to me anyway
#
aaronpk hmm I hadn't really considered that would be a problem, but good point
#
cwebber2 but this affects how we construct activitypump
#
cwebber2 personally I think saying "that's out of scope" will make interop... tricky
#
aaronpk i mean you can't have an interoperable spec unless it specifies how to do authentication
#
cwebber2 right
#
cwebber2 I agree aaronpk
#
tantek no I think there's a misunderstanding of scope
#
cwebber2 I think the group basically wanted to avoid another conflict
#
cwebber2 but that might be the wrong decision
#
tantek we're not going to specify as in write a spec for an auth mechanism in the socialWG - we have to reference an existing mechanism
#
tantek in terms of charter scope
#
cwebber2 oh
#
cwebber2 tantek: we did not understand that
#
cwebber2 that's good to know.
#
tantek cwebber2: there's also a desire to avoid conflict yes
#
cwebber2 tantek: thanks for clarifying
#
tantek but it will be inevitable as we consider different proposals
#
tantek which is ok as long as we keep an open respectful dialog going
#
tantek this is inevitable any time there are multiple working approaches to solving a problem
#
tantek hopefully by way of that dialog all of the approaches can be improved
#
cwebber2 tantek: got it, thank you for clarifying the process for us!
#
tantek for example, we're not going to redesign OAuth2 in the WG
#
tantek hoping that various proposals do converge on using *some* OAuth2-like/using mechanism, but maybe that's too much to expect
#
Tsyesika oauth2 is good
#
Tsyesika i'd be for that
#
cwebber2 Tsyesika: maybe we can view what subset of oauth2 indieauth is using and see if there's a way for us to engage in dialogue on that?
#
Tsyesika yeah definitely
#
aaronpk pretty much anything can be called OAuth 2 ;) so that should make everyone happy
#
Tsyesika i was about to go look at indieauth
#
aaronpk turns out OAuth 2 implementations aren't guaranteed to be interoperable
#
cwebber2 tantek: since we just came to know this now I don't think we'll get this fully integrated into our draft next week. It'll probably be a bit vague.
#
Tsyesika we removed the authorization part out of the activitypump draft
#
Tsyesika s/we/i/
#
cwebber2 Tsyesika and I were operating under the mistaken assumption that the group declared it out of scope.
#
cwebber2 that's what we thought we heard at the face to face
#
tantek sorry about that cwebber2
#
Tsyesika no problem tantek
#
cwebber2 at least we know now!
#
tantek I don't know how we can do a write API *without* some form of auth!
#
cwebber2 yeah I agree
#
cwebber2 we were wondering that ourselves ;)
#
tantek sorry I thought that was obvious but apparently we failed to clarify that during the f2f - again apologies
#
cwebber2 no worries tantek, miscommunications happen :)
#
Zakim excuses himself; his presence no longer seems to be needed
#
tantek I have a feeling there's going to be a WebID vs. OAuth2 debate at some point. :/
#
aaronpk well OAuth 2 isn't an identity/authentication protocol, so that might be a short debate ;)
#
aaronpk cwebber2: Tsyesika: the best way to get a sense of how IndieAUth works is to attempt to sign in to https://quill.p3k.io which has a built-in tutorial
#
Tsyesika oh cool thanks
#
cwebber2 thank you aaronpk !
#
cwebber2 tantek: and you are probably right ;)
#
cwebber2 tantek: avoiding that was why I thought the group was saying "keep it out of scope" ;)
#
tantek cwebber2: I believe that was Harry you were hearing keep saying keep it out of scope - because he's been burned by many years of arguing about WebID
#
tantek he knows just how many ratholes that can uncover
#
elf-pavlik aaronpk what do you think about signing data as alternative option to obtaining a Barer token? https://twitter.com/manusporny/status/568091383686414336
#
Loqi @manusporny :: Video explanation of how Linked Data Signatures work (JSON-LD + Cryptography): https://www.youtube.com/watch?v=QdUZaYeQblY #jsonld #w3c
#
elf-pavlik s/Barer/Bearer/
#
aaronpk OAuth 1 used signing for all requests, and there were a number of reasons that method was dropped in OAuth 2
#
elf-pavlik do you have links to more background by any chance?
#
aaronpk checking...
#
cwebber2 tantek: aha
#
aaronpk i suspect most of that discussion took place on the oauth mailing list
#
tantek shudders
#
elf-pavlik actually with https://indiecert.net in practice I use SSL key (similar to WebID+TLS) to get my token?
harry joined the channel
#
aaronpk i'll try to find some citations for that... sadly my book is not published yet but that would be one citation ;)
#
aaronpk off to lunch, back in a bit!
#
tantek aaronpk - has your book been announced?
#
tantek samesies soon
#
harry what book? on indieweb?
#
elf-pavlik harry, have you looked at https://indiecert.net ? it looks like like nice connection between IndieAuth and WebID+TLS, i may try to also demo it very shortly in Paris
#
elf-pavlik https://github.com/linkeddata/SoLiD mentions WebID, WebID-TLS and WebID-RSA
#
elf-pavlik IndieCert also works with Nitrokey (former CryptoStick) https://www.tuxed.net/fkooman/blog/indiecert_nitrokey.html
#
elf-pavlik and implements distributed IndieAuth
#
aaronpk tantek: harry: not yet, but should be announced in a few weeks I think
#
aaronpk i just sent off "marketing materials" to the editor
#
harry Re certs, "Let's Encrypt" (free certs in browser trust chain) plus CertTrans seems to me the way to go. Is IndieCert transparently trusted by the browser?
#
harry If not, it's fine to use but you'll still get the browser errors
#
harry In terms of WebID+TLS, people are not using client certs to authenticate for the above mentioned reason
#
harry and it's in general a bad idea to use client certs with user-data in it sent in the clear is a terrible idea.
#
harry So no vendors to my knowledge want to standardize WebID+TLS. In terms of WebID+RSA, I spoke with deiu over his use of the same key for sig verification and encryption and explained why this is a bad idea, I hope he's fixed that.
#
harry In general, I'd discourage amateur cryptography for any high-value data. Over the next few months the browser vendors will likely push out increasing FIDO support which will solve the authentication issue in a sane way that is compatible both with UX issues and the Web Security model - so I'd like to keep that out of scope for Social WG.
#
aaronpk +1 to discouraging amateur cryptography
#
aaronpk it's bad enough getting people to set up sane HTTPS servers
#
aaronpk oh hey they did get the page up for it now http://shop.oreilly.com/product/0636920037248.do
#
harry Yes, the problem with architecture astronauting is that it encourages amateur crypto-usage, which then it seems certain people get emotionally attached to, despite a relatively sane pushback from industry.
cwebber2` and the_frey joined the channel
#
aaronpk that's a great description
#
aaronpk aaaaaand favorited: http://aaron.pk/f4an2
tantek, bblfish, KevinMarks and the_frey joined the channel
#
elf-pavlik aaronpk++
#
Loqi aaronpk has 777 karma
#
tantek dingdingding - jackpot
the_frey joined the channel
#
elf-pavlik reading http://w3c.github.io/modern-tooling/
the_frey, tantek_, tantek__ and bblfish joined the channel