#social 2017-04-25

2017-04-25 UTC
timbl joined the channel
tantek joined the channel
#
@accessiblestef
Webmention - too complicated for me technically, but conceptually great. https://www.w3.org/TR/webmention/ /v @w3c
(twitter.com/_/status/856787678662057984)
tantek, dmitriz, timbl, edhelas and elensil joined the channel
#
elensil
hello :)
#
cwebber
hi
#
elensil
I'm interested to know a bit more about the work currently done by the Social WG :)
tantek joined the channel
#
ajordan
elensil: were you looking for something in particular? or just generally?
#
tantek
good morning #social
#
cwebber
hi tantek
#
ajordan
morning tantek!
#
sandro
trackbot, start meeting
RRSAgent joined the channel
#
trackbot
is preparing a teleconference.
#
trackbot
RRSAgent, make logs public
#
cwebber
it's about that time right?
Zakim joined the channel
#
RRSAgent
I have made the request, trackbot
#
trackbot
Zakim, this will be SOCL
#
Zakim
ok, trackbot
#
trackbot
Meeting: Social Web Working Group Teleconference
#
trackbot
Date: 25 April 2017
#
cwebber
elensil, well, we have a meeting now, it's socialwg participant early but you're welcome to lurk here on irc, could give you a good indication of what we're up to :)
#
tantek
cwebber: yes it is
#
tantek
present+
#
csarven
meeting now??.. did i get my tz wrong?
#
csarven
I thought it'll be in an hour
#
aaronpk
present+
#
tantek
csarven: yes now
#
ajordan
present+
#
csarven
okie dokie
#
ajordan
probably
#
tantek
present+ eprodrom
#
tantek
Zakim, who is here?
#
Zakim
Present: tantek, aaronpk, ajordan, eprodrom
#
Zakim
... lambadalambda, aaronpk, bigbluehat, mattl, trackbot
#
Zakim
On IRC I see RRSAgent, tantek, elensil, timbl, dmitriz, ajordan, wilkie, ben_thatmustbeme, KjetilK, dwhly, bitbear, rhiaro, csarven, wseltzer, raucao, sandro, cwebber, Loqi, jet,
#
cwebber
present+
#
csarven
present+
#
cwebber
I can scribe
#
tantek
chair: tantek
#
rhiaro
present+
#
tantek
scribenick: cwebber
#
sandro
present+
#
sandro
Zakim, who is here?
#
Zakim
Present: tantek, aaronpk, ajordan, eprodrom, cwebber, ben_thatmustbeme, csarven, rhiaro, sandro
#
Zakim
On IRC I see RRSAgent, tantek, elensil, timbl, dmitriz, ajordan, wilkie, ben_thatmustbeme, KjetilK, dwhly, bitbear, rhiaro, csarven, wseltzer, raucao, sandro, cwebber, Loqi, jet,
#
Zakim
... lambadalambda, aaronpk, bigbluehat, mattl, trackbot
#
cwebber
tantek: let's get started with first item, which is to review minutes from last week, had a brief telcon to discuss activitypub issues
#
cwebber
tantek: let's see what the rest of the folks who were here, see if the minutes are good
#
dmitriz
present+
#
sandro
waves to dmitriz !
#
rhiaro
waves to dmitriz!
#
ben_thatmustbeme
needs to remove the DRAFT header and we usually remove the footer stuff too
#
cwebber
would it be safe to do PROPOSED now?
#
cwebber
#
aaronpk
i can do that
#
cwebber
+1
#
cwebber
was there
#
ben_thatmustbeme
majority of those that were there are here
#
cwebber
TOPIC: next telecon
#
cwebber
tantek: with exception of last week we've done them every other week, that would place next telecon on May 9th
#
cwebber
tantek: how does that sound for folks?
#
rhiaro
I won't be here but y'all can carry on without me
#
cwebber
evan: I think it makes sense
#
cwebber
sandro: I'd propose doing every week
#
cwebber
would prefer every week at this point, but can do every other
#
csarven
can't next week
#
cwebber
evan: could we do half hour every week instead of an hour?
#
aaronpk
can't make next week
#
cwebber
sandro: I don't think we've been wasting time in meetings
#
cwebber
evan: I'm happy to do a full hour I just don't want to take up more of peoples' time than we need
#
rhiaro
we can always finish early if it happens..
#
cwebber
evan: and we are down to one to two specs at this point
#
cwebber
sandro: we only need the people who are there
#
cwebber
sandro: maybe we can wait till the end of this meeting and see how we're doing
#
cwebber
tantek: I'll offer my opinion, the key thing I think is to actually have progress on the things we've made progress on
#
cwebber
tantek: if we don't have a test suite that's ready, a meeting is not going to change that
#
cwebber
tantek: so that's why I have my doubts about meeting every week
#
ajordan
gotta drop out, forgot I had something else right now. sorry!
#
cwebber
tantek: I'd like to allow people to have their time to focus
#
ajordan
present-
#
cwebber
tantek: maybe I should ask chris and aaron
#
cwebber
tantek: do you think it'll be done in 2 weeks? or will it be done in a week?
#
cwebber
aaronpk: I don't think I can guarantee having it done in a week... two weeks yeah
#
sandro
cwebber: Probably two weeks for the test suite, realistically, probably.
#
Zakim
sees no one on the speaker queue
#
Zakim
sees sandro on the speaker queue
#
cwebber
evan: we also need to get implementations done, 2 weeks sounds right
#
cwebber
sandro: if I remember right last week we decided to do breaking changes on ActivityPub
#
cwebber
sandro: and the absolute final deadline for doing breaking changes is 3 weeks from now
#
cwebber
sandro: so there's a lot of deadline pressure
#
cwebber
sandro: maybe we're not doing any more deadline pressure
#
cwebber
tantek: let's at least put up the we need to do in two weeks or three weeks
#
cwebber
sandro: if there are any open issues in AP, we should do it next week
#
cwebber
tantek: why not in two weeks
#
cwebber
sandro: in theory we could do it in two weeks
#
cwebber
sandro: in a four hour meeting in two weeks? some of these take a while
#
cwebber
tantek: here's the other side of that... if we're seeing a rate of normative substantiative issues come in, then it might make more sense to give chris and others more time to wrap them up
#
cwebber
tantek: that was going to be the second question I was going toa sk
#
cwebber
*ask
#
rhiaro
We're using a lot of meeting time talking about scheduling meetings.
#
cwebber
tantek: if we have a high rate of substantiative meeting
#
sandro
*23* open issues need to be closed
#
cwebber
+1 to rhiaro
#
cwebber
tantek: not all these issues need to be discussed in the telcon
#
cwebber
tantek: if editors and people who raised them can resolve them, we can quickly knock them out
#
Zakim
sees sandro, rhiaro on the speaker queue
#
tantek
ack sandro
#
Zakim
sees rhiaro on the speaker queue
#
cwebber
rhiaro: in the interest of this meeting to use this week to do things, can we agree to do a meeting next week and see if we need it
#
ben_thatmustbeme
+1 to schedule it and can always cancel
#
cwebber
tantek: you're right, let's do a straw poll to see
#
cwebber
tantek: just enter into irc
#
rhiaro
+1 all the weeks
#
cwebber
cwebber: I'd prefer a meeting next week
#
sandro
+1 to long meetings for the next three weeks, until all issues are dealt with
#
cwebber
cwebber: all weeks :)
#
aaronpk
i don't mind every week in general, but i can't make next week's call
#
csarven
+1 sandro said.. in the interest of minimising risk. show up for those that need to get their stuff moving.
#
ben_thatmustbeme
do we want to schedule it as an activitypub meeting next week then?
#
rhiaro
i also think it's useful to have more than just core spec people in the meetings for better consensus making, but we can't force people to show up..
#
rhiaro
perspectives etc
#
cwebber
RESOLVED: will hold meetings on may 2nd and may 9th
#
csarven
Same bat channel
#
cwebber
tantek: please try to resolve issues outside of the call on github
#
cwebber
tantek: quick PR update status
#
sandro
but PLEASE try to keep time available after call so we can go long.
#
cwebber
tantek: we do have PRs for AS2 and MicroPub (congrats)
#
cwebber
tantek: any calls for changes or objections?
#
cwebber
rhiaro: we have mostly positive comments (?)
#
cwebber
tantek: we have until may 11th for people to review the PRs
#
cwebber
rhiaro: so that goes to the last one which is WebSub
#
cwebber
tantek: oh ok, can you give us a summary of the end date
#
cwebber
sandro: AP and WebSub don't have deadlines there because they haven't gone to PR yet
#
cwebber
sandro: from the perspective of this, it's only the PR that gives us a deadline
#
sandro
(this = W3C AC Review)
#
cwebber
tantek: last I looked at it I saw a bunch of positive votes saying they like LDN, want to give it their support
#
cwebber
tantek: last I saw we could use a few more AC reps voting on AS2 and MicroPub
#
cwebber
tantek: so if you know member organizations, reach out
#
cwebber
tantek: encourage them to at least say hey, this is a good idea, make this recommendation
#
sandro
https://www.w3.org/Member/ACList List of W3C companies and their representatives
#
cwebber
tantek: they have till May 11th, so
eprodrom joined the channel
#
cwebber
tantek: so that's something everyone can do
#
cwebber
tantek: that's enough on that...
#
cwebber
TOPIC: Websub
#
cwebber
tantek: any comments from the AC on websub and activity[streams]?
#
cwebber
tantek: it didn't sound like it, but figured I'd explicitly ask
#
cwebber
tantek: I assume rhiaro is muted or checking
#
cwebber
rhiaro: no explicit comments
#
cwebber
tantek: we'll assume if they are they're filing them in github, etc
#
cwebber
TOPIC: Social Web Protocols
#
cwebber
tantek: there's been revisions, suggesting publishing new version
#
cwebber
rhiaro: need to pull up changelog
#
cwebber
rhiaro: so I brought all of the websub stuff up to date
#
cwebber
rhiaro: I'd appreciate it if aaron, etc did so
#
cwebber
rhiaro: looked at it
#
cwebber
rhiaro: I also tidied it up a bit
#
cwebber
tantek: aaronpk, julian, did you look at it recently?
#
cwebber
aaronpk: I have reviewed it recently but not specifically for websub, I can go through that
#
cwebber
tantek: ok
#
aaronpk
micropub status PR, this still says CR
#
cwebber
tantek: let's give you a few minutes to do that; we'll come back to social web protocols
#
cwebber
tantek: we'll give a few minutes to do that
#
cwebber
tantek: I don't have any updates on post type discovery, we'll skip for this week
#
tantek
zakim, who is here?
#
Zakim
Present: tantek, aaronpk, eprodrom, cwebber, ben_thatmustbeme, csarven, rhiaro, sandro, dmitriz
#
cwebber
tantek: we don't have julian on the phone do we?
#
Zakim
... cwebber, Loqi, jet, lambadalambda, aaronpk, bigbluehat, mattl, trackbot
#
Zakim
On IRC I see eprodrom, Zakim, RRSAgent, tantek, elensil, timbl, dmitriz, ajordan, wilkie, ben_thatmustbeme, KjetilK, dwhly, bitbear, rhiaro, csarven, wseltzer, raucao, sandro,
#
cwebber
tantek: no, ok
#
cwebber
tantek: chris is minuting and has to do AP ;)
#
rhiaro
I can
#
rhiaro
scribenick: rhiaro
#
rhiaro
puts on her scribing gloves
#
rhiaro
scribing gloves gifted by cwebber
#
rhiaro
tantek: Walk us through the issues. Important ones first
#
rhiaro
cwebber: I've been focussing on the test suite
#
Loqi
[jaywink] #203 Linked Data Signatures + public key URI
#
rhiaro
... this one I'm not going to address what he said, but will discuss in the abstract
#
rhiaro
... this is something that there's a lot of stuff happening in this area, and actual convergence between linked data signatures and jose stuff
#
rhiaro
... so that seems useful to capture because I know we keep getting asked about how to handle signatures
#
dmitriz
(oh, awesome… re convergence between sigs & jose)!
#
rhiaro
... it's non normative
#
rhiaro
... one concern I have is people want us to address it in the spec, which means we'd need it in the test suite
#
rhiaro
... worried this will use a lot of time
#
Zakim
sees rhiaro, sandro on the speaker queue
#
eprodrom
q+
#
Zakim
sees rhiaro, sandro, eprodrom on the speaker queue
#
tantek
ack rhiaro
#
Zakim
sees sandro, eprodrom on the speaker queue
#
tantek
from before
#
rhiaro
... This is something I've been thinking about. I have some concerns.. we already knew the auth stuff was not going to be a permanent recommendation by the end of the group but i feel like this may be one of the things that needs to be updated as fast as possible
#
Zakim
sees sandro, eprodrom on the speaker queue
#
rhiaro
tantek: sounds like a process question
#
tantek
ack sandro
#
Zakim
sees eprodrom on the speaker queue
#
rhiaro
sandro: seems like the best we can do is claim this is a feature that's orthogonal to AP. The way people do auth may change over time. Over here is where you see guidance about what people seem to be currently doing
#
rhiaro
... 'over here' can be managed by the CG, on a wiki page or something
#
rhiaro
... that can reflect our best understanding of what people are doing in practice based on implementation reports and changes over time
#
rhiaro
... if next year something better comes along, it doesn't change AP at all
#
rhiaro
... we just try to give people advice, or point them to a place to help them find out what is going on
#
rhiaro
cwebber: that makes sense
#
rhiaro
... this is in the spec currently, the endpoints section
#
rhiaro
... we got the oauth stuff wrong, we're missing an endpoint
#
rhiaro
... but we do provide endpoints for some of these things
#
rhiaro
... one possible option is to move the auth endpoint stuff to an extension
#
rhiaro
... a wiki page seems like a bad idea
#
rhiaro
... I'm wondering whether we should leave this in the normative part of the spec of giving these endpoints. On the other hand, people need them
#
rhiaro
... But as you said it might not be necessarily correct for the future
#
rhiaro
... Should we include those endpoints actually in there?
#
rhiaro
... or is there a better place?
#
rhiaro
eprodrom: if we're not sure how we're gonna use them I don't see a good reason to include them in the spec
#
rhiaro
... that doesn't seem like we should be throwing things into the spec that we're not actually using
#
rhiaro
... I agree with sandro. I think there is a big advantage to keeping those specs simple without auth being part of it
#
rhiaro
... There are two different kinds of auth that would be required, c2s and s2s, both important
#
rhiaro
... and part of the problem with combining the c2s and s2s in one spec is that we did complicate that a bit
#
rhiaro
... is there a way we could just kick it over to say oauth?
#
Zakim
sees eprodrom on the speaker queue
#
tantek
ack eprodrom
#
Zakim
sees no one on the speaker queue
#
rhiaro
... use oauth2 discovery and there you go?
#
rhiaro
tantek: I completely agree with what Evan just said
#
rhiaro
... specifically the endpoint question
#
rhiaro
... we should only include an endpoint if we are going to define precisely the implementation behaviour for that endpoint
#
rhiaro
... both for the person with the endpoint and the person discovering it
#
rhiaro
... kicking this to an extension or an example spec, ie wiki page or github
#
rhiaro
... if there's some part of a spec where we don't have the precise method defined, we should modularise that out of the spec
#
rhiaro
... saying that as me not as chair
#
rhiaro
cwebber: I have a suggestion on how to handle this
#
Zakim
sees no one on the speaker queue
#
rhiaro
... two sections that reference this. The actor endpoints part. Sounds like there's rough consensus that we shouldn't be defining those cos we'll possibly get them wrong and we can handle that in the CG or external to the AP as this spec process
#
rhiaro
... there's also a whole auth section
#
rhiaro
... I could just keep that there but dilute it heavily
#
rhiaro
... refer to the kind of directions that are possible, and very vaguely say how they might be used
#
rhiaro
... how do people feel about that?
#
Zakim
sees no one on the speaker queue
#
rhiaro
... removing the endpoints and referring to the possible directions but saying to look elsewhere?
#
rhiaro
sandro: why not cut a little more than that, and just say this is out of scope, here's some places you might look for how to do it?
#
rhiaro
cwebber: that's what I mean
#
rhiaro
... we could remove it as a whole header.. currently it's a whole section. We could just move it to the security considerations section just pointing at the things
#
rhiaro
tantek: I like the general approach
#
rhiaro
... How did micropub address this issue in terms of keeping the auth bits orthogonal? I don't quite remember
#
rhiaro
... is there some way to reuse similar text to indicate that it's something that's defined elsewhere?
#
rhiaro
... and point to a couple of specific approaches informally as what other implementations are looking at
#
rhiaro
aaronpk: one, micropub does explicitly say that bearer tokens are used for authentication
#
rhiaro
... that avoids having to have multiple different options. What it doesn't say is how you get the access token, because that's outside of the scope of micropub
#
rhiaro
... that cleans that up
#
rhiaro
... where micropub and activitypub differ is that AP is also a server to server protocol, which means there's untrusted content going between the two, so a bearer token may not be the best approach for that
#
rhiaro
... this doesn't apply for micropub because we're not using it to federate between servers
#
rhiaro
tantek: I have this vague recollection of resolving to use bearer tokens in both? we can reconsider. What do you think of using the micropub approach for the client to server piece of AP?
#
rhiaro
cwebber: we could reuse it, it's a lot more normative in micropub than it currently is in activitypub
#
rhiaro
... in micropub it's much more specifically baked in there
#
rhiaro
... we could try to bake in bearer tokens for c2s, but that doesn't solve the question people are asking the most which is about s2s
#
rhiaro
... we might patch over a part of it, but we're leaving just as big of a gap anyway
#
rhiaro
... at that point i'd like to encourage the bearer token usage and describe how it's done in the more diluted security considerations section that we're talking about
#
eprodrom
q+
#
Zakim
sees eprodrom on the speaker queue
#
Zakim
sees eprodrom on the speaker queue
#
rhiaro
... but I think since the spec does say you have to... we can probably borrow some of it and pull it into the non-normative section that we're talking about here. Would that make sense?
#
rhiaro
tantek: what do you think is right for AP?
#
tantek
ack eprodrom
#
Zakim
sees no one on the speaker queue
#
rhiaro
cwebber: I think that removing the endpoints, have the watered down portion in the security considerations section, and borrowing some of micropub's terminology about how to use bearer tokens is probably the best way forward
#
rhiaro
eprodrom: cwebber, could we instead of taking this call, could we go over how pump.io does this process before we make this decision, and see if that's something we could translate into AP?
#
rhiaro
... pump.io started 4 years ago, uses early versions of oauth2 discovery, but the concepts are still the same
#
rhiaro
... should be possible to point out simply to use oauth 2 discovery or openid connect discovery to make this work
#
rhiaro
... and that should be sufficient
#
rhiaro
... but we'd need to step through it
#
rhiaro
... the other thing is saying 'it may be possible to use these for c2s, along with other auth systems'
#
rhiaro
cwebber: we can talk, do you immediately after this call want to follow up?
#
rhiaro
eprodrom: stay on irc
#
rhiaro
tantek: important issue, time well spent
#
rhiaro
... sounded like we were close to consensus from the group's perspective
#
rhiaro
... eprodrom, would you have any objection to resolving what chris said
#
rhiaro
... remove the endpoints, move the watered down portion of auth to the non-normative security considerations section, and borrow some of micropub's terminology about how to use bearer tokens, with details left up to editor
#
rhiaro
... that's the rough proposal
#
rhiaro
eprodrom: I'd like to more carefully walk through the possibilities for pointing out the features we could use at each stage of the server to server and client to server before we just punt on it
#
rhiaro
... i feel like this will take more work
#
rhiaro
tantek: I'll leave it to the two of you to follow up in the issue
#
rhiaro
... hopefully you'll resolve it in a way the commenter agrees to, or if we need to explicitly approve a proposal we can do that next week
#
rhiaro
... but we're not resolving it now
#
rhiaro
eprodrom: aaronpk, if you're not in a rush at the end of the call if you could stay on with us to discuss that would be helpful
#
rhiaro
TOPIC: SWP again
#
cwebber
scribenick: cwebber
#
cwebber
aaronpk: I have two issues open on it, and I do think they should be addressed before publishing
#
Zakim
sees rhiaro on the speaker queue
#
cwebber
tantek: those are new issues, so instead of discussing them in realtime, I'd like rhiaro to look at them
#
tantek
ack rhiaro
#
Zakim
sees no one on the speaker queue
#
cwebber
tantek: would you be okay with delaying a decision to public next week
#
cwebber
rhiaro: would publishing with these issues be enough to keep a version from november up
#
cwebber
rhiaro: would you object with these issues aaronpk
#
cwebber
aaronpk: I guess I'd be willing to publish even with these issues
#
cwebber
PROPOSED: publish an update to Social Web Protocol with current draft
#
cwebber
tantek: one issue is to note the issues inline, or we could try to do another draft next week
#
cwebber
aaronpk: let's just do another draft
#
cwebber
cwebber: +1
#
eprodrom
+1
#
cwebber
RESOLVED: publish an update to Social Web Protocol with current draft
#
cwebber
tantek: appreciate the update rhiaro, and let's do more rapid updates too
#
cwebber
TOPIC: websub
#
cwebber
tantek: where are we at with normative issues aaronpk ?
#
cwebber
aaronpk: I believe we haven't had any issues come in
#
cwebber
tantek: as in terms of group decision issues, do you have any editorial issues that require republishing?
#
cwebber
aaronpk: one thing that came up two weeks ago, I'm trying to remember if this needs any editing of the text, just gimme a sec
#
Loqi
[kevinmarks] #98 Subscription migration is unclear
#
cwebber
tantek: basically is the editor's draft disparate from the CR
#
cwebber
aaronpk: I don't think there's any difference in the ED right now
#
cwebber
aaronpk: just trying to remember if this issue requires any editorial changes
#
cwebber
aaronpk: I remember it doesn't have any functional changes
#
cwebber
tantek: could you give us an update on the test suite
#
cwebber
aaronpk: no test suite yet, will work on it in the next 2 weeks
#
aaronpk
s/no test suite/no updates on the test suite/
#
cwebber
tantek: ok in the issue of moving forward, we're done with websub issues this week
#
cwebber
tantek: I think we can re-address this next week with whether to update with CR updates
#
cwebber
tantek: that brings us back to AP
#
rhiaro
scribenick: rhiaro
#
Loqi
[annando] #196 How to differentiate between posts and private (direct) messages?
#
rhiaro
cwebber: this is a big ... there's been this whole thread about whether to differentiate between posts and direct messages basically
#
rhiaro
... there has been discussion, but not clear progress since last week
#
rhiaro
... sandro what's your current understanding?
#
rhiaro
sandro: *remembering*
#
rhiaro
... I think I clarified what the issue was and then other people said what the solutions were... but I'm still confused about them
#
rhiaro
tantek: sounds like we need a specific proposal
#
Loqi
[donpdonp] #204 activitypub profile discovery
#
rhiaro
cwebber: this one is shorter, 204
#
rhiaro
... what it sounds like is he wants some sort of way to use a rel link from html to what would be their activitypub profile in activitystreams
#
rhiaro
... I'm not really sure.. the usual way we have this described is that probably someone's homepage uses content negotiation to grab the activitystreams equivalent of what that page is
#
rhiaro
... we could add rel links to a page but that opens up the question of whether we should also add text to the page about whether you have to do further discovery
#
rhiaro
... feels like it would make it more complicated
#
eprodrom
+q
#
Zakim
sees eprodrom on the speaker queue
#
rhiaro
... I'm not against having a way to jump from someone's homepage to their AP profile, but I'm hesitant about having an alternate way for somebody to have their profile linked in addressing or something like that
#
rhiaro
... but I also have not done the most amount of things with rel links of people in this group
#
rhiaro
tantek: I think the same reasoning we used for the security endpoint discovery applies here
#
rhiaro
... if we're not going to have it well defined, we probably should not be adding it
#
rhiaro
... could be done in an extension
#
Zakim
sees eprodrom on the speaker queue
#
tantek
ack eprodrom
#
Zakim
sees no one on the speaker queue
#
rhiaro
eprodrom: chris, this rel="alternate" is a fine way to do it, I think you should respond and say it's a common way
#
rhiaro
... but that it's usually conneg
#
rhiaro
cwebber: do we add something to the spec?
#
rhiaro
eprodrom: no
#
Zakim
sees rhiaro on the speaker queue
#
tantek
ack rhiaro
#
Zakim
sees no one on the speaker queue
#
rhiaro
"To make content available as ActivityStreams 2.0 JSON, one could do so directly when requested with an appropriate Accept header (eg. application/activity+json or application/ld+json), or indirectly via a rel="alternate" type="application/activity+json" link . This link could be to a different domain, for third-party services which dynamically generate ActivityStreams 2.0 JSON on behalf of a publisher."
#
rhiaro
cwebber: No more normative issues
#
rhiaro
... Last week I linked this tutorial with ascii art
#
sandro
+1 amazing graphics !
#
rhiaro
... somebody provided amazing vector graphics to replace the ascii art
#
rhiaro
... I'm thinking of putting the tutorial with those graphics at the top of AP as a short introduction to all the concepts
#
rhiaro
tantek: this is an editorial change as far as I'm concerned
#
rhiaro
cwebber: right
#
eprodrom
q?
#
Zakim
sees no one on the speaker queue
#
rhiaro
tantek: up to rhiaro and sandro to deal with contributor agreement stuff
#
rhiaro
cwebber: they just need to indicate that it's okay to be the same copyright
#
rhiaro
tantek: congrats with 0 normative issues!
#
rhiaro
... goal to publish new cr next week
#
rhiaro
... Any other items?
#
Zakim
sees no one on the speaker queue
#
rhiaro
... See you next week, great work
#
cwebber
o/
#
eprodrom
cwebber, aaronpk : let's stay on the channel
#
aaronpk
cwebber: eprodrom: I will brb, need to make another coffee
#
tantek
cwebber++ for minuting!
#
Loqi
cwebber has 7 karma
#
aaronpk
give me like 3 minutes
#
tantek
rhiaro++ for minuting
#
Loqi
rhiaro has 139 karma in this channel (255 overall)
#
wilkie
cwebber++
#
Loqi
cwebber has 8 karma
#
eprodrom
I'd like to walk through the flows that we might need to execute to get some basic tasks done
#
cwebber
eprodrom, sounds good
#
wilkie
rhiaro++
#
Loqi
slow down!
#
tantek
trackbot, end meeting
#
trackbot
is ending a teleconference.
#
trackbot
Zakim, list attendees
#
Zakim
As of this point the attendees have been tantek, aaronpk, ajordan, eprodrom, cwebber, ben_thatmustbeme, csarven, rhiaro, sandro, dmitriz
#
trackbot
RRSAgent, please draft minutes
#
RRSAgent
I have made the request to generate http://www.w3.org/2017/04/25-social-minutes.html trackbot
#
trackbot
RRSAgent, bye
#
RRSAgent
I see no action items
#
cwebber
eprodrom: it's tricky also because we need to actually put these workflows into the test suite
#
rhiaro
dmitriz maybe wants to stick around for auth discussions. dmitriz knows lots about openid connect, eprodrom, cwebber :)
#
cwebber
....
#
dmitriz
@eprodrom / @aaronpk / @cwebber — I’d love to join in on the s2s auth conversation (I’ve been implementing s2s auth using oauth2/oidc for the last several months)
#
cwebber
hopes eprodrom reappears
#
rhiaro
wow did evan forget
#
tantek
aside: cwebber I took a quick look at https://github.com/w3c/activitypub/issues and take your word for it that none of those require normative changes, however it would be good to process as many of those as possible (even for editorial changes to AP) for next week
#
cwebber
tantek: there's a lot of them with normative changes, but which we discussed last week and I didn't resolve yet
#
cwebber
we came to resolutions
#
cwebber
but they weren't incorporated
#
tantek
see how close we can get that 23 to 0 as it were for the next CR draft
#
tantek
resolutions in the issues at least?
#
cwebber
tantek: yes I think I recorded them
#
tantek
but not yet incorporated into the draft?
#
cwebber
yep
#
cwebber
tantek: was focusing on the test suite
#
tantek
if you could add "commenter satisfied" to the ones where the issue filer was ok with the resolution, that would be great too
#
tantek
I think we have a label for that
#
tantek
hmm did we lose eprodrom?
#
sandro
yes, I just pinged him on fb, too, no answer yet
#
dmitriz
i think he said he’s grabbing coffee?
eprodrom joined the channel
#
ajordan
dmitriz: that was Aaron I think
#
eprodrom
cwebber, aaronpk : are we stepping away for a couple of minutes?
#
cwebber
hi eprodrom, welcome back
#
eprodrom
thanks
#
tantek
cwebber, for next week, I'd say priority 1 is the updated AP CR (with all necessary normative changes and as many editorial changes as possible for open issues), and then priority 2 test suite
#
cwebber
tantek: kk
#
cwebber
eprodrom: I think aaron was grabbing test suite
#
cwebber
er
#
cwebber
grabbing coffee
#
cwebber
words!
#
eprodrom
OK
#
tantek
the more solid we can have this updated the CR the better!
#
eprodrom
cwebber: I'm going to come right back then
#
tantek
yes, all the words :)
#
tantek
thanks cwebber
#
ajordan
cwebber: if I have some extra time I can go through and send PRs for some of the editorial stuff; would that be helpful?
#
cwebber
np, thanks for chairing tantek
#
tantek
cwebber, our goal for this next CR is to not have to have another CR with normative changes :)
#
ajordan
sorry I missed today, will read the logs
#
cwebber
ajordan: yes that'd help, maybe ping me on irc with which ones you're hopping on first so I have a heads up and we don't duplicate efforts?
#
ajordan
cwebber: sure
#
ajordan
gonna do the Activity Vocabulary reference one right now
#
aaronpk
eprodrom: cwebber: what's the goal here for this auth discussion?
#
cwebber
aaronpk: I think "don't get the recommendations for what to do with oauth in the security considerations section wrong, even better, give something usable" :)
#
cwebber
I also want to leave in the possibility of signatures via LDS or etc, even if not specific
#
cwebber
because this is the #1 requested feature from existing federation systems
#
cwebber
so we don't have to be specific, I just want to reference it at least
#
cwebber
but I guess I don't need others to leave that vague part in there
#
aaronpk
is there a particular issue this discussion is happening on already?
#
dmitriz
speaking of signatures, I have a general auth question. if the specs are using so many components of oidc (oauth2, discovery, signatures), why not use oidc directly?
#
eprodrom
I'd like to step through some of the flows and make sure we can point to OAuth 2.0 specs that deal with them
#
tantek
cwebber, if you can leave it orthogonal enough that a separate spec can "plug in" to the AP spec to make this work, that would be ideal
#
tantek
(as far as goals go)
#
cwebber
tantek: +1
#
eprodrom
Nobody has to be part of this and if you'd rather handle it in an issue happy with that, too
#
aaronpk
OAuth 2 is really only going to be useful for the client-to-server part, since OAuth is about an application obtaining authorization on behalf of a user
#
tantek
(perhaps even more than one spec if there are groups of implementers that are exploring different possibilities, that's ok too - from our perspective for AP)
#
aaronpk
Bearer Tokens are used by OAuth 2, and can also be used by ActivityPub
#
eprodrom
aaronpk: there's 2-legged authentication too
#
eprodrom
At least in 1.0
#
aaronpk
eprodrom: that's still client-server tho!
#
eprodrom
That's what pump.io depends on
#
tantek
ducks out of the OAuth details :)
#
eprodrom
aaronpk: fair enough
#
dmitriz
oauth2 is very much usable for server to server
#
aaronpk
dmitriz: if you're talking about oauth2 bearer tokens then yes sure
#
tantek
considers getting some popcorn
#
cwebber
dmitriz: we resolved to not be super specific about the auth stuff in this group aside from a general recommendation of bearer tokens given the amount of churn happening
#
dmitriz
not just bearer tokens (which I’m generally against, since they’re only one step away from signed id tokens, which are much more secure)
#
eprodrom
Damn
#
cwebber
dmitriz: so right now the state in AP will be that we're going to recommend loosely a route for auth stuff in activitypub's security considerations section, but it won't be pinned down as normative
#
aaronpk
you could also wrangle a way to have the oauth2 authorization process involve users at both ends, but that's not really what it was made for
#
dmitriz
but s2s auth is possible if both servers are essentially peer nodes, both identity providers & clients. and dynamically register with each other
#
aaronpk
so the security implications of that aren't really well thought through for that use case
#
eprodrom
wow
#
eprodrom
lot of chatter
#
cwebber
yeah
#
aaronpk
auth is fun!
#
dmitriz
i’m not sure it’s even wrangling, though
#
cwebber
eprodrom: ok, I want to hear what pump does
#
eprodrom
maybe we could step through the flows? Seems like we're getting way ahead of ourselves here.
#
cwebber
yes
#
cwebber
+1
#
eprodrom
Thanks
#
aaronpk
yeah let's start with pump.io
#
eprodrom
Great
#
eprodrom
ajordan: are you still around? Maybe you can refresh my memory on some of this
#
eprodrom
Let's start with a typical client task: posting a new activity
#
ajordan
eprodrom: yea
#
eprodrom
The client only has the identity of the client user
#
ajordan
not super familiar with this stuff but I can try :P
#
eprodrom
in pump.io that's a webfinger ID like evan@example.com
#
eprodrom
but in AP it'd be a URI like https://example.com/evan
#
eprodrom
pump.io uses OAuth 1.0
#
elensil
hey
#
eprodrom
So we need an access token to make a post
#
eprodrom
ajordan: thanks
#
elensil
should I wait for the end of your meeting to ask questions :) ?
#
eprodrom
So the first step is discovering the oauth 1.0 endpoints: getting a request token, making the authorization request, and then turning the request token into an access token
#
cwebber
elensil: yes please, we're having a tricky auth convo
#
ajordan
elensil: probably, sorry
#
eprodrom
pump.io does this using Host Meta discovery
#
elensil
ajordan, that's fine ;)
#
eprodrom
It also has a discovery method for getting a client ID
#
aaronpk
dynamic client registration?
#
cwebber
eprodrom: when pump.io clients continue to communicate with the server, they supply *just* the access token right?
#
eprodrom
which it needs for doing the OAuth 1.0 flow
#
eprodrom
cwebber: correct
#
cwebber
ok
#
eprodrom
cwebber: well, mostly
#
eprodrom
you need the client id and the access token for OAuth 1.0
#
eprodrom
in Oauth 2.0 it's just bearer tokens
#
cwebber
right ok
#
aaronpk
with oauth 1, you also send a signature which is calculated using the client ID and secret
#
eprodrom
Right
#
aaronpk
okay, i think we're all on the same page with that now
#
eprodrom
So that's the main parts of discovery for pump.io, if you're a client trying to post on behalf of a user
#
cwebber
has commentary but will wait until we finish the pump.io workflow
#
eprodrom
I think for AP, you could do the same thing starting out with the user ID as a URI
#
eprodrom
cwebber: go ahead with the commentary, I'm done on this one
#
eprodrom
Otherwise I'd like to step through it for AP
#
cwebber
so it's observable in desktop clients on gnu/linux how the oauth 1.0 workflow is kinda painful, and I tried to figure out if it can be less painful for oauth 2.0 and it still looks painful
#
cwebber
the initial setup
#
dmitriz
which part is painful?
#
cwebber
in pump clients, you're basically redirected to a uri where you authorize, and then you have to copy paste back the token you get into your client
#
cwebber
when I looked at how it could be done through oauth 2.0, the recommendation seems to be "use a redirect uri parameter"
#
dmitriz
oauth2 dynamic registration lifts the need for cutting & pasting
#
aaronpk
there is a lot of work in oauth 2 to address this
#
cwebber
but, that assumes that either a) you have a web server as a client
#
aaronpk
no it doesn't, you can redirect to a native app
#
cwebber
or b) you have the id to set up custom myapp:// type things
#
cwebber
which you don't have on all systems
#
ajordan
cwebber: I think the way you're "supposed" to handle that is by popping up a web view in-app or something
#
cwebber
ajordan: that's also very wonky
#
ajordan
exactly
#
cwebber
embedding a browser is not great
#
eprodrom
So, are we going to fix this?
#
aaronpk
we're not going to fix this, there are lots of people working on this
#
eprodrom
I feel like this UI discussion is a distraction
#
cwebber
ok
#
aaronpk
it's a known problem, and plenty of people are working on it
#
ajordan
ah sorry, that's my fault
#
aaronpk
iOS already shipped a new feature to address it
#
eprodrom
Sweet
#
cwebber
fwiw I think having a signature direction for auth workflows could actually resolve this
#
cwebber
but
#
eprodrom
OK, so, the tricky part with this in pump.io is the client registration
#
cwebber
that's out of scope of this conversation
#
eprodrom
Unlike, say, Twitter, there's not an out-of-band mechanism for getting a client ID
#
aaronpk
with oauth2 you don't really need client registration because you don't even need a client secret
#
aaronpk
at the point that anyone can register a client with no authentication, there isn't a lot of benefit to having the secret at all
#
eprodrom
Right
#
cwebber
yeah client secrets don't make sense for FOSS projects anyway
#
cwebber
anyone can look at pumpa's source code to find out what its client secret would be
#
dmitriz
well wait though
#
eprodrom
Well, sorry kids, but they do
#
aaronpk
and for client_id, just use a URL!
#
dmitriz
for oauth2, you need client secrets for confidential clients
#
eprodrom
In this case, for s2s, we use the client id and secret
#
dmitriz
(ie, server-side apps).
#
eprodrom
That's the 2-legged auth
#
cwebber
eprodrom: ok for *server to server*
#
cwebber
yes
#
aaronpk
we're not talking about server-to-server right now
#
cwebber
for client to server, no
#
aaronpk
we're talking about client-to-server
#
eprodrom
Fair enough
#
aaronpk
we'll get to s2s later
#
dmitriz
k.
#
dmitriz
client registration is still necessary though
#
eprodrom
So, I'm trying to remember how the client registration works in pump.io
#
dmitriz
because it’s essentially the only way to verify public clients (read: in-browser apps, desktop apps, etc)
#
eprodrom
If I remember correctly we used an early version of OAuth 2.0 client reg
#
aaronpk
no, you can use URLs for verifying and identifying
#
dmitriz
registration is the way to get those urls
#
aaronpk
and for the few cases where that doesn't work, again it's a known problem and we're not going to solve it faster than the oauth group is
#
eprodrom
ajordan: thanks!
#
eprodrom
for pump.io, we also use dialback authentication
#
Loqi
Evan Prodromou
#
eprodrom
Basically, it's a way for a server to say "I am this server" and be able to prove it.
#
aaronpk
this sounds like s2s again?
#
eprodrom
Yes
#
eprodrom
But it's the same client registration endpoint
#
eprodrom
OK, so I think that's it for C2S
#
eprodrom
I think for AP, it should be possible to go from a user's URI to a bearer token
#
eprodrom
First, by doing OAuth 2.0 discovery for the endpoints
#
eprodrom
I don't remember if a client id is necessary there
#
cwebber
eprodrom: what do you mean oauth 2.0 discovery for the endpoints?
#
cwebber
oh
#
dmitriz
(this is what we’re doing in solid, fwiw. user’s uri -> token, via discovery)
#
dmitriz
(except using oidc discovery, which is basically a slightly more specified version of oauth discovery)
#
eprodrom
Do you have to do client registration, too?
#
dmitriz
yes
#
dmitriz
dynamic registration, if that helps
#
aaronpk
fwiw PKCE basically makes client secrets unnecessary, and google has already implemented this https://tools.ietf.org/html/rfc7636
#
eprodrom
So, uri -> (optionally client registration) -> (optionally endpoint discovery) -> oauth 2.0 authorization -> token
#
aaronpk
it's their solution to avoiding the use of secrets for mobile apps, while still having the security of avoiding common redirect attacks
#
dmitriz
so, PKCE is useful, but is often overkill for s2s
#
aaronpk
we're talking about c2s right now
#
aaronpk
we'll do s2s later because there's a whole host of different considerations there
#
eprodrom
I think we're done talking about c2s
#
dmitriz
oh, I thought eprodrom said that was it for c2s
#
eprodrom
Is there a part of the flow that isn't specified that we couldn't speak to?
#
dmitriz
sorry bout that.
#
aaronpk
do we have a plan for how to update this in activitypub then?
#
aaronpk
we're not done with c2s until cwebber has a path forward for what needs to change about that section of activitypub :)
#
cwebber
so
#
eprodrom
I think the only part I'd be concerned about is that if my id uri is https://example.com/evan then the host for oauth discovery would be example.com
#
dmitriz
that’s true
#
cwebber
we're describing some pretty complicated workflows
#
cwebber
and we had talked about watering down that section
#
cwebber
now it feels like it's going to actually get way more complex
#
cwebber
which, the reality is
#
cwebber
the implementation stuff is going to be complex
#
cwebber
the question is, where do we put this
#
eprodrom
Security notes section
#
eprodrom
cwebber: so, what I'm more concerned with is having an unimplementable spec
#
cwebber
eprodrom: I'm concerned about this too
#
aaronpk
activitypub can say that it uses oauth2 bearer tokens for c2s authentication, and point to the specs evan just linked for how to obtain that
#
dmitriz
why unimplementable?
#
eprodrom
So let's make sure there's one path through, and that we can describe in about a paragraph how to do this with Oauth 2.0
#
eprodrom
aaronpk: that sounds correct to me
#
aaronpk
and specifically call this out as client-to-server authentication otherwise it gets conflated with s2s
#
eprodrom
The only problem is that some of those oauth 2.0 specs are not yet final
#
dmitriz
which ones?
#
eprodrom
oauth discovery
#
cwebber
eprodrom: this stuff not only needs to be implementable, we actually also need to have it implemented in the test suite... in the next two weeks!
#
eprodrom
cwebber: yes
#
dmitriz
hmm, that’s odd. I didn’t realize that one was still in draft. fwiw, the OIDC discovery is 1.0, out of draft.
#
eprodrom
dmitriz: true
#
cwebber
so also, I'm just going to say that as an individual
#
eprodrom
We'll need to decide whether to go with one or the other
#
cwebber
about 9 months ago I sat down to try to learn how to do these oauth workflows and etc
#
cwebber
and I printed out a ton of docs
#
eprodrom
OK
#
cwebber
and it was one of the worst weeks of my life
#
dmitriz
(in fact, the list of authors on the oauth discovery spec is pretty much the same as the oidc discovery. so I think they just moved on.)
#
eprodrom
I don't know if this is a fruitful path for this conversation
#
eprodrom
Or a good way to use people's time
#
cwebber
what I'm saying is
#
cwebber
I want to have a single paragraph that describes a workflow
#
eprodrom
OK, I will write that paragraph for you
#
cwebber
*without* people having to traverse too many other docs finding out the right ways
#
ajordan
wait why are we discussing this being in the test suite? I thought we were putting this as a non-normative "this is how you'd _probably_ do this" thing in security considerations?
#
eprodrom
Could we move on to S2S?
#
cwebber
yes
#
ajordan
if I missed something during the meeting I'll shut up
#
eprodrom
ajordan: we have to have something in the test suite
#
ajordan
okay. I don't get why but it's not important so let's move on
#
eprodrom
Could be unauthenticated, could be HTTP basic, could be access token acquired out-of-band
#
eprodrom
I'm going to move on to s2s
#
aaronpk
i did out-of-band access token for the micropub test suite
#
ajordan
ohh yeah okay I see
#
aaronpk
eprodrom: one sec
#
aaronpk
just to close on c2s
#
eprodrom
So for pump.io we use 2-legged Oauth 1.0 authorization
#
aaronpk
you'll write the paragraph for cwebber for that section?
#
eprodrom
OK, sure
#
eprodrom
Yes
#
Loqi
[eprodrom] So, uri -> (optionally client registration) -> (optionally endpoint discovery) -> oauth 2.0 authorization -> token
#
eprodrom
If that's OK with everyone, it seems like the right direction to go
#
cwebber
thank you eprodrom :)
#
eprodrom
No problem
#
cwebber
+1
#
aaronpk
okay great
#
eprodrom
So let's go to S2S
#
aaronpk
TOPIC: server-to-server authentication
#
eprodrom
[12:48] <eprodrom> So for pump.io we use 2-legged Oauth 1.0 authorization
#
eprodrom
Let's say a pump.io server needs to deliver an activity to the inbox of a user on another server
#
aaronpk
to clarify, that's basically using just the application's credentials right?
#
eprodrom
Yes
#
aaronpk
no user involved in obtaining a token in that flow
#
eprodrom
so, example.net is delivering an activity by evan@example.net to the inbox of jane@example.com on example.com
#
eprodrom
aaronpk: it's too hard to do
#
dmitriz
what is?
#
aaronpk
what? sorry i was just clarifying what 2-legged means
#
cwebber
bipedal
#
cwebber
(sorry)
#
eprodrom
I took the expedient of saying "If it's from example.net, and they say that it's by evan@example.net, it's probably actually by evan@example.net"
#
ajordan
cwebber++
#
Loqi
cwebber has 9 karma
#
dmitriz
are there signatures involved?
#
eprodrom
You could make a case for saying, "No, evan@example.net has to authenticate to example.com and the delivery should happen with that token"
#
dmitriz
as in, does example.net sign it?
#
eprodrom
But that's really tedious
#
eprodrom
dmitriz: Oauth 1.0 2-legged authentication
#
aaronpk
so there's an implicit trust that example.net can act on behalf of evan@example.net
#
eprodrom
So yes
#
eprodrom
aaronpk: yes
#
dmitriz
it’s tedious, but isn’t it kind of necessary? (for evan to authenticate to example.com) at very least, evan needs to consent to that trust relationship the first time that server is encountered?
#
eprodrom
Anyway the flow works kind of like this:
#
eprodrom
dmitriz: I think that's asking too much
#
dmitriz
go on, re work flow
#
eprodrom
If every time someone from somerandomserver.example follows me, I have to go authenticate to their server to allow delivery of activities, that's a big pain
#
dmitriz
oh, agreed
#
eprodrom
OK, thanks
#
dmitriz
I assume you allow that server once.
#
eprodrom
So, for delivery, flow goes something like this:
#
eprodrom
discovery via hostmeta -> client registration with dialback authentication -> 2-legged Oauth 1.0 authentication for delivery
#
eprodrom
I'm a little foggier for what we'd do for AP S2S
#
dmitriz
just to be clear, who is authenticating in that last 2-legged step?
#
aaronpk
the server
#
aaronpk
example.net
#
eprodrom
example.net server
#
dmitriz
k
#
aaronpk
proving that the later request came from it
#
eprodrom
Right
#
dmitriz
makes sense. what’s the difficulty for s2s for AP?
#
eprodrom
Well, I guess we'd do client registration the same way
#
dmitriz
yeah!
#
dmitriz
the servers just register with each other as clients
#
aaronpk
you can do the same client registration step, resulting in a bearer token which is then used when delivering activities
#
eprodrom
But
#
eprodrom
Is there a callback mechanism in OAuth 2.0 client registration?
#
dmitriz
there is
#
dmitriz
one sec
#
eprodrom
Or some way of knowing that the client registration came from example.net
#
aaronpk
i don't see anything in http://openid.net/specs/openid-connect-registration-1_0.html#RegistrationRequest which is where i'd expect to find it
#
dmitriz
ah, well, so, with oidc registration, the callback happens not at registration but at code exchange (getting the access token) step
#
aaronpk
oh interesting. where's that documented?
#
dmitriz
it’s postponed till that
#
dmitriz
should be just in the authorization code workflow
#
dmitriz
lemme find link
#
aaronpk
sorry there are like a dozen oidc docs so i don't always know where to look
#
dmitriz
yeah I hear you there
#
dmitriz
specifically...
#
aaronpk
but that involves a user
#
aaronpk
how does it work if there is no user, just a server authenticating?
#
cwebber
so
#
cwebber
this is why the diaspora and ostatus users from mastodon and etc want signatures I think right?
#
cwebber
because if you had a key tied to a user
#
cwebber
you could sign the message before shooting it over the wire
#
aaronpk
dmitriz: but again that involves a user at a browser
#
cwebber
and if the server can look up the user's key once
#
cwebber
it can verify posts coming over the wire
#
cwebber
and that's already how diaspora does it
#
aaronpk
what eprodrom is describing is a server-to-server mechanism for verifying the token request came from the server
#
aaronpk
which is pretty clever
#
dmitriz
the user at the browser part is not necessary for s2s
#
eprodrom
blushes
#
dmitriz
and yes, oidc relies on signatures on both sides
#
dmitriz
and the key discovery mechanism
#
aaronpk
you can't do an HTTP Location redirect without a user
#
dmitriz
I think there’s a POST response type also
#
dmitriz
but let's step back
#
aaronpk
i just don't see anything oidc that provides the same functionality
#
dmitriz
what’s the core meta-question? how do the two servers verify each other?
#
aaronpk
well there are essentially two different ways that this delivery request can be authenticated.
#
eprodrom
dmitriz: yes
#
eprodrom
Well, one-way
#
aaronpk
either the request includes something that can be used to prove the user created the request themselves, or that can be used to prove the server created the request and then you trust that the user's host can act on behalf of the user
#
eprodrom
Presumably example.net already knows that example.com is example.com
#
aaronpk
sounds like what pump.io did is the latter, with the dialback verification to establish an access token from server to server
JanKusanagi joined the channel
#
JanKusanagi
o/
#
eprodrom
JanKusanagi: yo
#
cwebber
so, I'm going to wait until this OAuth mechanism is fully described, but I do want to describe one alternate workflow at the end of this
#
ajordan
JanKusanagi: heya! logs if you want to read back: https://chat.indieweb.org/social/2017-04-25
#
cwebber
but there's productive discussion
#
aaronpk
what diaspora did is the former, using a public key in the user's profile to sign the objects so that the receiver doesn't have to worry about whether example.net actually sent that or not
#
cwebber
so I don't want to interrupt
#
cwebber
okay actually aaronpk just queued me to say it :)
#
cwebber
right exactly
#
cwebber
so here's a super simple workflow
#
cwebber
the linked data signatures route would be:
#
cwebber
the user has their public key embedded *in their actor profile*
#
cwebber
so a server either has already retrieved that user's profile
#
cwebber
or they do so when first seeing the user
#
cwebber
when you get a message
#
cwebber
the signature is *attached* to the message sent server to server
#
cwebber
and whammo, no need to look back and forth for any token things
#
cwebber
you just sign messages
#
aaronpk
okay now define the mechanism for serializing the JSON to sign ;-)
#
ajordan
cwebber: is the assumption that s2s profile lookups are mostly secure then?
#
cwebber
aaronpk: already done
#
eprodrom
So, I've always liked what Blaine Cook says about security specs
#
aaronpk
where?
#
eprodrom
Which is, "If you get to public key infrastructure, back up, because you've gone too far."
#
aaronpk
eprodrom++
#
Loqi
eprodrom has 43 karma in this channel (44 overall)
#
ajordan
eprodrom++
#
Loqi
eprodrom has 44 karma in this channel (45 overall)
#
cwebber
aaronpk: it's part of the LDS spec, it uses normalization of linked data
#
cwebber
I really don't agree with this eprodrom
#
cwebber
but I know others in the group feel strongly about it
#
cwebber
so
#
cwebber
I think we should provide the signature-less direction I guess
#
eprodrom
I understand
#
cwebber
and also provide this other route
#
cwebber
I'm willing to implement both
#
dmitriz
(ok, found the part in the OIDC spec for client verification)
#
aaronpk
heh, linked data signatures links to a 404 for how the json is canonicalized
#
cwebber
aaronpk: it moved
#
aaronpk
womp womp
#
cwebber
I informed them, they haven't updated the spec
#
aaronpk
someone should fix the link
#
cwebber
but here it is:
#
dmitriz
(it’s sort of hidden in https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata — the client passes its keys (either embedded or as a uri) that the server uses to verify it during registration)
#
dmitriz
(if you look at the jwks_uri section “ If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client.”)
#
eprodrom
OK
#
aaronpk
cwebber: ? this looks easier to you than token exchanges? (honest question)
#
cwebber
aaronpk: looks easier once you have a library that already implements the normalization :)
#
cwebber
everything there on out I think is honestly easier
#
cwebber
but
#
aaronpk
i don't even know what half these words mean in the algorithm section https://json-ld.github.io/normalization/spec/#normalization-algorithm
#
cwebber
ok
#
cwebber
well
#
aaronpk
at least in the context of starting with a JSON document
#
cwebber
I'm not going to fight on this, at least we should move forward with a route that works and uses an oauth workflow resembling something like what the world currently uses
#
cwebber
I agree that LDS route needs to incubate itself more
#
eprodrom
So, I get foggy when I try to understand where LDN fits in here
#
aaronpk
LDS, not N :)
#
aaronpk
just the signature part
#
aaronpk
frankly "just use signatures" falls down pretty quickly here IMIO
#
aaronpk
s/IO/O
#
cwebber
ok
#
eprodrom
well, actually
#
cwebber
forget I raised it!
#
eprodrom
I meant LDN
#
aaronpk
cwebber: i mean if you can tell me how I can sign this example object in a paragraph then i'll reconsider https://www.w3.org/TR/activitypub/#obj
#
ajordan
eprodrom: got a one to two minute question for you when we're done with this discussion but don't want to interrupt
#
aaronpk
but so far i was linked to a spec that links to a 404 doc for how to normalize the document before even getting to the signing algorithm
#
eprodrom
It looks like LDN just punts on AuthC which is fine
#
cwebber
aaronpk: the signing algorithm itself is very short once you have it normalized
#
cwebber
aaronpk: and in fact it looks like jose will be used
#
aaronpk
and now my eyes are bleeding because i don't know what "Run the Hash N-Degree Quads algorithm, passing temporary issuer, and append the result to the hash path list." means in the context of that doc
#
cwebber
aaronpk: well, you shouldn't have to, any more than you should have to write an html parser
#
eprodrom
So, it seems we're at a bit of an impasse
#
cwebber
eprodrom: I guess it was a mistake to bring it up.
#
eprodrom
No, it's fine
#
cwebber
eprodrom: the LDS direction isn't ready yet, but
#
cwebber
eprodrom: this is also something *very specifically* asked for by the Diaspora and Mastodon communities
#
aaronpk
it sounds like really the only missing piece for using an analogous mechanism as pump.io is the server-to-server token exchange bit that pump.io uses the dialback for
#
eprodrom
cwebber: that doesn't make any sense for Mastodon since they use OStatus
#
aaronpk
eprodrom++
#
cwebber
eprodrom: they use salmon too, and I think they want to do more along that direction
#
eprodrom
aaronpk: I think we're there
#
eprodrom
cwebber: right
#
eprodrom
OK, so, if I can characterize the discussion so far
#
cwebber
I think the best direction is to support the workflow you have described for OAuth, but leave open the signatures direction
#
eprodrom
1) We have a path for C2S, which eprodrom will document for cwebber to include in security considerations
#
cwebber
+1
#
eprodrom
(Probably with group approval?)
#
tantek
perks back up again
#
eprodrom
2) We have a couple of paths for S2S authentication
#
eprodrom
UNFORTUNATELY, this happens to be a part of your spec where you don't want to have a lot of options
#
cwebber
totally agreed :\
#
eprodrom
A user can sit in front of their client and try a couple of different C2S auth mechanisms
#
eprodrom
Server implementations won't do that
#
eprodrom
It's better to have one
#
eprodrom
S2S, that is
#
dmitriz
+1
#
eprodrom
We don't have to decide today, but we should probably work up a couple of proposals for discussion for the next meeting
#
eprodrom
I'd suggest having one mechanism as a SHOULD and mention other mechanisms as a MAY
#
eprodrom
cwebber: does that sound about right?
#
tantek
any such SHOULD mechanism should have working implementations, or else we're incubating way too late in the game
#
cwebber
eprodrom: so you're suggesting we make it normative?
#
tantek
(and if it's not normative, then no need to say SHOULD or MAY, just point to stuff)
#
cwebber
eprodrom: it could also be a Very Strongly Worded section of the security considerations section :)
#
eprodrom
tantek: agreed
#
tantek
(trying to reduce risk here)
#
eprodrom
cwebber: I think you can just be suggestive for c2s
#
eprodrom
But for s2s it just won't work without some bedrock SHOULD
#
cwebber
eprodrom: we're going to need to implement like hell to make sure this works enough with a SHOULD
#
eprodrom
cwebber: I don't think we have a choice
#
cwebber
feels really nervous!
#
cwebber
I'm not saying you're wrong, I feel like we're dancing near the edge of a cliff on this though
#
eprodrom
I know!
#
aaronpk
shipping a spec with no implementations makes me more nervous ;-)
#
eprodrom
yeah
#
eprodrom
cwebber: we have to implement s2s
#
tantek
any way of modularizing that SHOULD into a separable spec?
#
cwebber
hey pubstrate implements server to server without any checks right now ;)
#
cwebber
isn't that good enough ;)
#
cwebber
I'm joking
#
tantek
really nervous about putting anything that new (yet to be implemented "like hell") into a CR
#
tantek
also is usually a sign that that aspect will reveal *more* normative issues
#
cwebber
so
#
cwebber
points gun footward
#
tantek
(as you implement multiple implementations for the first time and have them bang on each other)
#
eprodrom
I guess I just don't know what else to do
#
cwebber
we've been having a *lot* of recent activity and interest in activitypub right now
#
cwebber
but it's right up to the line
#
tantek
if we had another 6 months, even 3, I might speak differently
#
cwebber
it feels hard to believe we're going to make this without an extension
#
tantek
but we're literally supposed to be fixing normative *details*
#
eprodrom
If I were going to move stuff to a different spec, I'd move the whole S2S section with authentication
#
cwebber
we have the right level of interest and activity right now
#
cwebber
but it's happening all right up near the finish line
#
cwebber
and that's not great
#
tantek
(given just 2-3 weeks left to do *any* normative updates)
#
aaronpk
this is why we had talked about splitting the specs to begin with, because c2s and s2s have very different requirements and considerations, as we are now seeing very clearly
#
tantek
cwebber - well the flipside (positive) is:
#
eprodrom
aaronpk++
#
Loqi
aaronpk has 76 karma in this channel (1295 overall)
#
tantek
1. That level of interest and activity should be directed to the SWICG
#
tantek
(would help get more energy in there)
#
aaronpk
(speaking of swicg we still need to get cwebber to join it so i can make him a chair in the system)
#
dmitriz
see, I don't think the requirements are that different
#
cwebber
oops
#
cwebber
aaronpk: I'll do that this week
#
cwebber
hopefully today even
#
cwebber
so
#
cwebber
this is literally the one big gaping hole left open in the spec
#
tantek
2. If there is BOTH high level of interest and activity and evidence of something being converged and incubated quickly, that's data to push for possible new charter to cover the scope of those incubations.
#
cwebber
what's the shot of an extension? :)
#
cwebber
like seriously
#
cwebber
we're so close on this stuff
#
cwebber
but
#
aaronpk
0 without interest
#
cwebber
aaronpk: are you making an accounting joke or are you talking about community interest
#
cwebber
because right now I think the community interest level is high
#
aaronpk
community interest lol
#
tantek
like don't hope for it (especially without more W3C Member participation / positive votes on the CRs/PRS)
#
aaronpk
right, if we can't demonstrate community interest we won't get an extension
#
aaronpk
how to demonstrate community interest? join swicg!
#
cwebber
we have several *existing* federation communities actively talking about implementing activitypub
#
cwebber
so
#
tantek
aaronpk is right, showing a big spike in SWICG activity would help give us maybe a fraction of a chance instead of 0
#
cwebber
I feel like with 3-6 more months? we'd have activitypub out the door for sure
#
cwebber
ok
#
cwebber
so are you saying, I should join the SWICG and ask people to join?
#
cwebber
but if the SWICG isn't doing anything yet
#
tantek
yes absolutely - you're a chair of SWICG!
#
cwebber
am I just asking them to fill seats?
#
eprodrom
cwebber: can I propose
#
eprodrom
That we make sure to publish the c2s part of AP
#
tantek
you're asking them to bring the discussion to W3C
#
eprodrom
It's the most mature and ready to go
#
cwebber
:(
#
eprodrom
And let's figure out whether we will also do the s2s
#
eprodrom
Again, if we get N implementations, I'm happy to see it happen
#
cwebber
I actually think that's a worse plan, because it gives a good shot at punting on AP's S2S as being a deliverable of this group
#
cwebber
and definitely seems to punt on an extension
#
cwebber
and I think AP S2S is the interesting thing
#
tantek
also - and I forgot to bring this up on the call - we really should start having perhaps monthly SWICG calls
#
cwebber
C2S I think is not as interesting without S2S
#
aaronpk
well we can't ship S2S without implementations of it
#
tantek
but running SWICG telcons is kinda up to the SWICG co-chairs. AHEM ;)
#
eprodrom
cwebber, client-to-server is a huge part of social
#
cwebber
aaronpk: but right, we're now at the point where people are starting to implement
#
cwebber
aaronpk: not sure if you saw
#
cwebber
but mastodon got a PR for the outbox
#
aaronpk
and C2S is certainly useful without S2S, cause without it, you can at the very least create activitystreams objects on your own server
#
cwebber
I'll say that I'm not interested in working on that, because it doesn't tell a useful story
#
eprodrom
cwebber: what do you mean?
#
aaronpk
cwebber: let's start inviting people to the CG and schedule regular meetings either on IRC or voice, in order to do regular checkins with everyone who is considering or actually implementing AP
#
eprodrom
Well, here's where I sit
#
cwebber
this is what I mean
#
cwebber
eprodrom: this justifies, and makes interesting, the whole inbox/outbox workflow
#
cwebber
aaronpk: +1
#
eprodrom
So, here's where I stand
#
eprodrom
We have a little under a month to get interoperating S2S versions going, under the auspices of this WG
#
eprodrom
I think it's possible to do, but we have a lot of hacking to do
#
cwebber
and it's probably true that we can do it if we implement the pump.io workflow
#
eprodrom
If it's not possible to get those interoperating S2S versions going, I'd very much like to ship the C2S stuff
#
cwebber
ok, can I modify that?
#
aaronpk
+1 modularity
#
eprodrom
Because I've spent about 10 years working with client developers and I can say very conclusively that they find client APIs interesting
#
cwebber
If it's not possible to get those interoperating S2S versions going, and we can't get an extension, I'd very much like to ship the C2S stuff
#
cwebber
(but, I'm not really excited about that)
#
cwebber
I know that C2S is interesting, but it's not why I'm here
#
eprodrom
Why not?
#
cwebber
and I feel like we're going to blow an opportunity
#
eprodrom
OK
#
cwebber
I'm not saying I'm opposed
#
eprodrom
Well, the opportunity is now to define and implement the S2S part
#
cwebber
I'm just not excited
#
eprodrom
OK
#
eprodrom
Oh, crap
#
eprodrom
aaronpk, dmitriz, cwebber : I forgot to talk about one flow
#
aaronpk
perks up
#
dmitriz
go on
#
eprodrom
It's c2s where the end user doesn't have an account on the server
#
tantek
perks up
#
tantek
onboarding!
#
eprodrom
Say, when evan@example.net wants to look at the contents of an object at https://example.com/note/note-by-jane-1
#
ajordan
tantek: not onboarding, think "sign in with an account on another server"
#
cwebber
eprodrom: (note we do have a workflow for that in the AP spec right now for reading)
#
cwebber
but keep going!
#
tantek
oh sorry yes
#
eprodrom
Cool
#
eprodrom
With pump.io we use proxies
#
ajordan
I think that ends up being painful though? JanKusanagi can comment on that
#
eprodrom
So evan@example.net's client requests from example.net to get the content, and then example.net requests the content from example.com
#
dmitriz
yeah, this is something i’ve been working on too, the foreign auth
#
eprodrom
ajordan: agreed
#
ajordan
eprodrom: this is what proxyUrl or whatever is right? I think it's kinda ill-defined too but maybe that's just an implementation detail
#
eprodrom
ajordan: right
#
cwebber
eprodrom: we have proxy stuff in AP too
#
JanKusanagi
well, in my experience the proxy thing works quite all right, except when there's an "API route" that's not proxied, or the fact that proxy errors don't carry the original error
#
ajordan
ah, interesting
#
JanKusanagi
also, double server load when you need to download media (say, a big video) through the proxy
#
eprodrom
JanKusanagi: yeah, that stinks
#
dmitriz
yeah. and the other problem w proxy is for “unattended” server side apps
#
dmitriz
the classical oauth2 use case
#
ajordan
dmitriz: how so?
#
dmitriz
just made harder with more actors in the mix
#
eprodrom
cwebber: so, the spec right now says s2s with LDS and/or JWKS
#
eprodrom
Again, PKI
#
eprodrom
But I'd rather ship with that then have nothing
#
eprodrom
s/then/than/
#
cwebber
eprodrom: yeah
#
tantek
eprodrom including making test suite tests for those? and getting impls to pass them?
#
dmitriz
well wait though. there’s two different kinds of PKI. there’s PKI for people, in which case sure, that saying holds true. and then there’s PKI for servers (for oauth2 discovery / oidc). which is an easy, and solved problem
#
cwebber
eprodrom: so what I was hoping for out of this
#
cwebber
was for you to define the oauth workflow
#
cwebber
in a couple paragraphs
#
cwebber
maybe a PR?
#
cwebber
and then I could implement it over this week
#
cwebber
both in the test suite and pubstrate's implementation
#
ajordan
dmitriz++
#
Loqi
dmitriz has 2 karma
#
cwebber
eprodrom: could we do that? That would be moving forward
#
eprodrom
Sounds fine-ish
#
cwebber
eprodrom: the current state of the test suite and pubstrate is that I've done the C2S, though obviously since I missed an endpoint
#
tantek
movingforward++
#
Loqi
movingforward has 1 karma
#
cwebber
I must have done the workflow wrong
#
cwebber
so I'd like to correct it, but I haven't done S2S
#
cwebber
so if I could get that in
#
cwebber
since pubstrate currently doesn't do any auth (and that's one reason I don't have a public instance up)
#
cwebber
and then I can also add it to the test suite
#
cwebber
and we can get moving
#
cwebber
and as for the LDS, I still uphold that it's interesting, and may be even the right way to go, but it shouldn't hold things back, and obviously bringing it up here is doing so
#
cwebber
eprodrom: could you make that an item you can deliver on today or tomorrow?
#
eprodrom
cwebber: I think if we can stick with just one kind of JSON signature, we'll be better off
#
cwebber
getting a PR with that workflow in the text?
#
cwebber
eprodrom: good news
#
cwebber
LDS and JWS are converging.
#
cwebber
so there's no conflict.
#
eprodrom
cwebber: the c2s workflow? ye
#
eprodrom
yes
#
cwebber
that's my rough understanding
#
cwebber
LDS will be probably using JWS, and will instead be how you embed the signature and key on the object
#
cwebber
sorta.
#
eprodrom
I don't get how JWK works so I don't think I can get it to you today or tomorrow
#
cwebber
eprodrom: ok, well you described a workflow today though
#
cwebber
do you think that workflow is worth putting down?
#
cwebber
into spectext?
#
eprodrom
Yes
#
cwebber
and is it understood enough to be sufficient/implementable?
#
cwebber
sweet
#
cwebber
eprodrom: then get a PR for that too!
#
dmitriz
(this is the single coolest thing I’ve learned today, that JWS and LDS are converging)
#
eprodrom
I think so
#
cwebber
dmitriz: that's my understanding, don't quote it as definitive
#
eprodrom
cwebber: could you explain to me how the S2S signature system works?
#
dmitriz
no worries. I just thought the LDS crowd was thoroughly opposed
#
eprodrom
Don't you have replay problems?
#
dmitriz
I’m happy to explain, too
#
eprodrom
I guess that's always a problem with bearer tokens too
#
dmitriz
it is. which is why I wanted to ask why the insistence on bearer tokens, for many of these specs
#
eprodrom
Developers like bearer tokens
#
dmitriz
and the solution is fairly simple (if not always easy in the details). which is to have an audience property in the token.
#
dmitriz
which is the route OIDC took. (and Facebook’s oauth2 implementation)
#
eprodrom
OK, I have to go
#
cwebber
dmitriz: I wonder if OIDC's use of signatures and linked data signatures' use of signatures aren't too different in the path they take
#
cwebber
not in implementation
#
cwebber
but for the direction they're used for
#
dmitriz
I think they’re very similar. (I’d need to look again at the LDS spec)
#
cwebber
eprodrom: ok, please get those PRs up there
#
ajordan
eprodrom: see ya
#
cwebber
eprodrom: thanks for taking the time, and to everyone else who did too :)
#
dmitriz
from what I understood from talking to Manu & crowd, LDS considered JWS but rejected it initially due to a very specific constraint. (having to do with being able to index JWKs in databases, etc)
#
ajordan
I'll email you what I was going to say since you're out of time
#
ajordan
also about an AP sprint
#
eprodrom
ajordan: just hit me now, I'm still here
#
Loqi
[strugee] #1285 Resubmit Dialback authentication IETF draft
#
ajordan
worth pursuing?
#
eprodrom
Prrrrobably?
#
ajordan
ok, I'll leave it open in that case
#
eprodrom
Not for a little while
#
ajordan
we can revisit when things aren't so hectic
#
eprodrom
Right
#
ajordan
cool, that was all
#
eprodrom
It's very host-meta/webfinger-centric
#
eprodrom
Cool
#
ajordan
thanks! see ya
#
cwebber
eprodrom: brief PM before you vanish
#
cwebber
sent!
#
ajordan
cwebber: https://www.w3.org/community/swicg/ to sign up for the SWICG btw. it's just a button
#
Loqi
Call for Participation in Social Web Incubator Community Group W3C Team | Posted on: November 18, 2016 The Social Web Incu...
#
cwebber
oh right
#
aaronpk
the hardest part of joining the swicg is setting up the w3c account but you've already done that :)
#
aaronpk
no profile photo cwebber?
#
cwebber
aaronpk: I'll add one :)
#
ajordan
oh btw aaronpk how long does it take for profile pictures, etc. to show up on IndieWeb IRC logs?
#
aaronpk
should be 5 minutes
#
ajordan
clearly I did something wrong then
#
aaronpk
cwebber: you are now a chair!
#
cwebber
aaronpk: wow, so easy! why'd I put it off so long :)
#
cwebber
oh now I remember
#
cwebber
I made the mistake of trying to sign up as an individual before
#
cwebber
when I should have just clicked [X] on mediagoblin
#
cwebber
since I run it :P
#
cwebber
and then there was a process snafu. but I could have just resubmitted
#
cwebber
oops!
#
cwebber
aaronpk: happy to be co-chair with you, should be fun :)
#
ajordan
aaronpk: whoops, wasn't alphabetical since I changed it. I'm there though
#
aaronpk
haha k. let me check to make sure the cron job is working :)
#
Loqi
hehe
#
aaronpk
oh! i forgot to make the chat.indieweb.org logs use the w3c user list
#
elensil
hi guys
#
elensil
I'm the author of Movim, an open and decentralized social network fully built on XMPP
#
elensil
I'm also part of the XSF and I'm interested to know more about your work done here
#
elensil
to also see if we can work together (the XSF and the SocialWG)
#
ajordan
lol neat
#
ajordan
thanks aaronpk!
#
ajordan
elensil: heya!
#
cwebber
heya elensil :D
#
cwebber
elensil: sorry we were so wrapped up in meeting for so long
#
cwebber
elensil: that sounds great; I am a big XMPP fan :)
#
elensil
did you already have a look at XMPP, especially Pubsub and related XEPs?
#
cwebber
elensil: I've read them in the past yes
#
cwebber
elensil: so, the status of the SocialWG is we are wrapping up some specs already in process
#
cwebber
elensil: but, we have a social community group that will also be more broadly about the topic of federation
#
cwebber
elensil: it would be great to have you part of that
#
Loqi
Call for Participation in Social Web Incubator Community Group W3C Team | Posted on: November 18, 2016 The Social Web Incu...
#
elensil
I have a couple of issues here
#
elensil
first it looks like you are working on Social protocols that are really bound to the web standards
#
Zakim
excuses himself; his presence no longer seems to be needed
#
elensil
JSON/HTTP …
#
cwebber
elensil: yup
#
cwebber
that's true :)
#
Loqi
yeah who invited you anyway Zakim
#
aaronpk
this is the social *web* working group after all :)
#
dmitriz
cwebber: as far as the mailing lists for the community group - which one of the 3 is the main one? (worth joining, etc)
#
elensil
so I'd like to know where we can fit together, XMPP is TCP/real-time/XML :D
#
aaronpk
i thought i had systems remove the mailing list link. we don't use the mailing list
#
aaronpk
i will ask again
#
dmitriz
np
#
dmitriz
elensil: it would be interesting to discuss/specify how the various XEPs would interop with the corresponding web protocols. like the XMPP Pubsub vs Websub. etc.
#
dmitriz
how to bridge between the two
#
elensil
yeah
#
cwebber
I think bridging would be the most useful
#
cwebber
elensil: I think the XMPP group already has its own groups to incubate its federation XEPs
#
cwebber
and our group is specifically about web stuff
#
cwebber
but, bridges are good
#
elensil
the first thing would be to define common URI, all your protocols seem to be defined using hrefs
#
cwebber
so maybe that would be a good role for you in the CG elensil ?
#
elensil
in XMPP we have uri="xmpp:" or uri="http://…"
#
dmitriz
so if there’s no mailing list for the CG, where does the discussion take place?
#
aaronpk
here, and github
#
elensil
I also invite you to join xsf@muc.xmpp.org :)
#
aaronpk
we have https://github.com/swicg/general and can also make new repos if we start having more focused projects/specs/docs
#
dmitriz
aaronpk: got it, thanks.
#
Loqi
[swicg] general: General issue tracker for the group
#
elensil
there are big discussions at the moment on MIX, the Pubsub on steroids
#
cwebber
elensil: I joined
#
cwebber
elensil: however I think we will remain a focused on web-type-technologies group
#
cwebber
but, as said
#
cwebber
bridging is good
#
elensil
yes, but I truly think that we are solving similar issues
#
cwebber
the eternal problem, federating federations :)
#
elensil
basically what is changing is the support (XML/JSON and TCP/HTTP)
#
cwebber
elensil: though some caution, the "so close but not quite" dream often ends up not being close enough to merge
#
cwebber
as even this WG has seen ;)
#
cwebber
I wish that weren't true though
#
tantek
waits for cwebber to eventually propose an interfederation protocol in 2018
#
cwebber
tantek: :)
#
tantek
then we can all talk about joining the "interfed" ;)
#
cwebber
tantek: the Meta Federation Protocol
#
tantek
cwebber, it's the internet, not the metanet ;)
#
cwebber
likes the Meta Object Protocol, so...
#
cwebber
ah
#
cwebber
yeah
#
dmitriz
wow. sign me up.
#
dmitriz
:)
#
tantek
Next telcon agenda is up: https://www.w3.org/wiki/Socialwg/2017-05-02 (and even stubbed 2017-05-09 while at it). Please add anything we missed this week.
#
tantek
BTW at this point I'm not expecting that we'll organize a f2f anytime soon, even for the SWICG
#
tantek
however I think a summer SWICG f2f could be interesting, something for aaronpk and cwebber to think about
#
tantek
(after charter end)
#
aaronpk
Summer is soon!
#
tantek
also if anyone can make it to Portland, IndieWeb Summit is June 24-25
#
tantek
lastly, TPAC 2017 is November 6-10 in Burlingame, CA (near SFO), and that's a good (likely) candidate for a SWICG f2f as well, since TPACs now have rooms set aside for CG f2f meetings.
#
tantek
all those dates, details, links here: https://www.w3.org/wiki/Socialwg#Future_Meetings
#
ajordan
oooo I can probably make it to the Summit this year
#
ajordan
dunno about TPAC. I'll be in college then
#
ajordan
s/then/by then/
#
tantek
great!
#
ajordan
hey, do we close issues that we know are for sure postponed?
#
ajordan
sandro, cwebber: ^^^
timbl joined the channel
#
ajordan
cwebber: sent ~5 PRs to pick off editorial low-hanging fruit
#
cwebber
wow nice, thx ajordan
#
ajordan
sure thing
#
ajordan
I'm picking off normative ones now
#
cwebber
ajordan: regarding closing issues btw
#
ajordan
can't get through all of them since for some I'm not familiar enough but
#
cwebber
ajordan: we need to either have satisfied the poster or get consensus from the group before closing an issue
#
cwebber
in general
#
ajordan
so in particular I'm looking at https://github.com/w3c/activitypub/issues/188 which I think we resolved last week on the telecon?
#
Loqi
[astronouth7303] #188 Revision ID?
#
ajordan
didn't we say that timestamps were good enough and that something more precise could be revisited in an extension?
#
ajordan
might be misremembering though
#
cwebber
hm
#
cwebber
I thought I started to reply to this one
#
cwebber
oh
#
cwebber
we were going to put it on the agenda for this week :P
#
cwebber
oops
#
ajordan
lol whoops
#
cwebber
what we said resolving it didn't get logged if we had something apparently
#
cwebber
I don't see anything in the minutes re: that one
#
ajordan
from last week?
#
cwebber
yeah
#
cwebber
I mean, concluding it or etc
#
ajordan
guess we'll have to put it on next week's agenda?
#
cwebber
I guess so
timbl joined the channel
#
ajordan
ok, put a significant dent in the open issue count