#social 2017-04-25

2017-04-25 UTC
timbl joined the channel
#
@ChrisAldrich Curious if @altmetric has looked at Webmentons https://www.w3.org/TR/webmention/ so they could potentially support generic… http://stream.boffosocko.com/2017/curious-if-altmetric-has-looked-at-webmentons-trwebmention-so-they (twitter.com/_/status/856676458193965057)
#
@ToDiaspora https://www.w3.org/TR/activitypub/ (twitter.com/_/status/856706051059613696)
tantek joined the channel
#
@accessiblestef Webmention - too complicated for me technically, but conceptually great. https://www.w3.org/TR/webmention/ /v @w3c (twitter.com/_/status/856787678662057984)
tantek, dmitriz, timbl, edhelas and elensil joined the channel
#
elensil hello :)
#
cwebber hi
#
elensil I'm interested to know a bit more about the work currently done by the Social WG :)
tantek joined the channel
#
ajordan elensil: wer you looking for something in particular? or just generally?
#
tantek good morning #social
#
cwebber hi tantek
#
ajordan morning tantek!
#
sandro trackbot, start meeting
#
RRSAgent logging to http://www.w3.org/2017/04/25-social-irc
RRSAgent joined the channel
#
trackbot is preparing a teleconference.
#
trackbot RRSAgent, make logs public
#
cwebber it's about that time right?
Zakim joined the channel
#
RRSAgent I have made the request, trackbot
#
trackbot Zakim, this will be SOCL
#
Zakim ok, trackbot
#
trackbot Meeting: Social Web Working Group Teleconference
#
trackbot Date: 25 April 2017
#
cwebber elensil, well, we have a meeting now, it's socialwg participant early but you're welcome to lurk here on irc, could give you a good indication of what we're up to :)
#
tantek cwebber: yes it is
#
tantek present+
#
csarven meeting now??.. did i get my tz wrong?
#
csarven I thought it'll be in an hour
#
aaronpk present+
#
tantek csarven: yes now
#
ajordan present+
#
csarven okie dokie
#
ajordan probably
#
tantek present+ eprodrom
#
tantek Zakim, who is here?
#
Zakim Present: tantek, aaronpk, ajordan, eprodrom
#
Zakim ... lambadalambda, aaronpk, bigbluehat, mattl, trackbot
#
Zakim On IRC I see RRSAgent, tantek, elensil, timbl, dmitriz, ajordan, wilkie, ben_thatmustbeme, KjetilK, dwhly, bitbear, rhiaro, csarven, wseltzer, raucao, sandro, cwebber, Loqi, jet,
#
cwebber present+
#
ben_thatmustbeme present+
#
csarven present+
#
tantek https://www.w3.org/wiki/Socialwg/2017-04-25
#
cwebber I can scribe
#
tantek chair: tantek
#
rhiaro present+
#
tantek scribenick: cwebber
#
sandro present+
#
sandro Zakim, who is here?
#
Zakim Present: tantek, aaronpk, ajordan, eprodrom, cwebber, ben_thatmustbeme, csarven, rhiaro, sandro
#
Zakim On IRC I see RRSAgent, tantek, elensil, timbl, dmitriz, ajordan, wilkie, ben_thatmustbeme, KjetilK, dwhly, bitbear, rhiaro, csarven, wseltzer, raucao, sandro, cwebber, Loqi, jet,
#
Zakim ... lambadalambda, aaronpk, bigbluehat, mattl, trackbot
#
tantek https://www.w3.org/wiki/Socialwg/2017-04-18-minutes
#
cwebber tantek: let's get started with first item, which is to review minutes from last week, had a brief telcon to discuss activitypub issues
#
cwebber tantek: let's see what the rest of the folks who were here, see if the minutes are good
#
dmitriz present+
#
sandro waves to dmitriz !
#
rhiaro waves to dmitriz!
#
ben_thatmustbeme needs to remove the DRAFT header and we usually remove the footer stuff too
#
cwebber would it be safe to do PROPOSED now?
#
cwebber
#
aaronpk i can do that
#
sandro PROPOSED: approve https://www.w3.org/wiki/Socialwg/2017-04-18-minutes
#
sandro +1
#
cwebber +1
#
ben_thatmustbeme +1
#
aaronpk +1
#
ajordan +1
#
cwebber was there
#
ben_thatmustbeme majority of those that were there are here
#
rhiaro +1
#
cwebber TOPIC: next telecon
#
cwebber tantek: with excepttion of last week we've done them every other week, that would place next telecon on May 9th
#
cwebber tantek: how does that sound for folks?
#
rhiaro I won't be here but y'all can carry on without me
#
ben_thatmustbeme +1
#
csarven +1
#
cwebber evan: I think it makes sense
#
cwebber sandro: I'd propose doing every week
#
cwebber would prefer every week at this point, but can do every other
#
csarven can't next week
#
cwebber evan: could we do half hour every week instead of an hour?
#
aaronpk can't make next week
#
cwebber sandro: I don't think we've been wasting time in meetings
#
cwebber evan: I'm happy to do a full hour I just don't want to take up more of peoples' time than we need
#
rhiaro we can always finish early if it happens..
#
cwebber evan: and we are down to one to two specs at this point
#
cwebber sandro: we only need the people who are there
#
cwebber sandro: maybe we can wait till the end of this meeting and see how we're doing
#
cwebber tantek: I'll offer my opinion, the key thing I think is to actually have progress on the things we've made progress on
#
cwebber tantek: if we don't have a test suite that's ready, a meeting is not going to change that
#
cwebber tantek: so that's why I have my doubts about meeting every week
#
ajordan gotta drop out, forgot I had something else right now. sorry!
#
cwebber tantek: I'd like to allow people to have their time to focus
#
ajordan present-
#
cwebber tantek: maybe I should ask chris and aaron
#
cwebber tantek: do you think it'll be done in 2 weeks? or will it be done in a week?
#
cwebber aaronpk: I don't think I can guarantee having it done in a week... two weeks yeah
#
sandro cwebber: Probably two weeks for the test suite, realistically, probably.
#
sandro q?
#
Zakim sees no one on the speaker queue
#
sandro q+
#
Zakim sees sandro on the speaker queue
#
cwebber evan: we also need to get implementations done, 2 weeks sounds right
#
cwebber sandro: if I remember right last week we decided to do breaking changes on ActivityPub
#
cwebber sandro: and the absolute final deadline for doing breaking changes is 3 weeks from now
#
cwebber sandro: so there's a lot of deadline pressure
#
cwebber sandro: maybe we're not doing any more deadline pressure
#
cwebber tantek: let's at least put up the we need to do in two weeks or three weeks
#
cwebber sandro: if there are any open issues in AP, we should do it next week
#
cwebber tantek: why not in two weeks
#
cwebber sandro: in theory we could do it in two weeks
#
cwebber sandro: in a four hour meeting in two weeks? some of these take a while
#
cwebber tantek: here's the other side of that... if we're seeing a rate of normative substantiative issues come in, then it might make more sense to give chris and others more time to wrap them up
#
cwebber tantek: that was going to be the second question I was going toa sk
#
cwebber *ask
#
rhiaro We're using a lot of meeting time talking about scheduling meetings.
#
cwebber tantek: if we have a high rate of substantiative meeting
#
sandro *23* open issues need to be closed
#
cwebber +1 to rhiaro
#
cwebber tantek: not all these issues need to be discussed in the telcon
#
cwebber tantek: if editors and people who raised them can resolve them, we can quickly knock them out
#
rhiaro q+
#
Zakim sees sandro, rhiaro on the speaker queue
#
tantek ack sandro
#
Zakim sees rhiaro on the speaker queue
#
cwebber rhiaro: in the interest of this meeting to use this week to do things, can we agree to do a meeting next week and see if we need it
#
ben_thatmustbeme +1 to schedule it and can always cancel
#
cwebber tantek: you're right, let's do a straw poll to see
#
cwebber tantek: just enter into irc
#
rhiaro +1 all the weeks
#
cwebber cwebber: I'd prefer a meeting next week
#
sandro +1 to long meetings for the next three weeks, until all issues are dealt with
#
cwebber cwebber: all weeks :)
#
aaronpk i don't mind every week in general, but i can't make next week's call
#
csarven +1 sandro said.. in the interest of minimising risk. show up for those that need to get their stuff moving.
#
ben_thatmustbeme do we want to schedule it as an activitypub meeting next week then?
#
rhiaro i also think i'ts useful to have more than just core spec people in the meetings for better consensus making, but we can't force people to show up..
#
rhiaro perspectives etc
#
ben_thatmustbeme nods
#
cwebber RESOLVED: will hold meetings on may 2nd and may 9th
#
csarven Same bat channel
#
cwebber tantek: please try to resolve issues outside of the call on github
#
cwebber tantek: quick PR update status
#
sandro but PLEASE try to keep time available after call so we can go long.
#
cwebber tantek: we do have PRs for AS2 and MicroPub (congrats)
#
cwebber tantek: any calls for changes or objections?
#
cwebber rhiaro: we have mostly positive comments (?)
#
cwebber tantek: we have until may 11th for people to review the PRs
#
cwebber rhiaro: so that goes to the last one which is WebSub
#
cwebber tantek: oh ok, can you give us a summary of the end date
#
cwebber sandro: AP and WebSub don't have deadlines there because thye haven't gone to PR yet
#
cwebber sandro: from the perspective of this, it's only the PR that gives us a deadline
#
sandro (this = W3C AC Review)
#
cwebber tantek: last I looked at it I saw a bunch of positive votes saying they like LDN, want to give it their support
#
cwebber tantek: last I saw we could use a few more AC reps voting on AS2 and MicroPub
#
cwebber tantek: so if you know member organizations, reach out
#
cwebber tantek: encourage them to at least say hey, this is a good idea, make this recommendation
#
sandro https://www.w3.org/Member/ACList List of W3C companies and their representatives
#
cwebber tantek: they have till May 11th, so
eprodrom joined the channel
#
cwebber tantek: so that's something everyone can do
#
cwebber tantek: that'e enough on that...
#
cwebber TOPIC: Websub
#
cwebber tantek: any comments from the AC on websub and activity[streams]?
#
cwebber tantek: it didn't sound like it, but figured I'd explicitly ask
#
cwebber tantek: I assume rhiaro is muted or checking
#
cwebber rhiaro: no explicit comments
#
cwebber tantek: we'll assume if they are they're filing them in github, etc
#
cwebber TOPIC: Social Web Protocols
#
cwebber tantek: there's been revisions, suggesting publishing new version
#
cwebber rhiaro: need to pull up changelog
#
cwebber rhiaro: so I brought all of the websub stuff up to date
#
cwebber rhiaro: I'd appreciate it if aaron, etc did so
#
cwebber rhiaro: looked at it
#
rhiaro http://w3c-social.github.io/social-web-protocols/#change-log
#
cwebber rhiaro: I also tidied it up a bit
#
cwebber tantek: aaronpk, julian, did you look at it recently?
#
cwebber aaronpk: I have reviewed it recently but not specifically for websub, I can go through that
#
cwebber tantek: ok
#
aaronpk micropub status PR, this still says CR
#
cwebber tantek: let's give you a few minutes to do that; we'll come back to social web protocols
#
cwebber tantek: we'll give a few minutes to do that
#
aaronpk https://w3c-social.github.io/social-web-protocols/#swwg-specs
#
cwebber tantek: I don't have any updates on post type discovery, we'll skip for this week
#
tantek zakim, who is here?
#
Zakim Present: tantek, aaronpk, eprodrom, cwebber, ben_thatmustbeme, csarven, rhiaro, sandro, dmitriz
#
cwebber tantek: we don't have julian on the phone do we?
#
Zakim ... cwebber, Loqi, jet, lambadalambda, aaronpk, bigbluehat, mattl, trackbot
#
Zakim On IRC I see eprodrom, Zakim, RRSAgent, tantek, elensil, timbl, dmitriz, ajordan, wilkie, ben_thatmustbeme, KjetilK, dwhly, bitbear, rhiaro, csarven, wseltzer, raucao, sandro,
#
cwebber tantek: no, ok
#
cwebber tantek: chris is minuting and has to do AP ;)
#
rhiaro I can
#
rhiaro scribenick: rhiaro
#
rhiaro puts on her scribing gloves
#
rhiaro scribing gloves gifted by cwebber
#
rhiaro tantek: Walk us through the issues. Important ones first
#
rhiaro cwebber: I've been focussing on the test suite
#
cwebber https://github.com/w3c/activitypub/issues/203
#
Loqi [jaywink] #203 Linked Data Signatures + public key URI
#
rhiaro ... this one I'm not going to address what he said, but will discuss in the abstract
#
rhiaro ... this is something that there's a lot of stuf fhappening in this area, and actula convergence between linked data signatures and jose stuff
#
rhiaro ... so that seems useful to capture becuase I know we keep getting asked about how to handle signatures
#
dmitriz (oh, awesome… re convergence between sigs & jose)!
#
rhiaro ... it's non normative
#
rhiaro ... one concern I have is people want us to address it in the spec, which means we'd need it in the test suite
#
rhiaro ... worried this will use a lot of time
#
sandro q+
#
Zakim sees rhiaro, sandro on the speaker queue
#
eprodrom q+
#
Zakim sees rhiaro, sandro, eprodrom on the speaker queue
#
tantek ack rhiaro
#
Zakim sees sandro, eprodrom on the speaker queue
#
tantek from before
#
rhiaro ... This is something I"ve been thinking about. I have some concerns.. we already knew the auth stuff was not going to be a permanent recommendation by the end of the group but i feel like this may be one of the things that needs to be updated as fast as possible
#
rhiaro q-
#
Zakim sees sandro, eprodrom on the speaker queue
#
rhiaro tantek: sounds like a process question
#
tantek ack sandro
#
Zakim sees eprodrom on the speaker queue
#
rhiaro sandro: seems like the best we can do is claim this is a feature that's orthogonal to AP. The way people do auth may change over time. Over here is where you see guidence about what people seem to be currently doing
#
rhiaro ... 'over here' can be managed by the CG, on a wiki page or something
#
rhiaro ... that can reflect our bes tunderstanding of what people are doing in practice based on implementation reports and changes over time
#
rhiaro ... if next year something better comes along, it doesn't change AP at all
#
rhiaro ... we just try to give people advoice, or point them to a place to help them find out what is going on
#
cwebber https://www.w3.org/TR/activitypub/#actors
#
rhiaro cwebber: that makes sense
#
rhiaro ... this is in the spec currently, the endpoints section
#
rhiaro ... we got the oauth stuff wrong, we're missing an endpoint
#
rhiaro ... but we do provide endpoints for some of these things
#
rhiaro ... one possible option is to move the auth endpoint stuff to an extension
#
rhiaro ... a wiki page seems like a bad idea
#
rhiaro ... I'm wondering whether we should leave this in the normative part of the spec of giving these endpoints. On the other hand, people need them
#
rhiaro ... But as you said i tmight not be necessarily correct for the future
#
rhiaro ... Should we include those endpoints actually in there?
#
rhiaro ... or is there a better place?
#
rhiaro eprodrom: if we're not sure how we're gonna use them I don't see a good reason to include them in the spec
#
rhiaro ... that doesn't seem like we should be throwing things into the spec that we're not actually using
#
rhiaro ... I agree with sandro. I think there is a big advantage to keeping those specs simple without auth being part of it
#
rhiaro ... There are two different kinds of auth that would be required, c2s and s2s, both important
#
rhiaro ... and part of the problem with combining the c2s and s2s in one spec is that we did complicate that a bit
#
rhiaro ... is there a way we could just kick it over to say oauth?
#
tantek q?
#
Zakim sees eprodrom on the speaker queue
#
tantek ack eprodrom
#
Zakim sees no one on the speaker queue
#
rhiaro ... use oauth2 discovery and there you go?
#
rhiaro tantek: I completely agree with what Evan just said
#
rhiaro ... specifically the endpoint question
#
rhiaro ... we should only include an endpoint if we are going to define precisely the implementaiton behaviour for that endpoint
#
rhiaro ... both for the person with the endpoint and the person discovering it
#
rhiaro ... kicking this to an extension or an example spec, ie wiki page or github
#
rhiaro ... if there's some part of a spec where we don't have the precise method defined, we should modularise that out of the spec
#
rhiaro ... saying that as me not as chair
#
rhiaro cwebber: I have a suggestion on how to handle this
#
tantek q?
#
Zakim sees no one on the speaker queue
#
rhiaro ... two sections that reference this. The actor endpoints part. Sounds like there's rough consensus that we shouldn't be defining those cos we'll possibly get them wrong and we can handle that in the CG or external to the AP as this spec process
#
cwebber https://www.w3.org/TR/activitypub/#authorization
#
rhiaro ... there's also a whole auth section
#
rhiaro ... I could just keep that there but dilute it heavily
#
rhiaro ... refer to the kind of directions that are possible, and very vaguely say how they might be used
#
rhiaro ... how do people feel about that?
#
tantek q?
#
Zakim sees no one on the speaker queue
#
rhiaro ... removing the endpoints and referring to the possible directions but saying to look elsewhere?
#
rhiaro sandro: why not cut a little more than that, and just say this is out of scope, here's some places you might look for how to do it?
#
rhiaro cwebber: that's what I mean
#
rhiaro ... we could remove it as a whole header.. currently it's a whole section. We could jjust move it to the security considerations section just pointing at the things
#
rhiaro tantek: I like the general approach
#
rhiaro ... How did micropub address this issue in terms of keeping the auth bits orthogonal? I don't quite remember
#
rhiaro ... is there some way to reuse similar text to indicate that it's something that's defined elsewhere?
#
rhiaro ... and point to a couple of specific approaches informally as what other implementaitons are looking at
#
rhiaro aaronpk: one, micropub does explicitly say that bearer tokens are used for authentication
#
rhiaro ... that avoids having to have multiple different options. What it doesnt' say is how you get the access token, because that's outside of the scope of micropub
#
rhiaro ... that cleans that up
#
rhiaro ... where micropub and activitypub differ is that AP is also a server to server protocol, which means there's untrusted content going between the two, so a bearer token may not be the best approach for that
#
rhiaro ... this doesn't apply for micropub because we're not using it to federate between servers
#
rhiaro tantek: I have this vague recollection of resolving to use bearer tokens in both? we can reconsider. What do you think of using th emicropub approach for the client to server piece of AP?
#
rhiaro cwebber: we could reuse it, it's a lot more normative in micropub that it currently is in activitypub
#
rhiaro ... in micropub it's much more specifically baked in there
#
rhiaro ... we could try to bake in bearer tokens for c2s, but that doens't sovle the question people are asking the most which is about s2s
#
rhiaro ... we might patch over a part of it, but we're leaving just a big of a gap anyway
#
rhiaro ... at that poing i'd like to encourage the bearer token usage and describe how it's done in the more diluted security considerations section that we're talking about
#
eprodrom q+
#
Zakim sees eprodrom on the speaker queue
#
tantek q?
#
Zakim sees eprodrom on the speaker queue
#
rhiaro ... but I think since the spec does say you have to... we can probabyl borrow some of it and pull it inot the non-normative section that we're talkinga bout here. Would that make sense?
#
rhiaro tantek: what do you think is right for AP?
#
tantek ack eprodrom
#
Zakim sees no one on the speaker queue
#
rhiaro cwebber: I think that removing the endpoints, have the watered down portion in the security considerations section, and borrowing some of micropub's terminology about how to use bearer tokens is probably the best way forward
#
rhiaro eprodrom: cwebber, could we instead of taking this call, could we go over how pump.io does this process before we make this decision, and see if that's something we could translate into AP?
#
rhiaro ... pump.io started 4 yeares ago, uses early versions of oauth2 discovery, but the concepts are still the same
#
rhiaro ... should be possible to point out simply to use oauth 2 discovery or openid connect discovery to make this work
#
rhiaro ... and that should be sufficient
#
rhiaro ... but we'd need to step through it
#
rhiaro ... the other thing is saying 'it may be possible to use these for c2s, along with other auth systems'
#
rhiaro cwebber: we can talk, do you immediatley after this call want to follow up?
#
rhiaro eprodrom: stay on irc
#
rhiaro tantek: important issue, time well spent
#
rhiaro ... sounded like we were close to consensus from teh group's perspective
#
rhiaro ... eprodrom, would you have any objection to resolving what chris said
#
rhiaro ... remove the endpoints, move the watered down portion of auth to the non-normative security considerations section, and borrow some of micropub's terminology about how to use bearer tokens, with details left up to editor
#
rhiaro ... that's the rough proposal
#
rhiaro eprodrom: I'd like to more carefully walk through the possibilities for pointing out the features we could use at each stage of the server to server and client to server before we just punt on it
#
rhiaro ... i feel like this will take more work
#
rhiaro tantek: I'll leave it to the two of you to follow up in the issue
#
rhiaro ... hopefully you'll resolve it in a way the commenter agrees to, or if we need to explicitly approve a proposal we can do that next week
#
rhiaro ... but we're not resolving it now
#
rhiaro eprodrom: aaronpk, if you're not in a rush at the end of the call if you could stay on with us to discuss that would be helpful
#
rhiaro TOPIC: SWP again
#
cwebber scribenick: cwebber
#
cwebber aaronpk: I have two issuses open on it, and I do think they should be addressed before publishing
#
Zakim sees rhiaro on the speaker queue
#
rhiaro q+
#
cwebber tantek: those are new issues, so instead of discussing them in realtime, I'd like rhiaro to look at them
#
tantek ack rhiaro
#
Zakim sees no one on the speaker queue
#
cwebber tantek: would you be okay with delaying a decision to public next week
#
cwebber rhiaro: would publishing with these issues be enough to keep a version from november up
#
cwebber rhiaro: would you object with these issues aaronpk
#
cwebber aaronpk: I guess I'd be willing to publish even with these issues
#
cwebber PROPOSED: publish an update to Social Web Protocol with current draft
#
cwebber tantek: one issue is to note the issues inline, or we could try to do another draft next week
#
cwebber aaronpk: let's just do another draft
#
cwebber cwebber: +1
#
aaronpk +1
#
rhiaro +1
#
ben_thatmustbeme +1
#
wilkie +1
#
csarven +1
#
eprodrom +1
#
sandro +1
#
cwebber RESOLVED: publish an update to Social Web Protocol with current draft
#
cwebber tantek: appreciate the update rhiaro, and let's do more rapid updates too
#
cwebber TOPIC: websub
#
cwebber tantek: where are we at with normative issues aaronpk ?
#
cwebber aaronpk: I believe we haven't had any issues come in
#
cwebber tantek: as in terms of group decision issues, do you have any editorial issues that require republishing?
#
cwebber aaronpk: one thing that came up two weeks ago, I'm trying to remember if this needs any editing of the text, just gimme a sec
#
aaronpk https://github.com/w3c/websub/issues/98
#
Loqi [kevinmarks] #98 Subscription migration is unclear
#
cwebber tantek: basically is the editor's draft disparate from the CR
#
cwebber aaronpk: I don't think there's any difference in the ED right now
#
cwebber aaronpk: just trying to remember if this issue requires any editorial changes
#
cwebber aaronpk: I remember it doesn't have any functional changes
#
cwebber tantek: could you give us an update on the test suite
#
cwebber aaronpk: no test suite yet, will work on it in the next 2 weeks
#
aaronpk s/no test suite/no updates on the test suite/
#
cwebber tantek: ok in the issue of moving forward, we're done with websub issues this week
#
cwebber tantek: I think we can re-address this next week with whether to update with CR updates
#
cwebber tantek: that brings us back to AP
#
rhiaro scribenick: rhiaro
#
cwebber https://github.com/w3c/activitypub/issues/196
#
Loqi [annando] #196 How to differentiate between posts and private (direct) messages?
#
rhiaro cwebber: this is a big ... there's been this whole thread about whether to differentiate between posts and direct messages basically
#
rhiaro ... there has been discussion, but not clear progress since last week
#
rhiaro ... sandro what's your current understanding?
#
rhiaro sandro: *remembering*
#
rhiaro ... I think I clarified what the issue was and then other people said what the solutions were... but I'm still confused about them
#
rhiaro tantek: sounds like we need a specific proposal
#
cwebber https://github.com/w3c/activitypub/issues/204
#
Loqi [donpdonp] #204 activitypub profile discovery
#
rhiaro cwebber: this one is shorter, 204
#
rhiaro ... what it sounds like is he wants some sort of way to use a rel link from html to what would be their activitypub profile in activitystreams
#
rhiaro ... I'm not really sure.. the usual way we have this described is that probalby someone's homepage uses content negotiation to grab the activitystreams equivalent of what that page is
#
rhiaro ... we could add rel links to a page but that opens up the question of whether we should also add text to the page about whether you have to do further discovery
#
rhiaro ... feels like it would make it more complicated
#
eprodrom +q
#
Zakim sees eprodrom on the speaker queue
#
rhiaro ... I'm not against having a way to jump from someone' shomepage to their AP profile, but I'm hesitant about having an alternate way for somebody to have their profile linked in addressing or something like that
#
rhiaro ... but I also have not done the most amount of things with rel links of people in this group
#
rhiaro tantek: I think the same reasonsing we used for the security endpoint discovery applies here
#
rhiaro ... if we're not going to have it well defined, we probably should not be adding it
#
rhiaro ... could be done in an extension
#
tantek q?
#
Zakim sees eprodrom on the speaker queue
#
tantek ack eprodrom
#
Zakim sees no one on the speaker queue
#
rhiaro eprodrom: chris, this rel="alternate" is a fine way to do it, I think you should respond and say it's a common way
#
rhiaro ... but that it's usually conneg
#
rhiaro cwebber: do we add something to the spec?
#
rhiaro eprodrom: no
#
rhiaro q+
#
Zakim sees rhiaro on the speaker queue
#
tantek ack rhiaro
#
Zakim sees no one on the speaker queue
#
rhiaro http://w3c-social.github.io/social-web-protocols/#content-representation
#
rhiaro "To make content available as ActivityStreams 2.0 JSON, one could do so directly when requested with an appropriate Accept header (eg. application/activity+json or application/ld+json), or indirectly via a rel="alternate" type="application/activity+json" link . This link could be to a different domain, for third-party services which dynamically generate ActivityStreams 2.0 JSON on behalf of a publisher."
#
cwebber https://github.com/w3c/activitypub/blob/gh-pages/activitypub-tutorial.txt
#
rhiaro cwebber: No more normative issues
#
tantek \o/
#
cwebber https://github.com/w3c/activitypub/blob/gh-pages/activitypub-tutorial.txt
#
rhiaro ... Last week I linked this tutorial with ascii art
#
sandro +1 amazing graphics !
#
rhiaro ... somebody provided amazing vector graphics to replace the ascii art
#
rhiaro ... I'm thinking of putting the tutorial with those graphics at the top of AP as a short introduction to all the concepts
#
rhiaro tantek: this is an editorial change as far as I'm concerned
#
rhiaro cwebber: right
#
eprodrom q?
#
Zakim sees no one on the speaker queue
#
rhiaro tantek: up to rhiaro and sandro to deal with contributor agreement stuff
#
rhiaro cwebber: they just need to indicate that it's okay to be the same copyright
#
rhiaro tantek: congrats with 0 normative issues!
#
rhiaro ... goal to publish new cr next week
#
rhiaro ... Any other items?
#
tantek q?
#
Zakim sees no one on the speaker queue
#
rhiaro ... See you next week, great work
#
cwebber o/
#
eprodrom cwebber, aaronpk : let's stay on the channel
#
aaronpk cwebber: eprodrom: I will brb, need to make another coffee
#
tantek cwebber++ for minuting!
#
Loqi cwebber has 7 karma
#
aaronpk give me like 3 minutes
#
tantek rhiaro++ for minuting
#
Loqi rhiaro has 139 karma in this channel (255 overall)
#
wilkie cwebber++
#
Loqi cwebber has 8 karma
#
eprodrom I'd like to walk through the flows that we might need to execute to get some basic tasks done
#
cwebber eprodrom, sounds good
#
wilkie rhiaro++
#
Loqi slow down!
#
tantek trackbot, end meeting
#
trackbot is ending a teleconference.
#
trackbot Zakim, list attendees
#
Zakim As of this point the attendees have been tantek, aaronpk, ajordan, eprodrom, cwebber, ben_thatmustbeme, csarven, rhiaro, sandro, dmitriz
#
trackbot RRSAgent, please draft minutes
#
RRSAgent I have made the request to generate http://www.w3.org/2017/04/25-social-minutes.html trackbot
#
trackbot RRSAgent, bye
#
RRSAgent I see no action items
#
cwebber eprodrom: it's tricky also because we need to actually put these workflows into the test suite
#
rhiaro dmitriz maybe wants to stick around for auth discussions. dmitriz knows lots about openid connect, eprodrom, cwebber :)
#
cwebber ....
#
dmitriz @eprodrom / @aaronpk / @cwebber — I’d love to join in on the s2s auth conversation (I’ve been implementing s2s auth using oauth2/oidc for the last several months)&
#
cwebber hopes eprodrom reappears
#
rhiaro wow did evan forget
#
tantek aside: cwebber I took a quick look at https://github.com/w3c/activitypub/issues and take your word for it that none of those require normative changes, however it would be good to process as many of those as possible (even for editorial changes to AP) for next week
#
cwebber tantek: there's a lot of them with normative changes, but which we discussed last week and I didn't resolve yet
#
cwebber we came to resolutions
#
cwebber but they weren't incorporated
#
tantek see how close we can get that 23 to 0 as it were for the next CR draft
#
tantek resolutions in the issues at least?
#
cwebber tantek: yes I think I recorded them
#
tantek but not yet incorporated into the draft?
#
tantek ok
#
cwebber yep
#
cwebber tantek: was focusing on the test suite
#
tantek if you could add "commenter satisfied" to the ones where the issue filer was ok with the resolution, that would be great too
#
tantek I think we have a label for that
#
tantek hmm did we lose eprodrom?
#
sandro yes, I just pinged him on fb, too, no answer yet
#
dmitriz i think he said he’s grabbing coffee?
eprodrom joined the channel
#
ajordan dmitriz: that was Aaron I think
#
eprodrom cwebber, aaronpk : are we stepping away for a couple of minutes?
#
cwebber hi eprodrom, welcome back
#
eprodrom thanks
#
tantek cwebber, for next week, I'd say priority 1 is the updated AP CR (with all necessary normative changes and as many editorial changes as possible for open issues), and then priority 2 test suite
#
cwebber tantek: kk
#
cwebber eprodrom: I think aaron was grabbing test suite
#
cwebber er
#
cwebber grabbing coffee
#
cwebber words!
#
eprodrom OK
#
tantek the more solid we can have this updated the CR the better!
#
eprodrom cwebber: I'm going to come right back then
#
tantek yes, all the words :)
#
aaronpk back
#
tantek thanks cwebber
#
ajordan cwebber: if I have some extra time I can go through and send PRs for some of the editorial stuff; would that be helpful?
#
cwebber np, thanks for chairing tantek
#
tantek cwebber, our goal for this next CR is to not have to have another CR with normative changes :)
#
ajordan sorry I missed today, will read the logs
#
cwebber ajordan: yes that'd help, maybe ping me on irc with which ones you're hopping on first so I have a heads up and we don't duplicate efforts?
#
ajordan cwebber: sure
#
ajordan gonna do the Activity Vocabulary reference one right now
#
aaronpk eprodrom: cwebber: what's the goal here for this auth discussion?
#
cwebber aaronpk: I think "don't get the recommendations for what to do with oauth in the security considerations section wrong, even better, give something usable" :)
#
cwebber I also want to leave in the possibility of signatures via LDS or etc, even if not specific
#
cwebber because this is the #1 requested feature from existing federation systems
#
cwebber so we don't have to be specific, I just want to reference it at least
#
cwebber but I guess I don't need others to leave that vague part in there
#
aaronpk is there a particular issue this discussion is happening on already?
#
dmitriz speaking of signatures, I have a general auth question. if the specs are using so many components of oidc (oauth2, discovery, signatures), why not use oidc directly?
#
eprodrom I'd like to step through some of the flows and make sure we can point to OAuth 2.0 specs that deal with them
#
tantek cwebber, if you can leave it orthogonal enough that a separate spec can "plug in" to the AP spec to make this work, that would be ideal
#
tantek (as far as goals go)
#
cwebber tantek: +1
#
eprodrom Nobody has to be part of this and if you'd rather handle it in an issue happy with that, too
#
aaronpk OAuth 2 is really only going to be useful for the client-to-server part, since OAuth is about an application obtaining authorization on behalf of a user
#
tantek (perhaps even more than one spec if there are groups of implementers that are exploring different possibilities, that's ok too - from our perspective for AP)
#
aaronpk Bearer Tokens are used by OAuth 2, and can also be used by ActivityPub
#
eprodrom aaronpk: there's 2-legged authentication too
#
eprodrom At least in 1.0
#
aaronpk eprodrom: that's still client-server tho!
#
eprodrom That's what pump.io depends on
#
tantek ducks out of the OAuth details :)
#
eprodrom aaronpk: fair enough
#
dmitriz oauth2 is very much usable for server to server
#
aaronpk dmitriz: if you're talking about oauth2 bearer tokens then yes sure
#
tantek considers getting some popcorn
#
cwebber dmitriz: we resolved to not be super specific about the auth stuff in this group aside from a general recommendation of bearer tokens given the amount of churn happening
#
dmitriz not just bearer tokens (which I’m generally against, since they’re only one step away from signed id tokens, which are much more secure)
#
eprodrom Damn
#
cwebber dmitriz: so right now the state in AP will be that we're going to recommend loosely a route for auth stuff in activitypub's security considerations section, but it won't be pinned down as normative
#
aaronpk you could also wrangle a way to have the oauth2 authorization process involve users at both ends, but that's not really what it was made for
#
dmitriz but s2s auth is possible if both servers are essentially peer nodes, both identity providers & clients. and dynamically register with each other
#
aaronpk so the security implications of that aren't really well thought through for that use case
#
eprodrom wow
#
eprodrom lot of chatter
#
cwebber yeah
#
aaronpk auth is fun!
#
dmitriz i’m not sure it’s even wrangling, though
#
cwebber eprodrom: ok, I want to hear what pump does
#
eprodrom maybe we could step through the flows? Seems like we're getting way ahead of ourselves here.
#
cwebber yes
#
cwebber +1
#
eprodrom Thanks
#
aaronpk yeah let's start with pump.io
#
eprodrom Great
#
eprodrom ajordan: are you still around? Maybe you can refresh my memory on some of this
#
eprodrom Let's start with a typical client task: posting a new activity
#
ajordan eprodrom: yea
#
ajordan h
#
eprodrom The client only has the identity of the client user
#
ajordan not super familiar with this stuff but I can try :P
#
eprodrom in pump.io that's a webfinger ID like evan@example.com
#
eprodrom but in AP it'd be a URI like https://example.com/evan
#
eprodrom pump.io uses OAuth 1.0
#
ajordan https://github.com/pump-io/pump.io/blob/master/API.md FWIW
#
elensil hey
#
eprodrom So we need an access token to make a post
#
eprodrom ajordan: thanks
#
ajordan sure
#
elensil should I wait the end of your meeting to ask questions :) ?
#
eprodrom So the first step is discovering the oauth 1.0 endpoints: getting a request token, making the authorization request, and then turning the request token into an access token
#
cwebber elensil: yes please, we're having a tricky auth convo
#
ajordan elensil: probably, sorry
#
eprodrom pump.io does this using Host Meta discovery
#
elensil ajordan, that's fine ;)
#
eprodrom It also has a discovery method for getting a client ID
#
aaronpk dynamic client registration?
#
cwebber eprodrom: when pump.io clients continue to communicate with the server, they supply *just* the access token right?
#
eprodrom which it needs for doing the 0auth 1.0 flow
#
eprodrom cwebber: correct
#
cwebber ok
#
eprodrom cwebber: well, mostly
#
eprodrom you need the client id and the access token for OAuth 1.0
#
eprodrom in Oauth 2.0 it's just bearer tokens
#
cwebber right ok
#
aaronpk with oauth 1, you also send a signature which is calculated using the client ID and secret
#
eprodrom Right
#
aaronpk okay, i think we're all on the same page with that now
#
eprodrom So that's the main parts of discovery for pump.io, if you're a client trying to post on behalf of a users
#
cwebber has commentary but will wait until we finish the pump.io workflow
#
eprodrom I think for AP, you could do the same thing starting out with the user ID as an URI
#
eprodrom cwebber: go ahead with the commentary, I'm done on this one
#
eprodrom Otherwise I'd like to step through it for AP
#
cwebber so it's observable in desktop clients on gnu/linux how the oauth 1.0 workflow is kinda painful, and I tried to figure out if it can be less painful for oauth 2.0 and it still looks painful
#
cwebber the initial setup
#
dmitriz which part is painful?
#
cwebber in pump clients, you're basically redirected to a uri where you authorize, and then you have to copy paste back the token you get into your client
#
cwebber when I looked at how it could be done through oauth 2.0, the recommendation seems to be "use a redirect uri parameter"
#
dmitriz oauth2 dynamic registration lifts the need for cutting & pasting
#
aaronpk there is a lot of work in oauth 2 to address this
#
cwebber but, that assumes that either a) you have a web server as a client
#
aaronpk no it doens't, you can redirect to a native app
#
cwebber or b) you have the id to set up custom myapp:// type things
#
cwebber which you don't have on all systems
#
ajordan cwebber: I think the way you're "supposed" to handle that is by popping up a web view in-app or something
#
ajordan but
#
cwebber ajordan: that's also very wonky
#
ajordan exactly
#
cwebber embedding a browser is not great
#
eprodrom So, are we going to fix this?
#
aaronpk we're not going to fix this, there are lots of people working on this
#
eprodrom I feel like this UI discussion is a distraction
#
cwebber ok
#
aaronpk it's a known problem, and plenty of people are working on it
#
ajordan ah sorry, that's my fault
#
aaronpk iOS already shipped a new feature to address it
#
eprodrom Sweet
#
cwebber fwiw I think having a signature direction for auth workflows could actually resolve this
#
cwebber but
#
eprodrom OK, so, the tricky part with this in pump.io is the client registration
#
cwebber that's out of scope of this conversation
#
eprodrom Unlike, say, Twitter, there's not an out-of-band mechanism for getting a client ID
#
aaronpk with oauth2 you don't really need client registration because you don't even need a client secret
#
aaronpk at the point that anyone can register a client with no authentication, there isn't a lot of benefit to having the secret at all
#
eprodrom Right
#
cwebber yeah client secrets don't make sense for FOSS projects anyway
#
cwebber anyone can look at pumpa's source code to find out what its client secret would be
#
dmitriz well wait though
#
eprodrom Well, sorry kids, but they do
#
aaronpk and for client_id, just use a URL!
#
dmitriz for oauth2, you need client secrets for confidential clients
#
eprodrom In this case, for s2s, we use the client id and secret
#
dmitriz (ie, server-side apps).
#
eprodrom That's the 2-legged auth
#
cwebber eprodrom: ok for *server to server*
#
cwebber yes
#
aaronpk we're not talkign about server-to-server right now
#
cwebber for client to server, no
#
aaronpk we're talking about client-to-server
#
eprodrom Fair enough
#
aaronpk we'll get to s2s later
#
dmitriz k.
#
dmitriz client registration is still necessary though
#
eprodrom So, I'm trying to remember how the client registration works in pump.io
#
dmitriz because it’s essentially the only way to verify public clients (read: in-browser apps, desktop apps, etc)
#
eprodrom If I remember correctly we used an early version of 0auth 2.0 client reg
#
aaronpk no, you can use URLs for verifying and identifying
#
dmitriz registration is the way to get those urls
#
ajordan eprodrom: https://openid.net/specs/openid-connect-registration-1_0.html is what's linked to
#
aaronpk and for the few cases where that doesn't work, again it's a known problem and we're not going to solve it faster than the oauth group is
#
eprodrom ajordan: thanks!
#
ajordan np
#
eprodrom for pump.io, we also use dialback authentication
#
eprodrom https://tools.ietf.org/id/draft-prodromou-dialback-00.html
#
Loqi Evan Prodromou
#
eprodrom Basically, it's a way for a server to say "I am this server" and be able to prove it.
#
aaronpk this sounds like s2s again?
#
eprodrom Yes
#
eprodrom But it's the same client registration endpoint
#
eprodrom OK, so I think that's it for C2S
#
eprodrom I think for AP, it should be possible to go from a user's URI to a bearer token
#
eprodrom First, by doing 0auth 2.0 discovery for the endpoints
#
eprodrom I don't remember if a client id is necessary there
#
aaronpk here is oauth2 discovery https://tools.ietf.org/html/draft-ietf-oauth-discovery
#
cwebber eprodrom: what do you mean oauth 2.0 discovery for the dnpointts?
#
cwebber oh
#
dmitriz (this is what we’re doing in solid, fwiw. user’s uri -> token, via discovery)
#
dmitriz (except using oidc discovery, which is basically a slightly more specified version of oauth discovery)
#
eprodrom Do you have to do client registration, too?
#
dmitriz yes
#
dmitriz dynamic registration, if that helps
#
aaronpk fwiw PKCE basically makes client secrets unnecessary, and google has already implemented this https://tools.ietf.org/html/rfc7636
#
eprodrom So, uri -> (optionally client registration) -> (optionally endpoint discovery) -> oauth 2.0 authorization -> token
#
aaronpk it's their solution to avoiding the use of secrets for mobile apps, while still having the security of avoiding common redirect attacks
#
dmitriz so, PKCE is useful, but is often overkill for s2s
#
aaronpk we're talking about c2s right now
#
aaronpk plz
#
aaronpk we'll do s2s later because there's a whole host of different considerations there
#
eprodrom I think we're done talking about c2s
#
dmitriz oh, I thought eprodrom said that was it for c2s
#
eprodrom Is there a part of the flow that isn't specified that we couldn't speak to?
#
dmitriz sorry bout that.
#
aaronpk do we have a plan for how to update this in activitypub then?
#
aaronpk we're not done with c2s until cwebber has a path forward for what needs to change about that section of activitypub :)
#
cwebber so
#
eprodrom I think the only part I'd be concerned about is that if my id uri is https://example.com/evan then the host for oauth discovery would be example.com
#
dmitriz that’s true
#
cwebber we're describing some pretty complicated workflows
#
cwebber and we had talked about watering down that section
#
cwebber now it feels like it's going to actually get way more complex
#
cwebber which, the reality is
#
cwebber the implementation stuff is going to be complex
#
cwebber the question is, where do we put this
#
eprodrom Security notes section
#
eprodrom cwebber: so, what I'm more concerned with is having an unimplementable spec
#
cwebber eprodrom: I'm concerned about this too
#
aaronpk activitypub can say that it uses oauth2 bearer tokens for c2s authentication, and point to the specs evan just linked for how to obtain that
#
dmitriz why unimplementable?
#
eprodrom So let's make sure there's one path through, and that we can describe in about a paragraph how to do this with Oauth 2.0
#
eprodrom aaronpk: that sounds correct to me
#
aaronpk and specifically call this out as client-to-server authentication otherwise it gets conflated with s2s
#
eprodrom The only problem is that some of those oauth 2.0 specs are not yet final
#
dmitriz which ones?
#
eprodrom oauth discovery
#
cwebber eprodrom: this stuff not only needs to be implementable, we actually also need to have it implemented in the test suite... in the next two weeks!
#
eprodrom cwebber: yes
#
dmitriz hmm, that’s odd. I didn’t realize that one was still in draft. fwiw, the OIDC discovery is 1.0, out of draft.
#
eprodrom dmitriz: true
#
cwebber so also, I'm just going to say that as an individual
#
eprodrom We'll need to decide whether to go with one or the other
#
cwebber about 9 months ago I sat down to try to learn how to do these oauth workflows and etc
#
cwebber and I printed out a ton of docs
#
eprodrom OK
#
cwebber and it was one of the worst weeks of my life
#
dmitriz (in fact, the list of authors on the oauth discovery spec is pretty much the same as the oidc discovery. so I think they just moved on.)
#
eprodrom I don't know if this is a fruitful path for this conversation
#
eprodrom Or a good way to use people's time
#
cwebber what I'm saying is
#
cwebber I want to have a single paragraph that describes a workflow
#
eprodrom OK, I will write that paragraph for you
#
cwebber *without* people having to traverse too many other docs finding out the right ways
#
ajordan wait why are we discussing this being in the test suite? I thought we were putting this as a non-normative "this is how you'd _probably_ do this" thing in security considerations?
#
eprodrom Could we move on to S2S?
#
cwebber yes
#
ajordan if I missed something during the meeting I'll shut up
#
eprodrom ajordan: we have to have something in the test suite
#
ajordan okay. I don't get why but it's not important so let's move on
#
eprodrom Could be unauthenticated, could be HTTP basic, could be access token acquired out-of-band
#
eprodrom I'm going to move on to s2s
#
aaronpk i did out-of-band access token for hte micropub test suite
#
ajordan ohh yeah okay I see
#
aaronpk eprodrom: one sec
#
aaronpk just to close on c2s
#
eprodrom So for pump.io we use 2-legged Oauth 1.0 authorization
#
aaronpk you'll write the paragraph for cwebber for that section?
#
eprodrom OK, sure
#
eprodrom Yes
#
aaronpk based on https://chat.indieweb.org/social/2017-04-25/1493138396155000
#
Loqi [eprodrom] So, uri -> (optionally client registration) -> (optionally endpoint discovery) -> oauth 2.0 authorization -> token
#
eprodrom If that's OK with everyone, it seems like the right direction to go
#
aaronpk +1
#
cwebber thank you eprodrom :)
#
eprodrom No problem
#
cwebber +1
#
aaronpk okay great
#
eprodrom So let's go to S2S
#
aaronpk TOPIC: server-to-server authentication
#
eprodrom [12:48] <eprodrom> So for pump.io we use 2-legged Oauth 1.0 authorization
#
eprodrom Let's say a pump.io server needs to deliver an activity to the inbox of a user on another server
#
aaronpk to clarify, that's basically using just the application's credentials right?
#
eprodrom Yes
#
aaronpk no user involved in obtaining a token in that flow
#
eprodrom so, example.net is delivering an activity by evan@example.net to the inbox of jane@example.com on example.com
#
eprodrom aaronpk: it's too hard to do
#
dmitriz what is?
#
aaronpk what? sorry i was just clarifying what 2-legged means
#
cwebber bipedal
#
cwebber (sorry)
#
eprodrom I took the expedient of saying "If it's from example.net, and they say that it's by evan@example.net, it's probably actually by evan@example.net"
#
ajordan cwebber++
#
Loqi cwebber has 9 karma
#
dmitriz are there signatures involved?
#
eprodrom You could make a case for saying, "No, evan@example.net has to authenticate to example.com and the delivery should happen with that token"
#
dmitriz as in, does example.net sign it?
#
eprodrom But that's really tedious
#
eprodrom dmitriz: Oauth 1.0 2-legged authentication
#
aaronpk so there's an implicit trust that example.net can act on behalf of evan@example.net
#
eprodrom So yes
#
eprodrom aaronpk: yes
#
dmitriz it’s tedious, but isn’t it kind of necessary? (for evan to authenticate to example.com) at very least, evan needs to consent to that trust relationship the first time that server is encountered?
#
eprodrom Anyway the flow works kind of like this:
#
eprodrom dmitriz: I think that's asking too much
#
dmitriz go on, re work flow
#
eprodrom If every time someone from somerandomserver.example follows me, I have to go authenticate to their server to allow delivery of activities, that's a big pain
#
dmitriz oh, agreed
#
eprodrom OK, thanks
#
dmitriz I assume you allow that server once.
#
eprodrom So, for delivery, flow goes something like this:
#
eprodrom discovery via hostmeta -> client registration with dialback authentication -> 2-legged Oauth 1.0 authentication for delivery
#
eprodrom I'm a little foggier for what we'd do for AP S2S
#
dmitriz just to be clear, who is authenticating in that last 2-legged step?
#
aaronpk the server
#
aaronpk example.net
#
eprodrom example.net server
#
dmitriz k
#
aaronpk proving that the later request came from it
#
eprodrom Right
#
dmitriz makes sense. what’s the difficulty for s2s for AP?
#
eprodrom Well, I guess we'd do client registration the same way
#
dmitriz yeah!
#
dmitriz the servers just register with each other as clients
#
aaronpk you can do the same client registration step, resulting in a bearer token which is then used when delivering activities
#
eprodrom But
#
eprodrom Is there a callback mechanism in OAuth 2.0 client registration?
#
dmitriz there is
#
aaronpk link?
#
dmitriz one sec
#
eprodrom Or some way of knowing that the client registration came from example.net
#
aaronpk i don't see anything in http://openid.net/specs/openid-connect-registration-1_0.html#RegistrationRequest which is where i'd expect to find it
#
dmitriz ah, well, so, with oidc registration, the callback happens not at registration but at code exchange (getting the access token) step
#
aaronpk oh interesting. where's that documented?
#
dmitriz it’s postponed till that
#
dmitriz should be just in the authorization code workflow
#
dmitriz lemme find link
#
aaronpk sorry there are like a dozen oidc docs so i don't always know where to look
#
dmitriz https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps
#
dmitriz yeah I hear you there
#
dmitriz specifically...
#
aaronpk but that involves a user
#
aaronpk how does it work if there is no user, just a server authenticating?
#
cwebber so
#
cwebber this is why the diaspora and ostatus users from mastodon and etc want signatures I think right?
#
cwebber because if you had a key tied to a user
#
cwebber you could sign the message before shooting it over the wire
#
dmitriz https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse <- callback
#
aaronpk dmitriz: but again that involves a user at a browser
#
cwebber and if the server can look up the user's key once
#
cwebber it can verify posts coming over the wire
#
cwebber and that's already how diaspora does it
#
aaronpk what eprodrom is describing is a server-to-server mechanism for verifying the token request came from the server
#
aaronpk which is pretty clever
#
dmitriz the user at the browser part is not necessary for s2s
#
eprodrom blushes
#
dmitriz and yes, oidc relies on signatures on both sides
#
dmitriz and the key discovery mechanism
#
aaronpk you can't do an HTTP Location redirect without a user
#
dmitriz I think there’s a POST response type also
#
dmitriz but lets step back
#
aaronpk i just don't see anything oidc that provides the same functionality
#
dmitriz what’s the core meta-question? how do the two servers verify each other?
#
aaronpk well there are essentially two different ways that this delivery request can be authenticated.
#
eprodrom dmitriz: yes
#
eprodrom Well, one-way
#
aaronpk either the request includes something that can be used to prove the user created the request themselves, or that can be used to prove the server created the request and then you trust that the user's host can act on behalf of the user
#
eprodrom Presumable example.net already knows that example.com is example.com
#
aaronpk sounds like what pump.io did is the latter, with the dialback verification to establish an access token from server to server
JanKusanagi joined the channel
#
JanKusanagi o/
#
eprodrom JanKusanagi: yo
#
cwebber so, I'm going to wait until this OAuth mechanism is fully described, but I do want to describe one alternate workflow at the end of this
#
ajordan JanKusanagi: heya! logs if you want to read back: https://chat.indieweb.org/social/2017-04-25
#
cwebber but there's productive discussion
#
aaronpk what diaspora did is the former, using a public key in the user's profile to sign the objects so that the receiver doesn't have to worry about whether example.net actually sent that or not
#
cwebber so I don't want to interrupt
#
cwebber okay actually aaronpk just queued me to say it :)
#
cwebber right exactly
#
cwebber so here's a super simple workflow
#
cwebber the linked data signatures route would be:
#
cwebber the user has their public key embedded *in their actor profile*
#
cwebber so a server either has already retrieved that user's profile
#
cwebber or they do so when first seeing the user
#
cwebber when you get a message
#
cwebber the signature is *attached* to the message sent server to server
#
cwebber and whammo, no need to look back and forth for any token things
#
cwebber you just sign messages
#
aaronpk okay now define the mechanism for serializing the JSON to sign ;-)
#
ajordan cwebber: is the assumption that s2s profile lookups are mostly secure then?
#
cwebber aaronpk: already done
#
eprodrom So, I've always liked what Blaine Cook says about security specs
#
aaronpk where?
#
eprodrom Which is, "If you get to public key infrastructure, back up, because you've gone too far."
#
aaronpk eprodrom++
#
Loqi eprodrom has 43 karma in this channel (44 overall)
#
ajordan eprodrom++
#
Loqi eprodrom has 44 karma in this channel (45 overall)
#
cwebber aaronpk: it's part of the LDS spec, it uses normalization of linked data
#
cwebber I really don't agree with this eprodrom
#
cwebber but I know others in the group feel strongly about it
#
cwebber so
#
cwebber I think we should provide the signature-less direction I guess
#
eprodrom I understand
#
cwebber and also provide this other route
#
cwebber I'm willing to implement both
#
dmitriz (ok, found the part in the OIDC spec for client verification)
#
aaronpk heh, linked data signatures links to a 404 for how the json is canonicalized
#
aaronpk https://w3c-dvcg.github.io/ld-signatures/#bib-RDF-DATASET-CANONICALIZATION
#
cwebber aaronpk: it moved
#
aaronpk womp womp
#
cwebber I informed them, they haven't updated the spec
#
aaronpk someone should fix the link
#
cwebber but here it is:
#
dmitriz (it’s sort of hidden in https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata — the client passes its keys (either embedded or as a uri) that the server uses to verify it during registration)
#
dmitriz (if you look at the jwks_uri section “ If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client.”)
#
eprodrom OK
#
cwebber https://json-ld.github.io/normalization/spec/
#
aaronpk cwebber: ? this looks easier to you than token exchanges? (honest question)
#
cwebber aaronpk: looks easier once you have a library that already implements the normalization :)
#
cwebber everything there on out I think is honestly easier
#
cwebber but
#
aaronpk i don't even know what half these words mean in the algorithm section https://json-ld.github.io/normalization/spec/#normalization-algorithm
#
cwebber ok
#
cwebber well
#
aaronpk at least in the context of starting with a JSON document
#
cwebber I'm not going to fight on this, at least we should move forward with a route that works and uses an oauth worklow resembling something like what the world currently uses
#
cwebber I agree that LDS route needs to incubate itself more
#
eprodrom So, I get foggy when I try to understand where LDN fits in here
#
aaronpk LDS, not N :)
#
aaronpk just the signature part
#
aaronpk frankly "just use signatures" falls down pretty quickly here IMIO
#
aaronpk s/IO/O
#
cwebber ok
#
eprodrom well, actually
#
cwebber forget I raised it!
#
eprodrom I meant LDN
#
aaronpk cwebber: i mean if you can tell me how I can sign this example object in a paragraph then i'll reconsider https://www.w3.org/TR/activitypub/#obj
#
ajordan eprodrom: got a one to two minute question for you when we're done with this discussion but don't want to interrupt
#
aaronpk but so far i was linked to a spec that links to a 404 doc for how to normalize the document before even getting to the signing algorithm
#
eprodrom It looks like LDN just punts on AuthC which is fine
#
cwebber aaronpk: the signing algorithm itself is very short once you have it normalized
#
cwebber aaronpk: and in fact it looks like jose will be used
#
aaronpk and now my eyes are bleeding because i don't know what "Run the Hash N-Degree Quads algorithm, passing temporary issuer, and append the result to the hash path list." means in the context of that doc
#
cwebber aaronpk: well, you shouldn't have to, any more than you should have to write an html parser
#
eprodrom So, it seems we're at a bit of an impasse
#
aaronpk well
#
cwebber eprodrom: I guess it was a mistake to bring it up.
#
eprodrom No, it's fine
#
cwebber eprodrom: the LDS direction isn't ready yet, but
#
cwebber eprodrom: this is also something *very specifically* asked for by the Diaspora and Mastodon communities
#
aaronpk it sounds like really the only missing piece for using an analogous mechanism as pump.io is the server-to-server token exchange bit that pump.io uses the dialback for
#
eprodrom cwebber: that doesn't make any sense for Mastodon since they use OStatus
#
aaronpk eprodrom++
#
cwebber eprodrom: they use salmon too, and I think they want to do more along that direction
#
eprodrom aaronpk: I think we're there
#
eprodrom cwebber: right
#
eprodrom OK, so, if I can characterize the discussion so far
#
cwebber I think the best direction is to support the workflow you have described for OAuth, but leave open the signatures direction
#
eprodrom 1) We have a path for C2S, which eprodrom will document for cwebber to include in security considerations
#
cwebber +1
#
eprodrom (Probably with group approval?)
#
tantek perks back up again
#
eprodrom 2) We have a couple of paths for S2S authentication
#
eprodrom UNFORTUNATELY, this happens to be a part of your spec where you don't want to have a lot of options
#
cwebber totally agreed :\
#
eprodrom A user can sit in front of their client and try a couple of different C2S auth mechanisms
#
eprodrom Server implementations won't do that
#
eprodrom It's better to have one
#
eprodrom S2S, that is
#
dmitriz +1
#
eprodrom We don't have to decide today, but we should probably work up a couple of proposals for discussion for the next meeting
#
eprodrom I'd suggest having one mechanism as a SHOULD and mention other mechanisms as a MAY
#
eprodrom cwebber: does that sound about right?
#
tantek any such SHOULD mechanism should have working implementations, or else we're incubating way too late in the game
#
cwebber eprodrom: so you're suggesting we make it normative?
#
tantek (and if it's not normative, then no need to say SHOULD or MAY, just point to stuff)
#
cwebber eprodrom: it could also be a Very Strongly Worded section of the security considerations section :)
#
eprodrom tantek: agreed
#
tantek (trying to reduce risk here)
#
eprodrom cwebber: I think you can just be suggestive for c2s
#
eprodrom But for s2s it just won't work without some bedrock SHOULD
#
cwebber eprodrom: we're going to need to implement like hell to make sure this works enough with a SHOULD
#
eprodrom cwebber: I don't think we have a choice
#
cwebber feels really nervous!
#
cwebber I'm not saying you're wrong, I feel like we're dancing near the edge of a cliff on this though
#
eprodrom I know!
#
aaronpk shipping a spec with no implementations makes me more nervous ;-)
#
eprodrom yeah
#
eprodrom cwebber: we have to implement s2s
#
tantek any way of modularizing that SHOULD into a separable spec?
#
cwebber hey pubstrate implements server to server without any checks right now ;)
#
cwebber isn't that good enough ;)
#
cwebber I'm joking
#
tantek really nervous about putting anything that new (yet to be implemented "like hell") into a CR
#
tantek also is usually a sign that that aspect will reveal *more* normative issues
#
cwebber so
#
cwebber points gun footward
#
tantek (as you implement multiple implementations for the first time and have them bang on each other)
#
eprodrom I guess I just don't know what else to do
#
cwebber we've been having a *lot* of recent activity and interest in activitypub right now
#
cwebber but it's right up to the line
#
tantek if we had another 6 months, even 3, I might speak differently
#
cwebber it feels hard to believe we're going to make this without an extension
#
tantek but we're literally supposed to be fixing normative *details*
#
eprodrom If I were going to move stuff to a different spec, I'd move the whole S2S section with authentication
#
cwebber we have the right level of interest and activity right now
#
cwebber but it's happening all right up near the finish line
#
cwebber and that's not great
#
tantek (given just 2-3 weeks left to do *any* normative updates)
#
aaronpk this is why we had talked about splitting the specs to begin with, because c2s and s2s have very different requirements and considerations, as we are now seeing very clearly
#
tantek cwebber - well the flipside (positive) is:
#
eprodrom aaronpk++
#
Loqi aaronpk has 76 karma in this channel (1295 overall)
#
tantek 1. That level of interest and activity should be directed to the SWICG
#
tantek (would help get more energy in there)
#
aaronpk (speaking of swicg we still need to get cwebber to join it so i can make him a chair in the system)
#
dmitriz see, I dont think the requirements are that different
#
cwebber oops
#
cwebber aaronpk: I'll do that this week
#
cwebber hopefully today even
#
cwebber so
#
cwebber this is literally the one big gaping hole left open in the spec
#
tantek 2. If there is BOTH high level of interest and activity and evidence of something being converged and incubated quickly, that's data to push for possible new charter to cover the scope of those incubations.
#
cwebber what's the shot of an extension? :)
#
cwebber like seriously
#
cwebber we're so close on this stuff
#
cwebber but
#
aaronpk 0 without interest
#
cwebber aaronpk: are you making an accounting joke or are you talking about community interest
#
cwebber because right now I think the community interest level is high
#
aaronpk community interest lol
#
tantek like don't hope for it (especially without more W3C Member participation / positive votes on the CRs/PRS)
#
aaronpk right, if we can't demonstrate community interest we won't get an extension
#
aaronpk how to demonstrate community interest? join swicg!
#
cwebber we have several *existing* federation communities actively talking about implementing activitypub
#
cwebber so
#
tantek aaronpk is right, showing a big spike in SWICG activity would help gives us maybe a fraction of a chance instead of 0
#
cwebber I feel like with 3-6 more months? we'd have activitypub out the door for sure
#
cwebber ok
#
cwebber so are you saying, I should join the SWICG and ask people to join?
#
cwebber but if the SWICG isn't doing anything yet
#
tantek yes absolutely - you're a chair of SWICG!
#
cwebber am I just asking them to fill seats?
#
eprodrom cwebber: can I propose
#
eprodrom That we make sure to publish the c2s part of AP
#
tantek you're asking them to bring the discussion to W3C
#
eprodrom It's the most mature and ready to go
#
cwebber :(
#
eprodrom And let's figure out whether we will also do the s2s
#
eprodrom Again, if we get N implementations, I'm happy to see it happen
#
cwebber I actually think that's a worse plan, becasue it gives a good shot at punting on AP's S2S as being a deliverable of this group
#
cwebber and definitely seems to punt on an extension
#
cwebber and I think AP S2S is the interesting thing
#
tantek also - and I forgot to bring this up on the call - we really should start having perhaps monthly SWICG calls
#
cwebber C2S I think is not as interesting without S2S
#
aaronpk well we can't ship S2S without implementations of it
#
tantek but running SWICG telcons is kinda up to the SWICG co-chairs. AHEM ;)
#
eprodrom cwebber, client-to-server is a huge part of social
#
cwebber aaronpk: but right, we're now at the piont where people ares starting to implement
#
cwebber aaronpk: not sure if you saw
#
cwebber but mastodon got a PR for the outbox
#
aaronpk and C2S is certainly useful without S2S, cause without it, you can at the very least create activitystreams objects on your own server
#
cwebber I'll say that I'm not interested in working on that, because it doesn't tell a useful story
#
eprodrom cwebber: what do you mean?
#
aaronpk cwebber: let's start inviting people to the CG and schedule regular meetings either on IRC or voice, in order to do regular checkins with everyone who is considering or actually implementing AP
#
eprodrom Well, here's where I sit
#
cwebber eprodrom: https://cloud.githubusercontent.com/assets/164785/25296471/bc26a912-26e8-11e7-9803-1b28f1b51f74.png
#
cwebber this is what I mean
#
cwebber eprodrom: this justifies, and makes interesting, the whole inbox/outbox workflow
#
cwebber aaronpk: +1
#
eprodrom So, here's where I stand
#
eprodrom We have a little under a month to get interoperating S2S versions going, under the auspices of this WG
#
eprodrom I think it's possible to do, but we have a lot of hacking to do
#
cwebber and it's probably true that we can do it if we implement the pump.io workflow
#
eprodrom If it's not possible to get those interoperating S2S versions going, I'd very much like to ship the C2S stuff
#
cwebber ok, can I modify that?
#
aaronpk +1 modularity
#
eprodrom Because I've spend about 10 years working with client developers and I can say very conclusively that they find client APIs interesting
#
cwebber If it's not possible to get those interoperating S2S versions going, and we can't get an extension, I'd very much like to ship the C2S stuff
#
cwebber (but, I'm not really excited about that)
#
cwebber I know that C2S is interesting, but it's not why I'm here
#
eprodrom Why not?
#
cwebber and I feel like we're going to blow an opportunity
#
eprodrom OK
#
cwebber I'm not saying I'm opposed
#
eprodrom Well, the opportunity is now to define and implement the S2S part
#
cwebber I'm just not excited
#
eprodrom OK
#
eprodrom Oh, crap
#
eprodrom aaronpk, dmitriz, cwebber : I forgot to talk about one flow
#
aaronpk perks up
#
dmitriz go on
#
eprodrom It's c2s where the end user doesn't have an account on the server
#
tantek perks up
#
tantek onboarding!
#
eprodrom Say, when evan@example.net wants to look at the contents of an object at https://example.com/note/note-by-jane-1
#
ajordan tantek: not onboarding, think "sign in with an account on another server"
#
cwebber eprodrom: (note we do have a workflow for that in the AP spec right now for reading)
#
cwebber but keep going!
#
tantek oh sorry yes
#
ajordan :)
#
eprodrom cwebber: https://www.w3.org/TR/activitypub/#client-to-foreign-oauth ?
#
eprodrom Cool
#
eprodrom With pump.io we use proxies
#
ajordan I think that ends up being painful though? JanKusanagi can comment on that
#
eprodrom So evan@example.net's client requests from example.net to get the content, and then example.net requests the content from example.com
#
dmitriz yeah, this is something i’ve been working on too, the foreign auth
#
eprodrom ajordan: agreed
#
ajordan eprodrom: this is what proxyUrl or whatever is right? I think it's kinda ill-defined too but maybe that's just an implementation detail
#
eprodrom ajordan: right
#
ajordan ok
#
cwebber eprodrom: we have proxy stuff in AP too
#
cwebber https://www.w3.org/TR/activitypub/#proxyUrl
#
JanKusanagi well, in my experience the proxy thing works quite allright, except when there's an "API route" that's not proxied, or the fact that proxy errors don't carry the original error
#
ajordan ah, interesting
#
JanKusanagi also, double server load when you need to download media (say, a big video) through the proxy
#
eprodrom JanKusanagi: yeah, that stinks
#
dmitriz yeah. and the other problem w proxy is for “unattended” server side apps
#
dmitriz the classical oauth2 use case
#
ajordan dmitriz: how so?
#
dmitriz just made harder with more actors in the mix
#
ajordan ah
#
eprodrom cwebber: so, the spec right now says s2s with LDS and/or JWKS
#
eprodrom Again, PKI
#
eprodrom But I'd rather ship with that then have nothing
#
eprodrom s/then/than/
#
cwebber eprodrom: yeah
#
tantek eprodrom including making test suite tests for those? and getting impls to pass them?
#
dmitriz well wait though. there’s two different kinds of PKI. there’s PKI for people, in which case sure, that saying holds true. and then there’s PKI for servers (for oauth2 discovery / oidc). which is an easy, and solved problem
#
cwebber eprodrom: so what I was hoping for out of this
#
cwebber was for you to define the oauth workflow
#
cwebber in a couple paragraphs
#
cwebber maybe a PR?
#
cwebber and then I could implement it over this week
#
cwebber both in the test suite and pubstrate's implementation
#
ajordan dmitriz++
#
Loqi dmitriz has 2 karma
#
cwebber eprodrom: could we do that? That would be moving forward
#
eprodrom Sounds fine-ish
#
cwebber eprodrom: the current state of the test suite and pubstrate is that I've done the C2S, though obviously since I missed an endpoint
#
tantek movingforward++
#
Loqi movingforward has 1 karma
#
cwebber I must have done the workflow wrong
#
cwebber so I'd like to correct it, but I haven't done S2S
#
cwebber so if I could get that in
#
cwebber since pubstrate currently doesn't do any auth (and that's one reason I don't have a public instance up)
#
cwebber and then I can also add it to the test suite
#
cwebber and we can get moving
#
cwebber and as for the LDS, I still uphold that it's interesting, and may be even the right way to go, but it shouldn't hold things back, and obviously bringing it up here is doing so
#
cwebber eprodrom: could you make that an item you can deliver on today or tomorrow?
#
eprodrom cwebber: I think if we can stick with just one kind of JSON signature, we'll be better off
#
cwebber getting a PR with that workflow in the text?
#
cwebber eprodrom: good news
#
cwebber LDS and JWS are converging.
#
cwebber so there's no conflict.
#
eprodrom cwebber: the c2s workflow? ye
#
eprodrom yes
#
cwebber that's my rough understanding
#
cwebber LDS will be probably using JWS, and will instead be how you embed the signature and key on the object
#
cwebber sorta.
#
eprodrom I don't get how JWK works so I don't think I can get it to you today or tomorrw
#
cwebber eprodrom: ok, well you described a workflow today though
#
cwebber do you think that workflow is worth putting down?
#
cwebber into spectext?
#
eprodrom Yes
#
cwebber and is it understood enough to be sufficient/implementable?
#
cwebber sweet
#
cwebber eprodrom: then get a PR for that too!
#
dmitriz (this is the single coolest thing I’ve learned today, that JWS and LDS are converging)
#
eprodrom I think so
#
cwebber dmitriz: that's my understanding, don't quote it as definitive
#
eprodrom cwebber: could you explain to me how the S2S signature system works?
#
dmitriz no worries. I just thought the LDS crowd was thoroughly opposed
#
eprodrom Don't you have replay problems?
#
dmitriz I’m happy to explain, too
#
eprodrom I guess that's always a problem with bearer tokens too
#
dmitriz it is. which is why I wanted to ask why the insistence on bearer tokens, for many of these specs
#
cwebber eprodrom: https://w3c-dvcg.github.io/ld-signatures/#dfn-nonce
#
eprodrom Developers like bearer tokens
#
dmitriz and the solution is fairly simple (if not always easy in the details). which is to have an audience property in the token.
#
dmitriz which is the route OIDC took. (and Facebook’s oauth2 implementation)
#
eprodrom OK, I have to go
#
cwebber dmitriz: I wonder if OIDC's use of signatures and linked data signatures' use of signatures aren't too different in the path they take
#
cwebber not in implementation
#
cwebber but for the direction they're used for
#
dmitriz I think they’re very similar. (I’d need to look again at the LDS spec)
#
cwebber eprodrom: ok, please get those PRs up there
#
ajordan eprodrom: see ya
#
cwebber eprodrom: thanks for taking the time, and to everyone else who did too :)
#
dmitriz from what I understood from talking to Manu & crowd, LDS considered JWS but rejected it initally due to a very specific constraint. (having to do with being able to index JWKs in databases, etc)
#
ajordan I'll email you what I was going to say since you're out of time
#
ajordan also about an AP sprint
#
eprodrom ajordan: just hit me now, I'm still here
#
ajordan eprodrom: https://github.com/pump-io/pump.io/issues/1285
#
Loqi [strugee] #1285 Resubmit Dialback authentication IETF draft
#
ajordan worth pursuing?
#
eprodrom Prrrrobably?
#
ajordan ok, I'll leave it open in that case
#
eprodrom Not for a little while
#
ajordan we can revisit when things aren't so hectic
#
eprodrom Right
#
ajordan cool, that was all
#
eprodrom It's very host-meta/webfinger-centric
#
ajordan ok
#
eprodrom Cool
#
ajordan thanks! see ya
#
cwebber eprodrom: brief PM before you vanish
#
cwebber sent!
#
ajordan cwebber: https://www.w3.org/community/swicg/ to sign up for the SWICG btw. it's just a button
#
Loqi Call for Participation in Social Web Incubator Community Group W3C Team | Posted on: November 18, 2016 The Social Web Incu...
#
cwebber oh right
#
aaronpk the hardest part of joining the swicg is setting up the w3c account but you've already done that :)
#
ajordan :P
#
ajordan true
#
aaronpk no profile photo cwebber?
#
cwebber aaronpk: I'll add one :)
#
ajordan oh btw aaronpk how long does it take for profile pictures, etc. to show up on IndieWeb IRC logs?
#
aaronpk should be 5 minutes
#
ajordan ah
#
ajordan clearly I did something wrong then
#
aaronpk I don't see you on https://www.w3.org/wiki/Irc-people
#
aaronpk cwebber: you are now a chair!
#
cwebber aaronpk: wow, so easy! why'd I put it off so long :)
#
aaronpk :)
#
cwebber oh now I remember
#
cwebber I made the mistake of trying to sign up as an individual before
#
cwebber when I should have just clicked [X] on mediagoblin
#
cwebber since I run it :P
#
cwebber and then there was a process snafu. but I could have just resubmitted
#
cwebber oops!
#
cwebber aaronpk: happy to be co-chair with you, should be fun :)
#
ajordan aaronpk: whoops, wasn't alphabetical since I changed it. I'm there though
#
aaronpk haha k. let me check to make sure the cron job is working :)
#
Loqi hehe
#
aaronpk oh! i forgot to make the chat.indieweb.org logs use the w3c user list
#
aaronpk you're on https://socialwg.indiewebcamp.com/irc/social/2017-04-25#bottom now tho
#
elensil hi guys
#
elensil I'm the author of Movim an open and decentralized social network fully build on XMPP
#
elensil I'm also part of the XSF and I'm interested to know more about your work done here
#
elensil to also see if we can work together (the XSF and the SocialWG)
#
ajordan lol neat
#
ajordan thanks aaronpk!
#
ajordan elensil: heya!
#
cwebber heya elensil :D
#
cwebber elensil: sorry we were so wrapped up in meeting for so long
#
cwebber elensil: that sounds great; I am a big XMPP fan :)
#
ajordan same
#
elensil did you already had a look at XMPP, especially Pubsub and related XEPs ?
#
cwebber elensil: I've read them in the past yes
#
cwebber elensil: so, the status of the SocialWG is we are wrapping up some specs already in process
#
cwebber elensil: but, we have a social community group that will also be more broadly about the topic of federation
#
cwebber elensil: it would be great to have you part of that
#
cwebber https://www.w3.org/community/swicg/
#
Loqi Call for Participation in Social Web Incubator Community Group W3C Team | Posted on: November 18, 2016 The Social Web Incu...
#
elensil I have a couple of issues here
#
elensil first it looks like you are working on Social protocols that are really bound to the web standards
#
Zakim excuses himself; his presence no longer seems to be needed
#
elensil JSON/HTTP …
#
cwebber elensil: yup
#
cwebber that's true :)
#
Loqi yeah who invited you anyway Zakim
#
aaronpk this is the social *web* working group after all :)
#
dmitriz cwebber: as far as the mailing lists for the community group - which one of the 3 is the main one? (worth joining,e tc)
#
elensil so I'd like to know where we can fit together, XMPP is TCP/real-time/XML :D
#
aaronpk i thought i had systems remove the mailing list link. we don't use the mailing list
#
aaronpk i will ask again
#
dmitriz np
#
dmitriz elensil: it would be interesting to discuss/specify how the various XEPs would interop with the corresponding web protocols. like the XMPP Pubsub vs Websub. etc.
#
dmitriz how to bridge between the two
#
elensil yeah
#
cwebber I think bridging would be the most useful
#
cwebber elensil: I think the XMPP group has already has its own groups to incubate its federation XEPs
#
cwebber and our group is specifically about web stuff
#
cwebber but, bridges are good
#
elensil the first thin would be to define common URI, all your protocols seems to be defined using hrefs
#
cwebber so maybe that would be a good role for you in the CG elensil ?
#
elensil in XMPP we have uri="xmpp:" or uri="http://…"
#
dmitriz so if there’s no mailing list for the CG, where does the discussion take place?
#
aaronpk here, and github
#
elensil I also invite you to join xsf@muc.xmpp.org :)
#
aaronpk we have https://github.com/swicg/general and can also make new repos if we start having more focused projects/specs/docs
#
dmitriz aaronpk: got it, thanks.
#
Loqi [swicg] general: General issue tracker for the group
#
elensil there is big discussions at the moment on MIX, the Pubsub on steroids
#
elensil https://xmpp.org/extensions/xep-0369.html
#
cwebber elensil: I joined
#
cwebber elensil: however I think we will remain a focused on web-type-technologies group
#
cwebber but, as said
#
cwebber bridging is good
#
elensil yes, but I trully think that we are solving similar issues
#
cwebber the eternal problem, federating federations :)
#
elensil basically what is changing is the support (XML/JSON and TCP/HTTP)
#
cwebber elensil: though some caution, the "so close but not quite" dream often ends up not being close enough to merge
#
cwebber as even this WG has seen ;)
#
cwebber I wish that weren't true though
#
tantek waits for cwebber to eventually propose an interfederation protocol in 2018
#
cwebber tantek: :)
#
tantek then we can all talk about joining the "interfed" ;)
#
cwebber tantek: the Meta Federation Protocol
#
tantek cwebber, it's the internet, not the metanet ;)
#
cwebber likes the Meta Object Protocol, so...
#
cwebber ah
#
cwebber yeah
#
dmitriz wow. sign me up.
#
dmitriz :)
#
tantek Next telcon agenda is up: https://www.w3.org/wiki/Socialwg/2017-05-02 (and even stubbed 2017-05-09 while at it). Please add anything we missed this week.
#
cwebber runs rhiaro's tool https://www.w3.org/wiki/Socialwg/2017-04-25-minutes
#
tantek BTW at this point I'm not expecting that we'll organize a f2f anytime soon, even for the SWICG
#
tantek however I think a summer SWICG f2f could be interesting, something for aaronpk and cwebber to think about
#
tantek (after charter end)
#
aaronpk Summer is soon!
#
tantek also if anyone can make it to Portland, IndieWeb Summit is June 24-25
#
tantek lastly, TPAC 2017 is November 6-10 in Burlingame, CA (near SFO), and that's a good (likely) candidate for a SWICG f2f as well, since TPACs now have rooms set aside for CG f2f meetings.
#
tantek all those dates, details, links here: https://www.w3.org/wiki/Socialwg#Future_Meetings
#
ajordan oooo I can probably make it to the Summit this year
#
ajordan dunno about TPAC. I'll be in college then
#
ajordan s/then/by then/
#
tantek great!
#
ajordan \o/
#
ajordan hey, do we close issues that we know are for sure postponed?
#
ajordan sandro, cwebber: ^^^
timbl joined the channel
#
Loqi Aaronpk made 1 edit to [[Socialwg/2017-04-18-minutes]] https://www.w3.org/wiki/index.php?diff=102844&oldid=102572
#
Loqi Tantekelik made 1 edit to [[Socialwg/2017-04-25]] https://www.w3.org/wiki/index.php?diff=102851&oldid=102590
#
Loqi Tantekelik made 2 edits to [[Socialwg/2017-05-02]] https://www.w3.org/wiki/index.php?diff=102854&oldid=0
#
Loqi Tantekelik made 1 edit to [[Socialwg/2017-05-09]] https://www.w3.org/wiki/index.php?diff=102853&oldid=0
#
Loqi Tantekelik made 1 edit to [[Socialwg]] https://www.w3.org/wiki/index.php?diff=102856&oldid=102580
#
Loqi Cwebber2 made 1 edit to [[Socialwg/2017-04-25-minutes]] https://www.w3.org/wiki/index.php?diff=102855&oldid=0
#
ajordan cwebber: sent ~5 PRs to pick off editorial low-hanging fruit
#
cwebber wow nice, thx ajordan
#
ajordan sure thing
#
ajordan I'm picking off normative ones now
#
cwebber ajordan: regarding closing issues btw
#
ajordan can't get through all of them since for some I'm not familiar enough but
#
ajordan yeah?
#
cwebber ajordan: we need to either have satisfied the poster or get consensus from the group before closing an issue
#
cwebber in general
#
ajordan ok
#
ajordan so in particular I'm looking at https://github.com/w3c/activitypub/issues/188 which I think we resolved last week on the telecon?
#
Loqi [astronouth7303] #188 Revision ID?
#
ajordan didn't we say that timestamps were good enough and that something more precise could be revisited in an extension?
#
ajordan might be misremembering though
#
cwebber https://socialwg.indiewebcamp.com/irc/social/2017-04-18#t1492532287320 convo from last week
#
cwebber hm
#
Loqi [cwebber] https://github.com/w3c/activitypub/issues/188
#
cwebber I thoguht I started to reply to this one
#
cwebber oh
#
cwebber we were going to put it on the agenda for this week :P
#
cwebber oops
#
ajordan lol whoops
#
cwebber what we said resolving it didn't get logged if we had something apparently
#
cwebber I don't see anything in the minutes re: that one
#
ajordan from last week?
#
cwebber yeah
#
cwebber I mean, concluding it or etc
#
ajordan ah ok
#
ajordan guess we'll have to put it on next week's agenda?
#
cwebber I guess so
timbl joined the channel
#
ajordan ok, put a significant dent in the open issue count
#
ajordan \o/
#
ajordan hopefully that reduces your workload cwebber <3
#
cwebber thank you ajordan :)
#
cwebber it's greatly appreciated
#
cwebber ajordan++
#
Loqi ajordan has 1 karma
#
ajordan sure thing.
#
ajordan lol I wish I could associate my other nickname with this one in Loqi
elensil joined the channel
#
JanKusanagi ajordan++
#
Loqi ajordan has 2 karma
#
ajordan lol thx JanKusanagi
#
JanKusanagi the least I could do =)