#social 2017-05-20

2017-05-20 UTC
# 00:22 
astronouth7303 so, my opinion is that we pretty much need http signatures for S2S authentication
# 00:22 
astronouth7303 i think user-level authentication will just provide a false sense of security. In s2s, the server can choose any of its users to be.
# 00:23 
astronouth7303 and the keys a provider signs with need to be independently discoverable
# 01:04 
sandro Hm, that's 4am here, but I'll try to join later.
# 01:06 
saranix astronouth7303: that sounds like what we have now. I don't know what http signatures means though.
# 01:07 
astronouth7303 saranix: it's an IETF-track spec for applying cryptographic signatures to HTTP requests/responses
# 01:08 
saranix like a header?
# 01:08 
astronouth7303 if the signing key is publically discoverable (DNS, well-known URL), then you can verify that the S2S request you're getting came from a provider, and you have proof it's the provider they say they are
# 01:09 
saranix is the purpose to remove reliance on TLS server cert?
# 01:09 
astronouth7303 no, it's to verify the requestor; TLS verifies the server
# 01:10 
saranix oh. that would be convenient
# 01:10 
astronouth7303 (reference: https://tools.ietf.org/html/draft-cavage-http-signatures-06 )
# 01:11 
astronouth7303 so when another server submits an activity, or requests private data, or w/e, you _know_ what provider is making the request
# 01:14 
saranix it's kind of ok for server-server stuff. great as a replacement to oauth for sure, but specifically for social, I see it as being mostly useful for the client. If only we could get browsers to send these. It would replace magic-auth like zot with something much cleaner. We've been waiting for some time for this.
# 01:15 
astronouth7303 oh! i've been really concerned about S2S (because that's how you get federation), but yeah
# 01:15 
astronouth7303 the trick with C2S signatures is key registration
# 01:17 
saranix I think I might play with using this in an api I'm about to write. I hate oauth.
# 01:18 
astronouth7303 i think oauth works pretty well for browser-based stuff
# 01:18 
astronouth7303 but for native clients, it sucks
# 01:23 
saranix funny thing is this draft is 1000 times simpler than everything similar that already exists. and not in a bad way. It's only as complicated as it needs to be, unlike the rest...
# 01:24 
astronouth7303 the signatures draft? I haven't had a chance to look in to it in detail yet.
# 01:24 
astronouth7303 my biggest concern is key discovery
# 01:25 
saranix long term sure... for now patching together key discovery methods from the 5 or so biggest federations isn't that much of a chore
# 01:25 
astronouth7303 you just have to make sure key discovery is independent of the request
# 01:25 
saranix yeah that sucks
# 01:26 
astronouth7303 it's something you can look up independently, given only a provider (host name?)
# 01:27 
saranix webfinger? I know it's not perfect, but I'm not sure what you're getting at
# 01:27 
astronouth7303 maybe? could be tied in to it? depends on how much webfinger is a thing
# 01:28 
saranix well from a simple standpoint, zot uses zot-info@hostname (and also [system]@hostname), meanwhile diaspora uses something like host-info@hostname, IIRC
# 01:29 
saranix can't remember why I started the sentence that way. ignore everything before the comma because I have no idea what it means :-)
# 01:29 
saranix it's friggin hot here
# 01:32 
astronouth7303 well, there could also be http[s]://hostname/.well-known/activity-pub.pem (or w/e)
# 01:34 
saranix the whole .well-known thing is a very hastily hacked thing that needs to be revamped IMHO
# 01:34 
astronouth7303 i mean, that's basically how robots.txt and favicon work
# 01:35 
astronouth7303 i'd also be a fan of putting the key in a DNS TXT record (somehow)
# 01:36 
saranix another junk drawer, but somehow preferrable. Actually SRV makes more sense to me
# 01:36 
saranix or something new
# 01:36 
saranix RSA
# 01:36 
saranix dunno
# 01:36 
astronouth7303 can't put a key in a SRV record?
# 01:36 
sandro Have you seen webfist?   It brilliantly leverages the key already in the DNS records for spam control
# 01:37 
astronouth7303 also, good luck getting the IETF on board with another record type
# 01:37 
saranix well the other problem with that is at least https has MITM protection, DNS does not
# 01:37 
sandro astronouth7303, .well-known is a lot of things, but hastily hacked it is not.  It was argued for many many many years, what to do about robots.txt and favicon.
# 01:38 
astronouth7303 blames saranix for that comment
# 01:38 
saranix yeah that was me, I stand by it though :-)
# 01:38 
sandro oops, yes, sorry, that was saranix :-)
# 01:38 
astronouth7303 hastily points fingers
# 01:38 
astronouth7303 (maybe webfingers?)
# 01:38 
saranix chortles
# 01:38 
sandro I'll happily agree it *looks* hastily put together, but I remember people arguing about for years on end.
# 01:40 
astronouth7303 i suspect there's a lot of pointless arguing at w3c
# 01:41 
saranix well, perhaps it's the wrong characterization. I was trying to get at the arbitraryness. It doesn't seem reflective of inherent properties or any sort of decades of learned wisdom.
# 01:41 
sandro yes, but perhaps less than most other places  :-)
# 01:42 
sandro yeah, everyone agrees .well-known is totally an ugly hack, they just couldn't come up with anything else that worked nearly as well.
# 01:42 
saranix not saying I could do better than .well-known, it just feels like a hack to me
# 01:42 
saranix yeah
# 01:48 
sandro posts new swicg issue that's been preoccupying him today: https://github.com/swicg/general/issues/4
# 01:48 
Loqi [sandhawke] #4 Forwarding
# 01:49 
saranix you know what might make more sense? although equally unpracticle... adding a special field to the servers x509...
# 01:53 
saranix hmm.. my protocol has something like this called "tombstoning". It isn't at the server level though, only the identity level. Server level would be good though. Just hadn't gotten that far...
# 01:57 
saranix the way I handle it, currently, is just with HTTP. 301 Forwarding for a time period, then 410 Gone for another time period, after which point the ID becomes reusable.
# 02:03 
saranix actually I refer to this as tombstone period, retirement period, and rebirth period
# 02:03 
sandro Yeah, first cut 301 is fine.   There are hard bits, though, like you need each post forwarded to the right place, and webfinger
# 02:03 
sandro I think it's wrong, as I write there, to every turn off a URL that someone might come looking for in 10, 20, 30 years.
# 02:04 
saranix it all comes down to who pays for 30 years of storage and retrieval... wrong? nah.
# 02:05 
saranix it's up to the linker to make sure to follow redirects and keep their links accurate
# 02:07 
sandro As I say, sometimes these links are in archival storage, or on paper, or in email.
# 02:07 
saranix not as if the web is resilient to that without social
# 02:07 
sandro And I think it's one line per user in an nginx file.   Really, really tiny server.  No storage needed, if done right.
# 02:07 
saranix and any proper archive should still regularly cron to keep redirects up to date
# 02:08 
sandro Well, twitter and facebook *are* remarkably stable in that regard.   And we don't have to give that up.
# 02:08 
saranix haha yeah right
# 02:08 
Loqi ahaha
# 02:09 
saranix I hope stupid useless evil crap like twitter and facebook aren't around in 30 years
# 02:09 
saranix I sure as hell hope the dossier facebook collected on me without my permission is gone by then
# 02:12 
sandro I have various bookmarks and notes of URLs.  The earliest twitter one is from 2010 and still works.  No matter what you think of Twitter, that's a really good thing for the web and the people who use it.
# 02:13 
sandro https://twitter.com/fabien_gandon/status/13083071358 if you're curious
# 02:13 
Loqi [@fabien_gandon] Linked Data Tables: publishing RDF using WYSIWYG HTML http://bit.ly/8Xvx1F Sandro Hawke @sandhawke  #lod #www2010 #w3ctrack
# 02:13 
saranix just threw up a little
# 02:14 
saranix "good thing for the web" *retch*
# 02:14 
saranix does that bit.ly link still work? I refuse to click on either twitter.com links or bit.ly links to check
# 02:18 
sandro Yes, the bit.ly link was slow but still worked.   It went to a domain that I have since stopped paying for.    So Twitter and Bit.ly did the right thing, in terms of keeping the Web working (Cool URLs and all that), but I failed.  :-)
# 05:14 
astronouth7303 i don't think it's reasonable to keep per-object redirects for an entire provider
# 05:14 
astronouth7303 (there's no guarantees the target provider uses the same URL scheme as you)
# 05:14 
astronouth7303 and i think you're severely overestimating the amount of data even failed services have
# 06:31 
saranix yeah. For my service, the user has an option: static url redirect (e.g. host.example/user/foo/anything redirects to newhost.example/home/foo), or, same path redir (from.example/foo/bar -> to.example/foo/bar), or, in some custom cases, I'll allow a regex. But I'm really nice to my customers. I wouldn't expect that to be mandatory for a spec. :-)
# 06:33 
saranix and I don't guarantee that a specific post url won't end up with 404. If it's been deleted and I don't know the author anymore, I can't redirect tombstone.
# 07:52 
aaronpk the IndieWebCamp Nürnberg livestream will begin shortly! https://indieweb.org/live
KevinMarks_ joined the channel
# 12:45 
@danbri @robinberjon https://www.w3.org/TR/activitystreams-core/#example-3 is also somewhat related (twitter.com/_/status/865910518136963072)
KevinMarks and tcit joined the channel