#social 2017-07-17

2017-07-17 UTC
#
cwebber2 it looks right ajordan
#
cwebber2 [15:33]--[19:01]
#
cwebber2 that was how long that discussion today was
#
cwebber2 3.5 hours
#
cwebber2 nonetheless, I think we got some solid outputs out of it. whew!
#
ajordan cwebber2: sweet
#
ajordan lol my estimate was 4 hours
#
ajordan which would've meant we got a solid one bullet point in that summary done for every hour :'D
#
cwebber2 lol
saranix joined the channel
#
saranix in order for a AP client to be a useful thing, the client needs to be
#
saranix ...able to tell the server a max page size, and also you SHOULD be
#
saranix ... allowed to request an alternate order. I especially think " A
#
saranix ...property which changes regularly, such a "last updated" timestamp,
#
saranix ...should not be used. " is misguided. Some people would definitely want
#
saranix ...their stream order like that, and more than that, the client should
#
saranix ... be able to choose which field it is sorted by *and* also the depth of
#
saranix ...expansion
#
saranix hmm https://www.w3.org/TR/ldp-paging/ extends the Prefer (RFC7240) header... but the props they use don't easily transfer
#
Loqi [Steve Speicher] Linked Data Platform Paging 1.0
#
saranix max-member-count I support
#
saranix *suppose
#
saranix ahh ldp:pageSortCriterion
#
saranix nah that's only informative server to client
#
saranix so need to add sort-field and max-sub-expansion to Prefer.... If I start doing this in my implementation any chance others will copy?
#
ajordan saranix: I definitely agree with you that the client should be able to specify those things
#
ajordan however I strongly feel that they should be in an extension
#
ajordan the core spec should define how to get the data. extensions can refine and expand the capabilities available to clients
#
saranix I think this falls under getting the data... some clients may not be able to download the entire 4GB inbox in one GET (which the spec allows for)
#
ajordan so I think that https://w3c.github.io/activitypub/#collections (I'm assuming that's what you're referring to?) should stay the same. better to present a stable interface that doesn't change all the time and let the client opt-in to less stable sorting, like a last modified field
#
ajordan saranix: re: 4GB inbox are you talking specifically about the page size issue now?
#
saranix yes... but I also disagree about ordering
#
saranix I think the server should say which field it is ordering by, and the client can request an alternate field but is free to ignore the client's preference
#
ajordan I just don't think that's important enough to be in the core spec
#
saranix without specifying, 4GB inboxes are possible, completely unpaged is allowed, and any page size is allowed, the server can do whatever and the client is just supposed to be able to handle it... I think that's way too open-ended
#
ajordan okay wait stop
#
ajordan we're talking about two different issues here
#
ajordan that are largely unrelated
#
ajordan can we address *just* collection size first?
#
saranix ok
#
ajordan so this (speaking for just myself and not cwebber2 or the WG, obviously) I think is a legit concern
#
ajordan and wasn't what I was referring to with my importance remark above :)
#
ajordan while it's technically possible I think it won't be a big deal in practice
#
ajordan no legitimate implementation will send 4GB inboxes I feel
#
ajordan but maybe we should do it just in case? I'll raise an issue
#
ajordan saranix: mind if I copy and paste some of your IRC remarks onto GitHub?
#
saranix go for it
#
ajordan neat
#
saranix note: https://w3c.github.io/activitypub/#collections does not specify an order, ActivityPub does
#
saranix crap...wrong link
#
saranix ignore me
#
saranix https://www.w3.org/TR/activitystreams-core/#collections and ActivityPub makes it a thing, which I think is a mistake
#
saranix it says MUST be in a certain order... as far as stable spec goes, does it break anyone's impl if it's changed to unspecified defaults to XXX instead?
#
ajordan https://github.com/w3c/activitypub/issues/246
#
Loqi [strugee] #246 Limit Collection page sizes somehow?
#
ajordan saranix: I think you might be conflating Collections and OrderedCollections?
#
ajordan all ActivityPub says is that when something is specified as an OrderedCollection the method used to order the collection should be reverse-chronological
#
saranix yes but it also denies that last modified is a legitimate chronological
#
saranix as a note
#
ajordan yes
#
ajordan hmm
#
saranix I don't think that's way too implementation specific actually
#
saranix *do
#
saranix that's why I advocate that the server tells specifically which field it sorted by, if it doesn't specify, one can assume backwards compatibility, then of course there is the Prefer request
#
ajordan but if you leave it open to implementations the interface will be inconsistent
#
ajordan unless we change the spec clients won't be able to tell how things are sorted
#
saranix huh?
#
ajordan we could do that but at that point I feel like we're creating too much variance that clients are forced to deal with
#
ajordan the C2S interface that is
#
saranix Right now you're forcing an implementation that thinks of chronology a certain specific way....
#
ajordan and by "it" I mean the property that's sorted on
#
saranix If a client wants to sort by last modified, they have to fetch the entire collection to look for new ones... no matter what... if they are not allowed to choose
#
ajordan but you could make the same argument for the existing behavior
#
saranix same argument how?
#
saranix my solution provides backwards compatibility
#
ajordan with what?
#
saranix the de jure default
#
ajordan no it doesn't
#
ajordan because if we loosen that section any client that assumes that servers will sort using what's in the spec today will get unexpected results when a server sorts by a "last modified" field
#
saranix how so? A client that doesn't request a sort order should be treated the same as one that expects the "old" sort order
#
saranix the server will not sort by the last modified field unless asked by the client
#
ajordan I'd like to make clear again that I definitely think we should have some way for the client to specify sort order
#
ajordan but in an extension
#
ajordan not the core specification
#
ajordan and what you're saying makes a lot of sense for that
#
saranix and I suppose you think collapsing should be an extension too?
#
ajordan in fact there are some things related to this on https://www.w3.org/wiki/ActivityPub_extensions#Possible_future_extensions (see "inbox search" at the bottom)
#
ajordan define collapsing
#
saranix max-depth for object nesting, before using type:Link instead
#
ajordan also another note, I feel like I've been speaking like I have the authority to decide what goes into the spec, which I certainly do not :)
#
saranix you have :)
#
ajordan lol sorry
#
saranix are you working on an AP impl?
#
ajordan I maintain pump.io
#
saranix does it have AP?
#
ajordan not yet, it's been on my list of things to do and I've been doing a positively dismal job doing it tbh
#
ajordan it will soon though
#
saranix lol... no worries... just looking for servers to test with
#
saranix not that I'm ready yet either... almost though
#
ajordan AP is very, very similar to pump.io's protocol though because it started out as a formalization of pump.io's protocol
#
ajordan and then evolved from there
#
ajordan also re: Links
#
ajordan a Link to an object is apparently very different from a nested object
#
ajordan personally I don't get it but
#
ajordan https://github.com/w3c/activitystreams/issues/364
#
Loqi [strugee] #364 Unclear on why direct Object relationships (vs. Links) are useful
#
ajordan max-depth for object nesting seems to be the same kind of usecase as the page size thing
#
ajordan smart servers won't do stuff that overwhelms the client
#
ajordan saranix: I guess the problem here is that a fully expanded object is much bigger than just a URL to that object, so if the server recurses through these things too aggresively the size of the response can balloon?
#
ajordan does that make sense to you?
#
ajordan crap I'm doing the thing again sorry
#
ajordan https://github.com/w3c/activitypub/issues/246#issuecomment-315655552
#
Loqi [strugee] Something similar applies for object recursion - a full object is obviously much bigger than a URL to an object so if the server is too aggressive about recursing through objects, the response size can balloon. We've _kind of_ already raised this in ...
#
saranix What do you think about this extension { type:Create, object:{Note}, target:{Collection} } ... sound reasonable?
#
saranix unrelated to other stuff we were talking about
#
saranix What I'm thinking, is if an actor has an number of Streams listed on their actor obj, that a party might want to post directly to one of those collections... not quite sure how to request or convey permission though... maybe an Invite to the Collection? hrm...
#
ajordan the goal being to avoid an additional round-trip to the server to Create and _then_ Add?
#
saranix since AP only has follow/following, what is the equiv of "post to XXX wall"? To:X, X-followers-collection? how does a person know if they have permission?
#
ajordan that's a good question actually
#
saranix All my q are good :-)
#
ajordan true :)
#
ajordan it seems like the way to do that would be to extend Collections to have access control for writes?
#
saranix I didn't know about Add... How does one know if they are allowed to Add?
#
ajordan and then you would just do Create and Add, business as usual
#
ajordan saranix: I believe the status quo is just "if it's *your* collection"
#
ajordan I'll raise a GitHub issue... lollll
#
saranix The problem with Create then Add is it leaves the object out their in general and not confined to only the collection
#
saranix there
#
saranix but if you target the collection then it only goes there
#
saranix There is an example in AS2 for MOVE using target in this fashion
#
ajordan oh interesting
#
saranix https://www.w3.org/TR/activitystreams-vocabulary/#origin-target
#
ajordan so Create + Move maybe is the way to go?
#
saranix Why not Create right to it?
#
saranix Move kinda has a from
#
ajordan because then you're abusing Create
#
ajordan abusing/overloading
#
ajordan at least IMO
#
saranix Add uses target
#
saranix Create inherits properties from Activity, Activity contains target, it's not an abuse
#
saranix looks like it's not even an extension now that I'm reading...
#
saranix Completely new question... is there anything for the "read/unread" semantic like email inboxes?
#
ajordan hmm, interesting
#
ajordan AFAIK there's nothing for read/unread but I haven't thought about it a lot so I could easily be wrong
#
ajordan https://github.com/swicg/general/issues/13
#
Loqi [strugee] #13 Adding objects to someone else's collection
#
ajordan that captures *part* of what we've been discussing
#
saranix https://www.w3.org/TR/activitystreams-vocabulary/#dfn-read but doesn't say that it changes the representation when fetching to indicate it changed status or is part of a ReadCollection or anything like that....
#
saranix seems like it is more meant as a Read notify to the sender
#
saranix like a return-receipt
#
saranix or not even, the example show Sally reading a random blog post... just telling the world Today-I-Read
#
ajordan shrugs
#
ajordan I'll have to leave to go to dinner very soon
#
ajordan also because tbh my brain is about to explode from all the AP stuff :D
#
saranix lol ok
#
saranix I can't let it go... I'm in the zone :-)
#
ajordan saranix: you gooooo! \o/
#
saranix For access control I've settled on (so far): { @context: ["https://www.w3.org/ns/activitystreams", {acl: "http://www.w3.org/ns/auth/acl"} ], Type:Person, streams: [ { type:Collection, "acl:mode": [ "acl:Read", "acl:Append" ] } ] }
#
Loqi [Amy Guy] ActivityStreams 2.0 Terms
#
saranix just listing the acl's that the current authenticated requester has
#
saranix hmm AS defines Profile but is has no meaningful properties... is it expected to be full of foaf properties?
#
saranix meh, an hcard would be better. What is the right mediaType for hcard?
#
cwebber2 saranix: huh, I didn't even know about the ACL namespace
#
cwebber2 it looks decent.
astronouth7303 joined the channel
#
saranix After thinking through a few usecases it might be better to acl: [ {},{] ] with a set of full acl triplesets (with subject assumed to be the viewer if omitted)
#
saranix if only for consistency when applying it to other objects like Profile... to convey, for example: "you are allowed to share this profile with activitystreams#Public"
#
saranix that's a pretty narrow usecase though. *sigh* still need some way to do it...
#
saranix also thinking through an addressBook endpoint... that's why...
dwhly and xmpp-social joined the channel
#
Loqi Benthatmustbeme made 1 edit to [[Socialwg/2017-07-18]] https://www.w3.org/wiki/index.php?diff=103778&oldid=103713
#
xmpp-social [ajordan] Thanks ben_thatmustbeme
#
ben_thatmustbeme no problem
#
xmpp-social [ajordan] Good idea to bring that up
#
xmpp-social [ajordan] I will say though this'll be one doozy of a call :/
#
ben_thatmustbeme in terms of what?
#
xmpp-social [ajordan] There's kind of a ridiculous amount of AP stuff, particularly with the changes to publicInbox we were discussing today
#
xmpp-social [ajordan] Took us over 3 hours this afternoon
#
ben_thatmustbeme we should probably get all other business out of the way first, i don't think there are any other major updates really
#
Loqi +1
#
ben_thatmustbeme other than that EME issue to bring up (also Diaspora had a similar response, though for different reasons)
#
ben_thatmustbeme i also wanted to request an updated draft of jf2
#
xmpp-social [ajordan] Ah neat
#
xmpp-social [ajordan] I still haven't read the draft in its entirety, I'll try to do that before Tuesday
#
xmpp-social [ajordan] The other thing is there's a bunch of agenda items we pushed from previous weeks
#
xmpp-social [ajordan] Like bridging
#
xmpp-social [ajordan] Implementation uptake is a blessing and a curse ;)
#
Loqi Benthatmustbeme made 1 edit to [[Socialwg/2017-07-18]] https://www.w3.org/wiki/index.php?diff=103779&oldid=103778
#
ben_thatmustbeme yeah, and pushed stuff is supposed to get first priority
#
xmpp-social [ajordan] Smart
#
xmpp-social [ajordan] Tbh earlier cwebber2 and I were discussing preemptively asking to extend the call
#
ben_thatmustbeme there were things having starvation issues when we were just going by whatever seemed most important, so i pushed to move everything to be FIFO
#
xmpp-social [ajordan] Yeah that's way better
#
ben_thatmustbeme at the very least it would be good to mention it right up front
#
xmpp-social [ajordan] Yep
#
ben_thatmustbeme also might be good to write something up of all the changes made, if that makes sense
#
ben_thatmustbeme i was going to say 'you are up late' but you are west coast aren't you?
#
xmpp-social [ajordan] You mean on the agenda?
#
ben_thatmustbeme or as a post and link to it on the agenda
#
xmpp-social [ajordan] Yep! PST
#
xmpp-social [ajordan] Yeah I'll do that; I made sure to capture everything in issues
#
xmpp-social [ajordan] What timezone are you by the way?
#
ben_thatmustbeme EST
#
ben_thatmustbeme err EDT right now
#
xmpp-social [ajordan] Neat
#
xmpp-social [ajordan] So you're the one up late then ;)
#
ben_thatmustbeme yep, 3 am server outage, so i woke up an hour ago
#
ben_thatmustbeme have ram failing on the companies primary DB server
#
xmpp-social [ajordan] Oh dang that's brutal
#
xmpp-social [ajordan] Sorry to hear that
#
ben_thatmustbeme eh, its okay, thankfully my body woke me up at 2 am
#
ben_thatmustbeme rather than having to wake for my alarm at 2:45
#
ben_thatmustbeme my subconscious is pretty good about getting my butt up when it needs to
#
xmpp-social [ajordan] Ahh. That's nice
newton and timbl joined the channel
#
Gargron about the discussion of sorting responses in client-to-server API, that's kind of why i'm not interested in a standard client-to-server API. every application *may* be different, s2s AP allows a youtube-type and an instagram-type and a mastodon-type platform to exist, but each of those presents content completely differently to the users, and making a standard c2s API for all of them would limit their abilities to be good applications, prevent innovative
#
Gargron applications that weren't expected, and it puts a lot of onus on client-app developers
#
puckipedia the c2s api is pretty much optional though
#
puckipedia and alternately it explains how the side effects on e.g. liking an object work
timbl and newton joined the channel
#
cwebber2 the number of differences in a client UI are probably not *too* huge, and even if you want a different look for different applications, I think you can at least have a base application that can be pretty easily skinned and retooled for those needs
#
cwebber2 but, it's optional, and you don't need to be convinced to use the s2s api :)
#
cwebber2 puckipedia: https://mastodon.social/users/Gargron/updates/3787501
#
Loqi [Eugen] @cwebber hey do you know puck's URI? would like to test my account resolving code
#
puckipedia https://puckipedia.com/social is my test account
#
puckipedia Gargron: ^
#
puckipedia cwebber2: and yeah, for not having to store entity data: maybe do e.g. https://example.com/object?like=12&by=123&signature=AAQAi8fjzshd_as-? :P
#
puckipedia tries to use Kroeg to send a reply
#
puckipedia welp it's catching the old mastodon activitypub stuff
newton and Gargron_ joined the channel
#
Gargron_ yo
#
cwebber2 yo yo Gargron_ :)
#
ben_thatmustbeme is there a 'yo' instance of mastodon yet? :P
newton joined the channel
#
saranix hmm... yeah, that mastodon reply in puckipedia page has a non-dereferencable (non-compliant) id https://www.w3.org/TR/activitypub/#obj-id
#
puckipedia I know that
#
puckipedia currently for non-AP posts I just put the inReplyTo manually
#
saranix oh it came from non-AP?
#
puckipedia the tag: one, yes
#
puckipedia check the url
#
saranix hmm... my parser still rejects it
#
saranix I don't know if I want to write a work-around
#
saranix since it's clearly non-compliant
#
puckipedia I might just drop OStatus support once Mastodon has ActivityPub implemented
#
Gargron_ yeah
#
Gargron_ added test spec for account resolver https://github.com/tootsuite/mastodon/pull/4216/commits/4d933301fde7c1bd5bfbd3229688e8f70255161d PogChamp
#
Gargron_ gotta fix how icon/image are serialized
#
Gargron_ i dunno if publicKey should have some sort of pinning precaution
#
Gargron_ on one hand, ppl keep losing databases and recreating users and stuff like that, and each time there is a genuine need to accept a new public key
#
saranix yeah I brought up ttl last week I don't think anyone saw me :P
#
Gargron_ in current mastodon setup, it stays pinned for a day
#
Gargron_ and tbh... well, it means people have to wait for a day when they brick their account
#
Gargron_ i guess there is no real reason not to accept updates to it, if it's delivered over TLS anyway
#
saranix the flip side is, it's extremely expensive to keep fetching a key
#
puckipedia alternatively, you could try to resolve a key if a signature fails to validate?
#
puckipedia though maybe that should be rate limited
#
Gargron_ puckipedia: talking about this line https://github.com/tootsuite/mastodon/pull/4216/files#diff-9ad66311219adfd749e084691c22eb5eR53 when we fetch an actor
#
Gargron_ i mean i still need to add a special case for when it's not embedded and another http roundtrip is needed
#
puckipedia maybe make a method resolve, that just passes the object through if it's a Hash, or else GETs it
#
ben_thatmustbeme have seen some terrible user issues where an instance crashed in other networks and there is no path forward and just no one accepts the new key
#
ben_thatmustbeme i thought the one-day thing was to mitigate issues when a host gets hacked temporarily
#
ben_thatmustbeme or rather the URL gets taken i mean
#
ben_thatmustbeme though the more i think about it, neither of those are good use cases
#
ben_thatmustbeme its really only for man in the middle attacks huh
#
cwebber2 saranix: Gargron_: https://web-payments.org/vocabs/security#expires
#
cwebber2 for setting an expiration time on a key
#
puckipedia but what if the server's data is erased
#
puckipedia and you restart, and someone recreates an existing account
#
saranix I agree with canonical fallback in the case of verification fail (exactly once)
#
saranix at leasted automated... a failqueue for admin intervention might be useful for weird edge cases
#
puckipedia I would suggest trying max once a day after a verification fail
#
ben_thatmustbeme puckipedia: or for that matter if ther server closes completely, DNS expires, and someone else takes it
#
ben_thatmustbeme in theory they could pretend to be every user that was ever on that server
#
saranix ben_thatmustbeme: that's actually a problem for this protocol. My protocol pairs user keys with the server software key to define a unique "user", specifically for that situation, but AP does not have software keys
#
puckipedia hmmmmm
#
puckipedia good question if we should support that and /at least/ describe it
#
saranix from a security standpoint, there should be a software key
#
saranix the software is being entrusted with custody, but with no verificatio
#
saranix n
#
ben_thatmustbeme so i have heard a lot about this from one user on friendica who had this issue, his server crashed, lost his key, now none of his friends are getting any updates as they all see it as invalid sigs... they have to remove and re-add him
#
ben_thatmustbeme one suggestion was to put it to the user and have a notification saying the reset
#
ben_thatmustbeme but i'm guessing the remote user's info is stored server wide
#
ben_thatmustbeme its a very interesting and messy problem
#
saranix Another argument for a software endpoint: getting version information of who you are talking to for protocol ambiguities
#
saranix I've decided. For my impl I will be adding a software attribute to the canonical actor object {type:Actor, software: {type:Application, version:ver, publicKeyPem: software-key } }
#
saranix actually I think I'll reuse the "generator" attribute
#
ben_thatmustbeme well, ideally it should be just the protocol version thats needed, but the software version can be useful for things outside of spec
#
puckipedia generator?
#
puckipedia at least, imo generator is close enough for the actor
#
saranix it's more semantic... generator it is
#
puckipedia like, this actor is [generated by/hosted by] this application/server/whatever
#
Gargron_ a server key does not solve the described problem btw
#
Gargron_ if the admin loses the db
#
Gargron_ or even if the key is outside the db, as a flat file
#
Gargron_ the key would get lost and the admin would regenerate it and you're back on square one
#
Gargron_ imo the "somebody takes over the domain" is a social problem
#
Gargron_ or maybe on the DNS level
#
saranix if the admin loses the DB, there is nothing that can be done and no way to mitigate it. It's like losing your own key with no way to "reset" your password. You're screwed. You should've backed up, dummy.
#
Gargron_ yeah but it's gonna happen
#
Gargron_ it's happened
#
Gargron_ many times
#
Gargron_ you can't just tell them "well, the domain you bought is now worthless, you'll need to get a new domain"
#
saranix I'm more concerned about someone buying reallypopulardomain.com and stealing all the users
#
saranix yes, you can tell them that, because that's how domains work
#
saranix we can't change how domains work, so we have to work within that
#
Gargron_ i see it this way
#
Gargron_ the key is used for verifying it's user from domain
#
Gargron_ the *initial* key is also served from the domain, so if somebody takes it over, they're gonna serve their own key
#
Gargron_ it's not used for verifying actual identity of the person behind the user account
#
saranix I'm considering an E2Ekey for this purpose
#
cwebber2 <ben_thatmustbeme> puckipedia: or for that matter if ther server closes completely, DNS expires, and someone else takes it
#
cwebber2 <ben_thatmustbeme> in theory they could pretend to be every user that was ever on that server
#
cwebber2
#
cwebber2 it's a legit problem
#
saranix it's authoritative on nomadicity (vis a vis Zot)
#
Gargron_ an e2e key is cool but it's a separate layer imo
#
cwebber2 but I think all of our problems are going to have awkwardness around this stuff until we use something non-dns
#
Gargron_ i think im not gonna pin public keys in my code for now
#
cwebber2 DIDs might be a solution but they have yet to be proven
#
cwebber2 even if you tie a key to a server
#
cwebber2 has the same problem that either the server key expires or
#
cwebber2 it can be taken over by someone else anyway
#
saranix Yeah I had a look a DIDs, they are overly complex...
#
cwebber2 I'm not sure DIDs are the answer, but hopefully something like them will eventually win
#
saranix I haven't found a fitting property to stuff the E2E key into yet...
#
Gargron_ i mean, the publicKey can be an array i think
#
puckipedia it can
#
cwebber2 you'd probably want to actually pin keys to each device
#
Gargron_ however i dunno how you want to symbolize whether a key is server-owned or e2e
#
puckipedia does it matter?
#
cwebber2 maybe you could attach a Profile to the Actor somewhow
#
saranix yes, the E2E key is authoritative for server switches, key changes, etc, and the private part should never be shared with a third party
#
cwebber2 for actor sub-profiles
#
cwebber2 anyway, it's going to take some work for someone to establish how to do E2E properly
#
saranix it's like your "email for password reset" of yore but with better controls and crypto
#
saranix it will need a massive javascript UI, especially since WebID is dead WRT browser key generation
#
saranix My old software uses client TLS for this purpose, but because of that deprecation, I have yet to replace it with a new UI
#
cwebber2 hey Gargron_
#
cwebber2 Gargron_: https://tools.ietf.org/html/draft-cavage-http-signatures-07
#
cwebber2 now with less expiration :)
#
cwebber2 until January 2018 anyway :)
#
Gargron_ nice
#
saranix err... which spec talks about publicKey and publicKeyPem? I can't find them in AP or AS2 with a text search
#
cwebber2 saranix: https://web-payments.org/vocabs/security#publicKey
#
cwebber2 saranix: https://github.com/w3c/activitypub/issues/203#issuecomment-297553229
#
Loqi [cwebber] I think that's because in Linked Data Signatures, the key would actually be attached to the object itself? Unfortunately it seems under-documented on the LDS spec itself, but we can hop straight to a Real Implementation (TM) to see what's expected...
#
saranix hmmm
#
saranix missing from that vocab is allowed usages of the key
#
Gargron_ serverOwned vs userOwned param on keys, something like that, would be interesting
#
Gargron_ i made my parser support publicKey URIs and proper Image objects vs URIs too: https://github.com/tootsuite/mastodon/pull/4216/commits/f0bc2b064bc0231bda188115bb0ee268b2bcd1e3
#
saranix it's not a matter of who owns it, but what it's authorized to be used for. I have 3 uses defined explicitly -> signLocations (e.g. which servers are allowed to speak for this id), 'signTransportRekey' (e.g. allowed to change the transport key (the one attached directly to the actor) without having an https:// endpoint that matches, and E2E (encrypt payloads to be read only by receiver)
#
saranix although I have to admit that E2E has some ambiguity WRT deviceid
#
saranix still a WIP
#
jaywink hmm wouldn't it make sense to assign each user a separate key for http signatures? what exact situations does a server key go for?
#
saranix server key allows authoritative user rekeys from within the same origin
#
saranix has nothing to do with http sigs
#
saranix well, I suppose it would be signing the rekey request somehow, haven't gotten that far
#
Gargron_ puckipedia: huh so it's really "_:conversation" that's a weird key
#
Gargron_ why not just "conversation"?
bblfish joined the channel
#
cwebber2 Gargron_: looks like a blank node
#
cwebber2 https://en.wikipedia.org/wiki/Blank_node
#
Gargron_ okay..
#
Gargron_ another question. i am working on FetchRemoteStatusService now.
#
Gargron_ so i resolve a note URI, and it contains an attributedTo
#
Gargron_ i intend to verify that the attributedTo URI and the note's own URI are on the same host
#
Gargron_ reasonable?
#
Gargron_ otherwise i'd be able to publish notes on behalf of someone else
#
saranix I think you should just verify that the note fetched from it's canonical url matches
#
saranix you can't be guaranteed that outbox.someprovider.com isn't also the same provider as coolinboxes.com
#
saranix but if you fetch the canonical item and it's there, it's legit
#
Gargron_ i am already fetching the note from its canonical url
#
saranix then that should be sufficient?
#
Gargron_ but it just says it's attributedTo some actor
#
cwebber2 Gargron_: I guess that's the best you can do without linked data signatures
#
cwebber2 though
#
Gargron_ how do we know if that actor really did write it
#
cwebber2 Gargron_: if the actor signed the post with http signatures
#
Gargron_ yeah without LDS
#
cwebber2 using their key
#
cwebber2 wouldn't that be enough?
#
Gargron_ incoming requests are signed that way for sure
#
Gargron_ but i just wanna resolve a status by its URI
#
Gargron_ "pull"
#
cwebber2 ah yeah
#
Gargron_ don't have signatures there
#
cwebber2 hm
#
Gargron_ that's where LDS would be useful
#
cwebber2 yeah that would be useful
#
saranix it's looking more and more like we need to mandate LDS, solves a lot of problems
#
Gargron_ all i can think of to sidestep is the host comparison
#
Gargron_ because you can be reasonably sure a host cannot impersonate itself
#
cwebber2 Gargron_: there's an alternative route which involves doing some sort of multi-legged oauth check song and dance
#
cwebber2 but
#
cwebber2 actually that doesn't verify that the actor did it
#
Gargron_ i'd rather not oauth like this
#
cwebber2 now that I think about it
#
Gargron_ i think of oauth as client-to-server
#
cwebber2 it would still only verify that it came from the origin
#
cwebber2 which isn't helping you here
#
Gargron_ yeah im just gonna compare hosts for now
#
cwebber2 Gargron_: yeah do compare hosts for now, and we'll look at hopefully doing LDS long term
#
saranix since the origin is spitting out the publickey to the actor anyway, they can just place any false key there, so a canonical fetch is defacto assurance
#
saranix https anyway
#
cwebber2 saranix: if you're fetching the actor, regardless of what domain it's on, and it's fetched via https, yeah
#
saranix by comparing hosts you're disallowing legitimate use cases/server architectures
#
cwebber2 you can use https to be sure that at least, to the extent you trust the CA system, that's really the actor's key
#
cwebber2 saranix: I think it would be good for mastodon to adopt LDS but maybe we can get there in steps
#
saranix Also, what if I'm allowed to post to someone else's collection on another server
#
saranix author won't be same origin
#
Gargron_ saranix i am not sure you see the problem here. let's say i publish https://example.com/notes/foo, which will contain { content: "Dogs are bad", attributedTo: "https://saranix.com/me" }
#
saranix https://github.com/swicg/general/issues/13#issuecomment-315658118
#
Loqi [zotlabs] Was already considering doing this to support our existing notions of forum posting, sourced channels, and wall-to-wall posts. For instance to post to a forum, you would post to the forum's outbox. The difficulty in the protocol definition is how to...
#
Gargron_ https://saranix.com/me has never written such a thing
#
Gargron_ then some other user tries resolving https://example.com/notes/foo, through search, or other means
#
saranix ahh... yes... I guess only possible with ldsig then... dang
#
Gargron_ ye
#
cwebber2 yeah so you either gotta do ldsig or same origin
#
Gargron_ host comparison would be a monkey patch for now
#
jaywink would love to see ldsigs. But I thought the idea was to look up the object and auth http signatures? wouldn't that lookup give you guarantee the object is the same there?
#
jaywink but without ldsigs one needs to verify the whole object that it also hasn't changed
#
cwebber2 jaywink: we're not talking about the object integrity
#
cwebber2 re-read Gargron_'s example
#
Gargron_ afaik http signatures are for *requests*, not *responses*
#
jaywink hmm I don't get it, will try to re-read
#
cwebber2 jaywink: say you're using diaspora.example
#
cwebber2 but your user is on the cool-setup of jaywink.diaspora.example
#
cwebber2 or whatevs
#
cwebber2 if the post comes from diaspora.example but has the author as jaywink.diaspora.example
#
jaywink I hope that will be possible - happens all the time in diaspora world at least that content is relayed through another host
#
cwebber2 jaywink: yeah in that "forwarding" scenario
#
jaywink but signatures are used to check the author
#
cwebber2 you need the signature attached to the object
#
cwebber2 jaywink: but the *http* signature can't be forwarded
#
cwebber2 because the next post would be a different http request, see?
#
jaywink but can't the receiver look it up from the source?
#
cwebber2 jaywink: they can, but then they aren't sure that the author really sent it
#
cwebber2 jaywink: here, how about this
#
jaywink ldsigs ;)
#
cwebber2 yeah
#
cwebber2 you got it
#
cwebber2 so you either need ldsigs there or to keep it on same-domain
#
cwebber2 objects either have to be on the same "origin" as their actors or
#
cwebber2 ldsigs
#
jaywink well, the author would be jaywink.diaspora.example and the note id could be jaywink.diaspora.example/note/123 - wouldn't that be enough to guarantee? would it be common for an author ID and note ID (for example), to be on different hosts?
#
jaywink but yeah, a bit dirty :)
#
cwebber2 jaywink: yes
#
cwebber2 that's what we said
timbl joined the channel
#
cwebber2 if it's on the same domain
#
cwebber2 no problem
#
cwebber2 but if it's on different hosts that's where it's challenging
#
puckipedia <Gargron_> why not just "conversation"? <- to be 100% clear that it's kinda hacky
#
cwebber2 puckipedia: hm wait, suddenly realizing you're using a blank node for a key
#
cwebber2 yikes!
#
puckipedia cwebber2: tbh it's only used for internal stuffs
#
cwebber2 ah ok
#
puckipedia to ensure I can do 100% lossless OStatus<->ActivityPub
#
cwebber2 got it
#
puckipedia I use blank nodes for those indicators, that you should not assume it exists
#
jaywink what was the stopper for ditching ldsigs btw in the mumble call some days ago? I mean, if they would solve some important problems in a good way :)
#
Gargron_ didnt realize what exact problems they would solve before i started implementing
#
Gargron_ but reason was: Too Hard
#
cwebber2 Gargron_: I think in the long run, they'll make your life easier, but I agree it's more effort up-front
#
jaywink this is how diaspora does it just for fyi: https://diaspora.github.io/diaspora_federation/federation/magicsig.html .. based on https://cdn.rawgit.com/salmon-protocol/salmon-protocol/master/draft-panzer-magicsig-01.html
#
cwebber2 puckipedia: btw, not sure if you saw my PM (if so, great, no rush)
#
jaywink what about JWS? where they ever considered for signing the payload? (https://tools.ietf.org/html/rfc7515). At least it's a standard, but I've always found the JW set looking really heavy and scary :)
#
saranix JOSE is very open-ended and loose. Even https://web-payments.org/vocabs/security talks about LDsigs being only implementing the RS256 varient
#
saranix keeping in mind that all 6 or 7 of these are all "draft" standards, either abandoned after creation 2-3 years ago, or just drafted months ago
bwn and timbl joined the channel
#
Gargron_ how tf would you "normalize" the to-be-signed json document (for LDS)
#
Gargron_ i mean for goodness sake can't you just take the json output as a string and sign that
#
Gargron_ all you need to do for verification is take the very same string of json minus the signature itself
#
saranix lol you sound like me last week
#
saranix The specs go in circles but never say how
#
saranix I came to the conclusion, reading between the lines, that "normalize" means, "make sure all required parameters exist"
#
puckipedia the normalization is, afaik, basically turning the JSON-LD into a specific form of RDF, then hash that, then that is signed
#
puckipedia at least, I'm not 100% sure as the spec is mostly for people that want to implement it and also for masochists (not even kidding, that's what it says)
#
saranix I think that is the only sticking point for us getting ld-sigs done, and if we all have some inclination of doing ldsigs, let's just decide ourselves on a way that we all agree on
#
saranix at least for now, so we aren't stuck
#
saranix doesn't have to be perfect
#
jaywink saranix++
#
Loqi saranix has 2 karma
#
saranix \o/
#
jaywink the important thing is AP spec says what is done and how, to ensure servers interop
#
puckipedia so I think the only thing the spec will have to include is the use of publicKey
#
Gargron_ i am for just taking the json string in whatever form
#
Gargron_ without extra processing it's gonna be in the same form/order on input as well as output
#
Gargron_ (while it's a string i mean)
#
saranix whitespace
#
Gargron_ nah whitespace won't change if it's a string
#
puckipedia PHP escapes slashes inside string values in JSON
#
Gargron_ ok tbh i don't know how to remove the signature subsection of it while it's a string tho
#
puckipedia and the singature is /inside/ the obj-yep
#
Gargron_ this spec is effed up
#
saranix puckipedia: json_encode($string, JSON_UNESCAPEDSLASHES|JSON_PRETTY_PRINT); <-- mirrors Kroeg
#
Gargron_ i hope some poor soul writes a ruby library for it so i dont have to
#
jaywink are we talking about this? https://w3c-dvcg.github.io/ld-signatures/#signature-algorithm
#
puckipedia jaywink: I think the biggest point is the canonicalization algorithm
#
Gargron_ yes step 2
#
puckipedia Gargron_: the point is that JSON-LD signatures are made to be able to sign any JSON-LD document
#
Gargron_ it's like "step 2: solve P=NP. step 3: .."
#
puckipedia and any JSON-LD document can be represented in many ways
#
saranix lol gargron
#
puckipedia Gargron_: eh. it's doable. it's got an exact list of things to do
#
puckipedia the point is that JSON-LD { "@context": "http://www.w3.org/ns/activitystreams", "actor": "https://example.com/actor" }
#
Loqi [Amy Guy] ActivityStreams 2.0 Terms
#
puckipedia is equal to JSON-LD [ { "https://www.w3.org/ns/activitystreams#actor": [ { "@id": "https://example.com/actor" } ] } ]
#
Gargron_ i wonder if http sigs can be stuck into a http response
#
puckipedia probably not too difficult to do
#
puckipedia hm, maybe it is
#
Gargron_ would need to implement Digest header to actually digest the body of the response and sign it
#
Gargron_ but it would be much simpler than this LDS stuff
#
Gargron_ because you only need to care about the whole body, verbatim. no canonicalization
#
Gargron_ no parsing, no removing signature
#
Gargron_ "1.2. Using Signatures in HTTP Responses"
#
Gargron_ it's not further specified
#
Gargron_ cwebber2: maybe you could ask your friends about that
#
saranix reading https://json-ld.github.io/normalization/spec -- It talks an awful lot about blank nodes... We don't have those, do we?
#
saranix everything has an @id
#
puckipedia not true
#
saranix according to this, we should order by @id
#
puckipedia @id can be null
#
saranix not server-server it can't
#
puckipedia "An ID explicitly specified as the JSON null object, which implies an anonymous object (a part of its parent context)"
#
saranix and if you are doing client-server there is no reordering because it is one object
#
puckipedia just for activities it must have IDs, except if it is transient
#
saranix in the case there is no ID, the algo says to map each one to a black node _:a to _:z and sort them by their SHA256 hash
#
saranix blank
#
saranix although I must admit I don't understand this blank node stuff
#
puckipedia a blank node is _:asdf
#
puckipedia an id of*
#
puckipedia and basically blank IDs are used when it doesn't matter what ID the object has outside the context of the document
#
saranix "In short, it is a node in a graph that is neither an IRI nor a literal"
#
Gargron i intend to use blank IDs for binary privately-targeted events such as follow/unfollow, like/unlike (because those will not appear in any collections)
#
saranix blank face
#
Gargron anyway, that's all a bit too bothersome. at least i made some progress today
#
Gargron i need to refactor a good chunk of code to make any further progress so i'm a bit frustrated
#
Gargron i was thinking how to fit AP data with old OStatus data in the db: https://github.com/tootsuite/mastodon/pull/3827#issuecomment-315653890
#
puckipedia saranix: so an IRI id, is basically most URIs. A literal is basically any possible value. And a blank node starts with "_:"
#
saranix But blank nodes DO have a value...
#
puckipedia _:asdf is a blank node, not a literal
#
saranix but "_:asdf":"somehash" IS a literal
#
puckipedia I mean _:asdf is a blank node called "Asdf"
#
jaywink https://tools.ietf.org/html/draft-staykov-hu-json-canonical-form-00 (just looking around for simpler options)
#
puckipedia "asdf"*
#
puckipedia a literal can also be integers, a dateTime, etc
#
cwebber2 Gargron: I can ask about it sure
#
cwebber2 saranix: blank nodes are just temporary theoretical placeholders
#
saranix https://json-ld.github.io/normalization/spec#blank-node-identifier-issuer-state "issued identifiers list: A list that tracks previously issued... also tracks the existing identifier that triggered the issuance, to prevent issuing more than one new identifier per existing identifier, and to allow blank nodes to be reassigned identifiers some time after issuance"
#
cwebber2 saranix: and aren't guaranteed to be the same from one display to the next
#
saranix I have no idea what that gobbledygook means
#
puckipedia blank nodes are used when you don't want to give a node a permanent ID, but you do want to refer to it within the document
#
cwebber2 saranix: IIUC is basically, the blank nodes, since they aren't real ids, need a way to be sorted
#
cwebber2 so you're finding a way to always sort them in the same order, even though they *don't* have an id
#
cwebber2 which it turns out
#
cwebber2 is a really hard graph problem
#
cwebber2 it's okay with a few blank nodes
#
puckipedia e.g. {"id": "https://example.com", "type": "Create", "object": {"id": "_:thing", "type": "Actor"}, "actor": "_:thing"}
#
cwebber2 but it grows quadratically
#
cwebber2 that's my understanding
#
cwebber2 I'm not an expert
#
puckipedia _:thing is not referrable outside this document. but it is referenced inside the document
#
cwebber2 puckipedia: yep you got it
#
cwebber2 it's just a way to say that both the id of the object and also the actor, in your example, point to the same thing *there*
#
cwebber2 but they aren't universal
#
jaywink here is the Matrix way: https://matrix.org/docs/spec/appendices.html#canonical-json
#
puckipedia yes but matrix doesn't use JSON-LD
#
puckipedia :P
#
cwebber2 jaywink: I'm guessing before I see it: it's sorting it by key name :)
#
puckipedia I think once we get extensions that use JSON-LD contexts it starts getting complicated
timbl joined the channel
#
cwebber2 jaywink: btw we *can* do a normalization algorithm where we sort by id, and attach that via linked data signatures
#
cwebber2 but
#
jaywink doesn't even understand JSON-LD, so...
#
cwebber2 yeah once you add extensions
#
cwebber2 and you expand/compact
#
cwebber2 that breaks
#
puckipedia and e.g. in AS2, "conversation": "asdf" and "_:conversation": "" are equal, technically, as long as conversation isn't defined in AS2 spec
#
cwebber2 basically, if you have multiple sites doing extensions
#
puckipedia ehm, "_:conversation": "asdf"
#
cwebber2 you'll want to be sure things aren't ambiguous
#
cwebber2 and you're going to want to be sure how to do that and normalization correctly
#
cwebber2 then you'll run into this issue
#
cwebber2 unless you decide to have a global namespace, but that's its own form of tricky
#
cwebber2 as2 could include extensions for nearly everything
#
cwebber2 but should it?
#
saranix I'm in favor of https://tools.ietf.org/html/draft-staykov-hu-json-canonical-form-00 -- no sorting. The signature is only valid for the object AS-IS
#
cwebber2 json-ld allows you to have a property "run" which is an extension and have one site use it for "run a program" and another site use it for "run a mile" and have them not hit a conflict
#
cwebber2 saranix: and that's possible, and I might add a normalization form for that
#
cwebber2 to which we could still *attach* the signature via json-ld, but
#
puckipedia saranix: please sort. JSON objects aren't defined to have an order?
#
cwebber2 it'll unfortunately become a mess for people if we get a lot of extensions
#
cwebber2 right we'd have to at least sort the keys alphabetically
#
cwebber2 *at least* that level of normalization must be done.
#
cwebber2 here's the other problem:
#
saranix puckipedia: only matters if you want to try to reconstruct an object, this way, we never do. Only verify signatures as if the object was a blob
#
cwebber2 now you have to store the object in your db *exactly* as you go ti
#
cwebber2 got it
#
cwebber2 saranix: that's also a problem
#
cwebber2 what about whitespace
#
saranix it sucks, but is it really any different than storing the message content as an opaque b64 string?
#
cwebber2 do you want people to store documents in their db as plaintext only?
#
saranix or PEM
#
saranix for that matter
#
cwebber2 right, I'm saying hopefully you *don't* do that
#
jaywink I don't quite get the problem. The signed object wont change before it is verified - thus the document should be the same. Why do extensions matter for signing?
#
cwebber2 jaywink: ok let's go through it step by step
#
cwebber2 let's assume you like my note, ok?
#
jaywink always :)
#
cwebber2 and I attach a signature to it
#
cwebber2 and you want to keep that signature
#
cwebber2 imagine I do my whitespace like this
#
cwebber2 {"type":
#
cwebber2 "Note",
#
cwebber2 "content": "forp"}
#
cwebber2 do you need to reproduce that whitespace to sign it?
#
cwebber2 hopefully not!
#
cwebber2 especially
#
cwebber2 hopefully not if you're doing
#
jaywink all the versions I've seen remove whitespace
#
cwebber2 jaywink: right, they remove whitespace and order keys right?
#
cwebber2 in which case, *some* normalization is done
#
cwebber2 it's not treated as *just* a base64 encoded blob
#
cwebber2 it's at least done the most minimal normalizaing possible.
#
jaywink well, that wouldn't work
#
cwebber2 you would *have to* normalize keys, realistically
#
cwebber2 here's why
#
aaronpk why can't you do all the signing and stuff at a layer outside from the JSON string? this seems incredibly fragile to be munging the data
#
aaronpk like how HTTPS doesn't care what's inside it
#
cwebber2 aaronpk: we've already got a layer for that with http signatures that we're not talking about at the moment
#
cwebber2 at the moment I'm talking about jaywink passing along my Note wrapped in his like
#
cwebber2 LIke
#
jaywink cwebber2: why isn't ordering keys enough?
#
cwebber2 Like
#
cwebber2 argh
#
Gargron cwebber2: sorry i dont think you need to store the blob-as-is unless you want to repost the original thing again, for me LDS is important in verifying content supposedly-from-the-origin
#
cwebber2 Gargron: okay that's fine, and in that case http signatures on response may be just fine
#
aaronpk i thought yesterday you were saying that checking the URL of the original object was going to be the best way to verify it?
#
Gargron that was today
#
cwebber2 aaronpk: Gargron hit a point where it wasn't enough: does the actor have to be on the same domain as the object
#
aaronpk wibbly wobbly timey wimey
#
cwebber2 in order to trust it
#
Gargron and comparing hosts is a temporary solution
#
Gargron im feeling jaded, i wanna make a decision on the db structure stuff for accounts but nobody gives me feedback on that
#
aaronpk i'm just thinking about this from the perspective of someone using the software
#
aaronpk if i see something presented to me that says "jaywink likes this post from cwebber" and i think it looks suspiciously like something cwebber wouldn't have posted, i would expect to be able to click on the link to cwebber's post to see the original
#
Gargron i mean, your server shouldnt even show that to you if it's not verifyably true
#
cwebber2 aaronpk: the example we're talking about isn't just "is the content the same on the original site"
#
cwebber2 take for granted that that's been verified
#
cwebber2 but can the site give an actor and say "aaronpk posted this" even though it was posted on dustycloud.org
#
cwebber2 without a signature from aaronpk, you'll have to limit it to aaronpk's domain
#
cwebber2 which maybe you'll say "good enough", I'm just trying to scope the problem here :)
#
jaywink that would be weird but then AP doesn't have a concept of server :) you could have many actors on the same domain - how to verify those?
#
cwebber2 (that's not good enough for jaywink though, who wants to be able to forward messages)
#
aaronpk on my site when i receive a comment from a source URL that doesn't match the reported URL, I show "via"
#
jaywink cwebber2: checking forwarded messages isn't a problem as long as the check is made against the author of the content, *not* who sent it. but forwarding isn't the issue here
#
cwebber2 Gargron: anyway I sent an email asking about http responses
#
aaronpk bridgy being the biggest example of this: https://media.aaronpk.com/Screen-Shot-2017-07-17-13-43-39.png
#
aaronpk i feel like that's a pretty good compromise, allowing servers to forward messages for other servers and letting people decide whether they trust it or want to double check it themselves
#
cwebber2 gets SEC_ERROR_OCSP_SERVER_ERROR
#
aaronpk fix your tls :P
#
Gargron putting the onus on users to check things that can and should be verified cryptographically is aiming the system at only engineers
#
Gargron and even engineers i bet wouldn't want that kinda UX
#
aaronpk it feels like premature optimiization to be worrying about this right now, when this spec isn't even interoperating at all right now
#
Gargron ummmmm no
#
Gargron it would be deployed in a network with over 700,000 accounts
#
Gargron most of who aren't engineers or IT people
#
Gargron so no, not premature
#
jaywink Gargron++
#
Loqi gargron has 6 karma
#
aaronpk so then don't allow servers to forge messages from other servers, and ship with just that
#
puckipedia so just an origin check?
#
Gargron *allowing* is not the issue here lol
#
Gargron like im not gonna write software with a function to forge messages
#
aaronpk you know what i mean
#
Gargron it's more of a "releasing software with a gaping vulnerability"
#
aaronpk don't write software that accepts forged messages
#
cwebber2 aaronpk: that's what we're trying to do!
#
Gargron that's why we are talking about it here
#
aaronpk i mean just leave it out entirely, put that problem off til later. get something working at all first.
#
cwebber2 aaronpk: they can't leave it out
#
cwebber2 a vulnerability like this has already happened.
#
aaronpk remind me again why an origin check isn't enough?
#
Gargron i need to be able to pull down a status by URI most importantly for thread resolving, e.g. i receive msg from server A which responses to msg from server B which i do not have in db yet
#
Gargron *responds
#
Gargron an origin check should be ok
#
Gargron somebody raised the point that actor JSON, and notes JSON do not *have* to be on same domain
#
Gargron i dont necessarily see a use case for it being that way tbh
#
cwebber2 it's probably not going to come up very often in mastodon's case
#
puckipedia I don't think it's going to come up very often full stop?
#
puckipedia I think 'inbox being on another server' will be more often than that
#
jaywink also you could have multiple separate servers running on some shared domain - AP doesn't even have domain
#
cwebber2 yeah I do think Gargron talked about mastodon having subdomain-users
#
cwebber2 that may come up there
#
saranix Anyone see any problems with this: https://pastebin.com/FvFujcQm ... The signature blob has to be stored as a text blob. The order of the "fields" array is used to reconstruct the obj to verify the signature. Sound good?
#
Gargron not subdomain users but custom domain users (foo.org pointing to instance that normally runs as bar.org, which for that domain pretends it's single-user)
#
Gargron in that use case all URLs would use the custom domain too
#
Gargron i think
#
cwebber2 aha
#
Gargron i haven't mapped it all out
#
cwebber2 puckipedia: it'll come up in other contexts though that aren't necessarily social web related that still may use our protocols. I know that doesn't matter a lot to people in here though and that'd fine.
#
puckipedia Gargron: well, I would guess except for the shared inbox
#
puckipedia as it'd be shared by all users on that server in Mastodon's case
#
saranix err https://pastebin.com/ew5iSxa6
#
puckipedia saranix: why not sign everything /but/ the signature
#
puckipedia because now I can fake-add a cc to it
#
saranix It was argued that there was a need for extensions, adding fields, etc
#
saranix puckipedia: no you can't
#
saranix puckipedia: you add a fake cc, the sig doesn't include cc, the sig fails
#
puckipedia why not just... sort them?
#
cwebber2 normalization++
#
Loqi normalization has 1 karma
#
saranix This is a solution to the normalization problem
#
Gargron lmao
#
saranix it was described as intractible
#
saranix existing signatures in social network protocols work this way, signing certain fields
#
saranix any other fields are considered "untrustworthy"
#
saranix DKIM works this way
#
saranix HTTP sigs works this way
#
puckipedia well, sort them, turn the short values into full IRIs as per JSON-LD spec, then write a string describing the contents. oh wait
#
jaywink maybe the problem here is JSON-LD.... ;)
#
saranix I'm saying we don't need their complex algorithm for our non-complex protocol
#
cwebber2 I really think that removing whitespace and sorting keys name isn't complex
#
cwebber2 maybe graph normalization is
#
cwebber2 but that isn't
#
aaronpk that's what they said about OAuth 1
#
saranix cwebber2: My proposal assumes whitespace removal. But you still need to list the fields to ensure no one tries to sneak extra ones in. Since you are already listing them, you might as well allow the order to be important
#
aaronpk https://dev.twitter.com/oauth/overview/creating-signatures
#
cwebber2 saranix: but order isn't preserved in most hashmap representations
#
aaronpk it's a little more straightforward when you have a flat list of properties, but what do you do with JSON where values are objects too?
#
cwebber2 aside from lisp alists, which are O(n)
#
puckipedia saranix: so if you sneak in another one, the signature will change!
#
Gargron i dont have anyone to discuss db design with rn and it is driving me up the wall :weary:
#
saranix cwebber2: you don't store the sig values as a hashmap, you store the json blob of the sig
#
aaronpk and then people gave up on oauth 1 at least partly because of this
#
cwebber2 Gargron: sorry D:
#
cwebber2 I don't know enuf about your db design to be useful I think
#
Gargron thats why i cant even just ask on masto
#
Gargron there's like 3 people who can form an informed opinion
#
puckipedia Gargron: hm, what were you thinking about?
#
saranix puckipedia: no, how?
#
Gargron i have a bunch of fields in accounts table which are used for ostatus. feed url, salmon url, hub url.
#
Gargron now i need to add some AP fields, outbox url, inbox url, sharedInbox url
#
saranix aaronpk: if you have a sub-object, it must be an IRI
#
puckipedia saranix: beacuse the JSON representation of the object changes, so the signature changes
#
puckipedia saranix: ooooh, well, "endpoints"
#
Gargron i was thinking they kinda map onto each other if i rename them and add an account type enum (ostatus|activitypub)
#
puckipedia Gargron: I think that'd be fine. My "inbox" is also the target for Salmon and WebSub :P
#
Gargron i need to add an extra field for followers_url so i can handle the addressing
#
saranix aaronpk: In this way, the person is only signing their OWN object, it is assumed that each other object well have their own signatures attributed to *their* authors
#
Gargron i was also considering caching the totalItems values from followers/following/outbox collections so i could present that to the user maybe
#
puckipedia Gargron: how often would you refresh those values?
#
saranix aaronpk: scratch that, subobject should be allowed to be signed as well. So you know when I "liked" a note that said "that's awesome", that is the version I was liking
#
Gargron good point, it would take extra effort to refresh them on tim
#
Gargron good point, it would take extra effort to refresh them on time
#
puckipedia saranix: so now someone does Update: object
#
puckipedia should that like be undone?
#
puckipedia if a user changes their display name, should their followers all be removed? because the follow isn't valid anymore?
#
saranix aaronpk: so fields: [ "to","content","published",{"parentobj": ["content"]} ] or something
#
puckipedia so now you have an object in JSON-LD that doesn't have an ID
#
jaywink saranix: btw, I don't think the receiver should trust which keys require signing anyway. You could sign one, include only that one in the "fields" and spoof the rest :P
#
saranix puckipedia: the like is only valid for the old version. It isn't undone, but it's up to the UI to display this distinction (or not). It's a simple matter of fact in reality, so no use arguing over it :)
#
saranix What is all this talk of "spoof the rest". If the fields are not signed, they are not signed. Discard them like whitespace. Not rocket science
#
puckipedia saranix: .. okay, imagine this
#
puckipedia user A creates an object
#
puckipedia user B receives that object and likes it
#
puckipedia but at the same time that user B likes it, user A updates it because it contained a typo
#
puckipedia and inbetween the liking and user A receiving the like, the object has thus changed
#
saranix puckipedia: like I said, we are talking about reality here. The fact is, pre-update is not what I signed.
#
saranix puckipedia: it's up to the UI to explain the facts to the user
#
saranix ""user A" liked a previous version of this"
#
saranix or whatever
#
puckipedia does that mean you store /all/ the previous versions of objects?
#
saranix You don't have to
#
saranix Only if you want the sig to still be meaningful
#
puckipedia does that mean you assume that if the signature fails for the inner object, that it was a previous one?
#
Gargron once you verify an object, it's in your db...
#
Gargron why should future updates matter?
#
Gargron i feel like a lot of this discussion is influenced by a not-relational db design
#
saranix not sure backstore really matters
#
saranix But yes, you can just say that "version ABCDEF" was signed by User B. And not have access to that original version anymore
#
saranix to your own users
#
jaywink signatures are really only for s2s delivery, right? signing an activity separately for delivery really doesn't seem that difficult imho (except for deciding how to do it). because a delivery happens always for one activity, right?
#
Gargron as cwebber2 said, it does affect how you view the protocol a lot
#
saranix having already verified the sig and stored it
#
puckipedia saranix: how do you know that object wasn't maliciously edited to show the wrong content, then signed with that wrong content?
#
jaywink I mean, you don't deliver an activity + the likes for it
#
cwebber2 Gargron: future updates even should matter in a relational db if users can modify content right?
#
saranix puckipedia: what do you mean?
#
Gargron yes but not in the way that you need to verify old content *again*
#
Gargron you only need to verify the *update*
#
saranix gargon: right
#
cwebber2 Gargron: that's true, in theory
#
cwebber2 you should get an update for every change
#
puckipedia saranix: you post a {type: Note, content: I am awesome, actor: saranix, id: saranixIsAwesome}. Then I send a {type: Like, object: {type: Note, content: I am horrible, actor: saranix, id: saranixIsAwesome}, signature: [properly signed]}
#
cwebber2 though of course
#
cwebber2 network partitions happen
#
cwebber2 and that's not a guarantee in reality
#
cwebber2 I think that's true in relational and document store both
#
Loqi agreed.
#
puckipedia it validates the signature and sees it's fine. but it doesn't know for certain what an older version of the note says
#
cwebber2 thanks Loqi :P
#
Loqi you're welcome, cwebber2
#
cwebber2 sighs :)
#
puckipedia Gargron: so are there any Mastodon servers that have statuses that show differently on different servers
#
puckipedia like, someone makes a status that shows which instance you're on or something
#
saranix puckipedia: if the published date is not one of the signed fields, then that is an assurance that the author left out. if it's not assured, then it isn't
#
Gargron i dunno what you mean exactly but probably not
#
puckipedia saranix: imagine if the object is exactly the same /except/ for content on the fake object
#
saranix puckipedia: if the content is not signed, then it isn't :-)
#
jaywink do we have an agreement *when* signing and verification happens? I feel there might be confusion. AFAICT it should only happen "signing -> S2S delivery to endpoint" and "verification -> "receiving a S2S delivery to endpoint".
#
saranix puckipedia: If my signature only points to an IRI, then the only assurance you have is that I liked *some version* of that IRI
#
puckipedia hm. oulipo.social doesn't edit incoming statuses
#
puckipedia jaywink: if you were to sign something, it'd be always. so e.g. example.com/user/puckipedia would have the signature too
#
saranix puckipedia: if, however, I signed a specific version, then it is up to the UI to convey that meaninfully
#
puckipedia so actually I just thought of this
#
puckipedia and aactually JSON-LD signatures already has this
#
puckipedia if you sign an object with `object` being a URI, it signs the uri. sign an object with `object` being an embedded object, and it signs it with the embedded object
#
jaywink puckipedia: why would we need to sign every object in example.com/user/puckipedia ? not sure I get why not just for delivery
#
saranix puckipedia: that's what I've been saying :)
#
puckipedia saranix: I mean without having a list that basically says "these things are signed"
#
puckipedia just sign all of it all the time
#
saranix puckipedia: then we have the P=NP signing algo again
#
puckipedia oh wow
#
cwebber2 puckipedia: yeah it's a tricky problem to decide whether to embed when signing
#
saranix also object reconstruction, which is not relational compatible
#
saranix limiting fields removes ambiguity *and* allows different impl to offer different assurances for their particular usecase
#
saranix s/limiting/naming
#
cwebber2 puckipedia: so there's another way to do it, but I dunno if I should say it and get banned from the channel for upending my own work :D
#
puckipedia something something /msg something
#
puckipedia :P
#
cwebber2 http://dustycloud.org/blog/an-even-more-distributed-activitypub/ well I guess I already blogged bout it :)
#
puckipedia aha, I kinda imagined what that'd be based on the title hehe
#
saranix cringes every time someone mentions "blockchain" or "merkle" or "DAG"
#
cwebber2 DAGs are pretty great
#
cwebber2 git++
#
Loqi git has 1 karma in this channel (11 overall)
#
cwebber2 the main reason to cringe at blockchains is that people associate them with bitcoin, which is kinda terrible imo, but doesn't represent the design of all blockchains
#
cwebber2 might not be the design people want everywhere though
#
cwebber2 shrugs
#
cwebber2 all systems are tradeoffs :)
#
saranix It seems there's 2 camps: the hype camp, and the math nerd camp. Not much in between but tumbleweeds...
#
cwebber2 at least the math camp is interesting :)
#
saranix lol
#
cwebber2 or only as full of hot air as "interesting ideas that aren't ready for the world yet"
#
cwebber2 which is the general state of math camps always, until finally it isn't
#
saranix I think it's a translation problem, but yeah, that happens a lot with maths
#
cwebber2 at which point it becomes the smug opinion of mediocre programmers everywhere
#
cwebber2 *making fun of functional datastructures for years, when will those be useful*
#
cwebber2 suddenly
#
cwebber2 "just use git, jeez"
#
cwebber2 in defense of mediocre programmers, I consider myself one ;)
#
cwebber2 a much happier version of things: eventually the practicalists and the theorists eventually converge
#
cwebber2 so maybe we shouldn't make fun of each other as much as try to understand each other :)
timbl joined the channel
#
cwebber2 I say as a practicalist, who tries to mine theorist ideas for the chance that they will be eventually useful :)
#
cwebber2 ... well I sure killed the conversation in here :)
#
jaywink :D ... this channel has ensured I've got nothing done this evening :P
#
saranix https://upload.wikimedia.org/wikipedia/commons/8/80/Field_cricket_Gryllus_pennsylvanicus.ogg
#
puckipedia -> bed
#
cwebber2 gnite puckipedia
#
cwebber2 and sorry jaywink :)
newton joined the channel
#
jaywink Gargron, was thinking of your db question and then of my own multi-protocol implementation. I would keep the fields separate. Otherwise afaict your profiles would not be able to function with both protocols?