#social 2018-08-25

2018-08-25 UTC
#
fiatjaf I'm sorry, I didn't mean to offend, nightpool[m]
#
nightpool[m] hmm?
#
nightpool[m] i'm not offended
#
fiatjaf it was just a cheap opinion, I appreciate the work you do on the standards.
#
nightpool[m] it's a pretty common opinion, i just find it a little confusing.
#
nightpool[m] because obviously there are always going to be extensions and incompatibilities
#
nightpool[m] running a network of federated systems is a political, not technical affair
timbl joined the channel
#
saranix holy mole. Hubzilla sends a gigantic fully expanded ld signed obj with every request, that includes a separately ld signed person/actor object complete with the public key
#
saranix a bit excessive
#
saranix to be clear. the actor is expanded *twice*. once for the activity, and once for the object inside. with pub key. with ld signature
#
nightpool[m] lol
#
saranix the payload is an order of magnitude larger than pleroma for the exact same message
#
saranix lol the actor even has extra fields like nomadicLocation list even if there is only 1 location
#
saranix s/fields/list of objects all expanded
#
saranix the link rel alternate text/html is kinda cool though
xmpp-social, KevinMarks_, vasilakisfil and KevinMarks joined the channel
#
fiatjaf why is json-ld signatures different from jws, jwk stuff?
#
fiatjaf wouldn't it be better to reuse the enormous amount of tooling that already exists for jws?
pdurbin joined the channel
#
fiatjaf is there a golang library that does ld-signatures?
KjetilK joined the channel
#
saranix fiatjaf: I remember reading the answer to precisely that question... I think maybe in the json-ld spec itself?
#
saranix err LDS spec
#
saranix anyways you don't need to worry about LDS... they don't really solve anything and thus no impl are really using them
KevinMarks, KevinMarks_, timbl, cwebber2 and up201705417 joined the channel
#
fiatjaf saranix, that's good to hear, but why are people working on that spec, then?
#
saranix it came out of a different group (now called #ccg) for WebPayments. some AP folks feel it is useful for them to do relaying, but there are other simpler ways
#
fiatjaf saranix: what are these other ways?
#
nightpool[m] ... and some people do use it, so it's kind of misleading to say "no impl are really using them"
#
fiatjaf I've read somewhere that mastodon "canonicalizes" the entire object "using RDF" before signing stuff, is that http signatures? how does that canonicalization works?
#
nightpool[m] that's LDS
#
fiatjaf is mastodon using that? is it required to do that to federate with mastodon?
#
nightpool[m] no
#
nightpool[m] it's using it, but it's not required
#
nightpool[m] mastodon uses it to optionally forward replies to other interested servers
#
nightpool[m] for example, if I (on server A) reply to you on Server B, you might forward that to your followers on servers A and E, who might not know about me otherwise
#
fiatjaf so what happens if your reply comes without a signature?
#
nightpool[m] then it won't get forwarded
#
nightpool[m] and it will just go to the people you deliver it to
#
fiatjaf hmm
#
saranix fiatjaf: signed blobs like the salmon protocol can be used as an easier method, although no one is doing that so compatibility might be an issue, and you can always just avoid relaying altogether
#
fiatjaf this guide mentions http signatures: https://blog.joinmastodon.org/2018/06/how-to-implement-a-basic-activitypub-server/
#
nightpool[m] http signatures are required to federate with mastodon
#
fiatjaf but that's just for identifying the server that is delivering the server
#
fiatjaf ok
#
saranix you can tell the other party about the url, let them fetch the original, there are in fact 2 parties that know whether they are on a followers list, the follower and followee
#
fiatjaf but that doesn't mention how the signature is fetched
#
fiatjaf no
#
fiatjaf the public key
#
fiatjaf there's a public key id, but it resolves to the actor profile
#
nightpool[m] yes, the public key is part of the actor
#
nightpool[m] uploaded an image: image.png (140KB) <https://matrix.cybre.space/_matrix/media/v1/download/cybre.space/IppunLNRnIOIAXKuVdOOKfiA>
#
nightpool[m] do you see the publicKeyPem property there?
#
fiatjaf yes
#
nightpool[m] that's the public key
#
fiatjaf but how can I know it is on 'publicKey.publicKeyPem'?
#
nightpool[m] because that's the vocabulary we use for implementing http signatures ¯_(ツ)_/¯
#
fiatjaf oh, everybody?
#
nightpool[m] well i mean keep in mind that it would be just as valid to have your keyId be "https://example.com/my-key"
#
nightpool[m] sent a long message: nightpool[m]_2018-08-25_23:31:52.txt <https://matrix.cybre.space/_matrix/media/v1/download/cybre.space/MrhTRTpulULOgxiyqgELgqMl>
#
nightpool[m] but nobody does that as far as i'm aware
#
nightpool[m] oops that id would be`"https://example.com/my-key"`
#
fiatjaf the key id doesn't matter, then
#
nightpool[m] to match the keyId
#
nightpool[m] what do you mean?
#
fiatjaf the only thing that matters is the 'publicKey' field on the actor
#
nightpool[m] well, both of them have to match
#
nightpool[m] the keyId is where you find the key
#
nightpool[m] the `owner` or the `publicKey` field on the actor (because one is the inverse of the other) is where you find the actor for a specific key
#
fiatjaf in the mastodon example both the actor and the keyid uris point to the same resource
#
nightpool[m] no
#
nightpool[m] one points to `https://mastodon.social/users/gargron` and one points to `https://mastodon.social/users/gargron#main-key`
#
Loqi Eugen
#
nightpool[m] same document, different resources
#
fiatjaf ok, but I do an HTTP GET to that and get the same thing back
#
nightpool[m] right, it's the same document
#
fiatjaf #main-key is just an useless string, right?
#
fiatjaf ok, suppose the key id is https://mastodon.social/key
#
nightpool[m] sure
#
fiatjaf then I must call that
#
nightpool[m] yep
#
fiatjaf and it must return a JSON document like {"publicKey": {"publicKeyPem": "..."}}
#
nightpool[m] no no
#
nightpool[m] publicKey is a property on an actor
#
nightpool[m] `{"publicKeyPem": "..."}` is the actual key object
#
fiatjaf so I call the keyid uri
#
fiatjaf if I get back an actor I look for "publicKey"
#
fiatjaf if I get back a key I look for "publicKeyPem"
#
nightpool[m] i mean, I guess
#
nightpool[m] you can also just look for the sub-document with the right id
#
fiatjaf what do you mean?
#
nightpool[m] well in one case you're looking for `{"id": "https://my-example.com/actor#main-key"}`, and in the other you're looking for `{"id": "https://my-example.com/key"}`
#
nightpool[m] that's unambiguous no matter what type of wrapper you get back
#
fiatjaf I still don't get it
#
nightpool[m] hmm
#
nightpool[m] let's step back to html documents
#
fiatjaf in the mastodon example the keyid would lead me to an actor profile
#
nightpool[m] if you type `https://www.w3.org/TR/activitypub/#delivery`, it jumps you to the delivery section, right?
#
nightpool[m] *if you type into your browser
#
fiatjaf yes
#
nightpool[m] how does that work? Like, on a technical level
#
fiatjaf the browser reads the hash and looks for an html element with an id equal to that
#
nightpool[m] so it's the exact same thing with json-ld documents
#
nightpool[m] sent a long message: nightpool[m]_2018-08-25_23:43:36.txt <https://matrix.cybre.space/_matrix/media/v1/download/cybre.space/QLpKEJkOTMyhRJTqxYCQCIwl>
#
fiatjaf no, because on https://my-example.com/actor#main-key there isn't an attribute named "main-key"
#
nightpool[m] no, but there's an attribute named "https://my-example.com/actor#main-key"
#
nightpool[m] which is the same thing
#
nightpool[m] just with an absolute instead of relative URI
#
fiatjaf ok, so I must look into all objects inside each and every field of the json I get back
#
fiatjaf until I find one that has an id of "https://my-example.com/actor#main-key"
#
nightpool[m] If you want to do it that way, yes
#
fiatjaf what is a better way?
#
nightpool[m] that's the "better" way
#
nightpool[m] it's more general then expecting "either an actor or a key"
#
fiatjaf even if I get an object like {"a": [{"x": [{"a": {"id": "https://my-example.com/actor#main-key"}}]}]}
#
fiatjaf is that how people are doing this?
#
fiatjaf they just go into all fields of the json recursively?
#
nightpool[m] i can only speak for mastodon
#
nightpool[m] which currently uses the "actor or key" approach, because mastodon isn't particularly worried about being Correct—we assume that it's pretty easy to fix our broken compatibility once someone makes us aware of it
#
fiatjaf why not just tell people to always return a key?
#
nightpool[m] well, it's more requests and documents to store
#
fiatjaf when we request an object A of any kind in any situation we may get back an object B which wraps object A and thus we have to search for A inside?
#
nightpool[m] in general, to my knowledge, json-ld resources may be embedded in some sort of overarching structure, yes.
#
nightpool[m] in practice the only real time this comes into play is when you both a) want to embed an object and b) want to refer to it separately
#
fiatjaf somebody should come up with a different standard, json-ld-direct
#
fiatjaf where you must use the full uris every time instead of @context
#
fiatjaf and you must always return the requested object and nothing more
#
nightpool[m] i mean, how else do you expect `#id` uris to work?
#
nightpool[m] they're literally called sub-resource identifiers
#
nightpool[m] wait i might be confusing that with something else