#social 2019-01-10

2019-01-10 UTC
#
hellekin
cwebber2: natacha and zeyev are going to present something about organization prior to the AP panel. As I wanted you on the panel rather than as a moderator, I asked them to take that role. As we still did not decide on the speakers they don't appear. Although Pentabarf makes a difference between various roles (moderator, speaker...), the Web interface of the schedule does not.
#
hellekin
the preparatory discussion is meant to gather as many people from the AP community to discuss topics and speakers.
#
cwebber2
hellekin: aha :)
#
cwebber2
ty for the clarification
#
hellekin
:)
#
hellekin
is reading http://waterken.sourceforge.net/web-key/ (I guess you have as well, given your goblins)
eprodrom, ajordan_, ajordan, timbl, xmpp-social, Guest84, hellekin, jdormit, hankgrabowski and HankG joined the channel; eprodrom left the channel
#
HankG
Hello, just joined and set up IRC for this channel. Just saying hello :)
#
rialtate[m]
Hello
jdormit joined the channel
#
jdormit
So I'm thinking about how to handle authentication for my AP library
#
jdormit
figuring out if a request is authorized to act on behalf of one of my server's users is the same as authentication for any other local service
#
jdormit
e.g. make them log in then store a cookie or whatever, lots of ways to skin that cat
#
jdormit
but what about requests for objects that my server owns that are private but addressed to actors on other servers?
#
jdormit
e.g. let's say my user Bob sends a private message to Alice, who has an account on another server
#
jdormit
Alice should be able to GET the id of that message and retrieve it from my server
#
jdormit
But how do I make sure the request actually comes from Alice?
#
jdormit
I can try to validate the HTTP signature with the public keys of every actor that the object was addressed to, but that could potentially be a lot of work if it was addressed to a lot of actors
#
jdormit
but the spec doesn't have a way of saying "this GET request is associated with the actor with this id", so I don't see another option
jdormit[m] joined the channel
#
jdormit
the other answer is that Alice just retrieves the version of the message that her server stored when I delivered it to her
jdormit[m] joined the channel
#
jdormit
which works, but it's a little weird that her server wouldn't be able to dereference the message from my server
#
rialtate[m]
> I can try to validate the HTTP signature with the public keys of every actor that the object was addressed to, but that could potentially be a lot of work if it was addressed to a lot of actors
#
rialtate[m]
Matching keyId does not seem like a lot of work. It's only a problem if you use one key for multiple actors (some do). Ha!
#
jdormit
well, let's say my message is addressed to Alice and Joe, neither of which are actors that I control
#
jdormit
and I receive a GET for that message
#
jdormit
how do I know if it is Alice or Bob or someone else who signed that request?
#
jdormit
s/Bob/Joe
#
jdormit
I'd have to try them both
#
jdormit
and if it was a message that was addressed to hundreds of actors, validating the signature against all of them would be prohibitively expensive
#
jdormit
am I missing something?
#
rialtate[m]
The HTTP signature header has a keyId field. If the GET is signed with https://alice.example/keys/1, which you know to be `owner` https://alice.example/actor, then you know it is Alice making the request. Simple SQL query if you do it right.
#
jdormit
OH
#
jdormit
that makes perfect sense
#
jdormit
thanks!
#
rialtate[m]
😂 sure