#social 2019-01-24

2019-01-24 UTC
xmpp-social and cwebber2 joined the channel
# 11:28 
cwebber2 hello
# 11:29 
cwebber2 who all is coming (or is interested in coming) to fosdem?
# 11:32 
JasonRobinson[m] cwebber2 (IRC): will be there
# 12:55 
fr33domlover Hi people!
# 12:55 
fr33domlover OCAP-LD question: Who hosts the capability delegation document?
# 12:55 
fr33domlover cwebber2, ^
# 12:55 
fr33domlover ^_^
# 12:55 
fr33domlover Say object@server1 delegates capability to user@server2
# 12:56 
fr33domlover In the spec, the @id of the delegation is at server 1, but that seems to make little sense to me unless that id is meaningless, because server2 is the one using the capability, they need to make sure not to lose it etc. while server1 can do send-and-forget
# 12:57 
fr33domlover (server1 signs the delegation, they can always verify their own signature even if they receive it from someone else)
# 12:57 
cwebber2 fr33domlover: anyone "can" host it
# 12:57 
cwebber2 probably most sensibly though, the server of the person delegating
# 12:57 
cwebber2 assuming hosting servers are even involved!
# 12:58 
cwebber2 consider that you could even host ocap-ld docs over ipfs :)
# 12:58 
fr33domlover cwebber2, suppose they're involved :) in my use case I mean. But yeah could be ipfs too yay
# 12:59 
fr33domlover cwebber2, I mean if entityA gives many capabilities to a variety of people, and it has to host them all, seems kind of heavy
# 12:59 
cwebber2 fr33domlover: yes
# 12:59 
fr33domlover cwebber2, like it would be nice if people wanting access to a resource have to host the delegation they receive
# 12:59 
cwebber2 in general, the way the fediverse is used to hosting documents is heavy in that way too
# 12:59 
cwebber2 IMO
# 12:59 
cwebber2 the best route we cold go is to get people away from that
# 12:59 
fr33domlover cwebber2, yeah it's usually the opposite like you host what you write
# 12:59 
fr33domlover but maybe in this case
# 12:59 
fr33domlover do it the opposite way?
# 12:59 
cwebber2 https://github.com/WebOfTrustInfo/rwot7-toronto/blob/master/topics-and-advance-readings/magenc.md
# 13:00 
cwebber2 there are some thoughts about how to escape the bitrot nightmare that is the modern web / fediverse while retaining privacy
# 13:02 
fr33domlover cwebber2, that's a nice idea :) I'm happy to consider and try stuff, I'm just starting to implement federation for my app so I'm open to new stuff. But I also want to get started with something, to code some initial actual method and start federating. I'm leaning towards people hosting delegations they receive and the server doesn't store them at all, only problem is that the delegation @id would be
# 13:02 
fr33domlover meaningless, I saw you opened an issue about making the @id not required
# 13:03 
fr33domlover And this would be wonderful here
# 13:03 
fr33domlover Because the target doesn't even store the delegation (there's no need to; it receives it later from remote users who want to invoke it)
# 13:04 
fr33domlover Hmmmmmmm on the other hand hosting it is easier to be by-the-spec and do stuff the way the fediverse does :p
# 13:04 
cwebber2 if doing http based hosting
# 13:04 
cwebber2 I'd have the delegator host it
# 13:05 
fr33domlover cwebber2, so if I'm a car sending people car keys, I "host" all the delegations for them?
# 13:05 
cwebber2 the problems you've observed are also a headache in general for hosting posts and user profiles on the fediverse though :)
# 13:05 
cwebber2 fr33domlover: you could.  another option is to just generate a uuid
# 13:05 
cwebber2 and have them "embed" the full chain
# 13:06 
cwebber2 so no hosting at all in that case; invocations have a larger payload
# 13:07 
fr33domlover cwebber2, you mean you only keep the ID of the delegation and not the whole JSON-LD document?
# 13:10 
fr33domlover cwebber2, hosting posts and profiles is a bit different because public material ends up being cached in a million places; I guess ocap docs are generally personal, private, you just host them in 1-2 places at most (well, unless there's long delegation chains, but I guess  without hierarchical organizations etc. there won't be many chains longer than 2-3)
# 13:17 
fr33domlover We sign the capability in order to hand it out to others right? In which case, we don't need to host it, it just wastes space. And if we keep it loca, there's no need to sign it, because we're the only ones verifying it and we trust ourselves (am I right? maybe corner cases exist?)
# 13:18 
fr33domlover I do see one clear case we "remember" capabilities we send: When we want to be able to revoke them, we keep some ID so that we can revoke by deleting the ID from our DB
# 13:19 
fr33domlover If I give someone access to edit my stuff, I definitely want to be able to revoke this access
# 13:22 
cwebber2 fr33domlover: right
# 13:22 
cwebber2 so, that's a case for handing out with the entire chain embedded :)
# 13:22 
cwebber2 but, I have to leave!
# 13:22 
cwebber2 gotta go to my client's office
# 13:22 
cwebber2 later, *
# 13:26 
fr33domlover Oh I see! Yeah you'd be handing out the entire chain
# 13:26 
fr33domlover In my case there's no chain, I mean, just handing out top-level delegations
# 13:26 
fr33domlover Maybe that was confusing me
# 13:26 
fr33domlover I see now :)
tantek joined the channel