#social 2020-02-08

2020-02-08 UTC
nedjo, jacky, sl007 and BitBot joined the channel
#
nightpool[m] cwebber2 (IRC): ah, sorry, didn't see your response and forgot to drop a link here. let me make a new post right now, but so far no-one has responded to the agenda thread: https://socialhub.activitypub.rocks/t/2-8-socialcg-telecon/507
#
nightpool[m] and, well, you know. if the meeting doesn't happen, more time for me to work on my own stuff :D
#
cwebber2 nightpool[m]: cool, promoted it :)
pukkamustard and sl007 joined the channel
#
cwebber2 socialcg call in 10mins!
#
nightpool[m] *~*/~/*~*/~/~*/~
#
melody are we expecting participants?
lanodan joined the channel
#
nightpool[m] At least a couple.
nedjo, Zakim and RRSAgent joined the channel
#
RRSAgent logging to https://www.w3.org/2020/02/08-social-irc
#
nightpool Zakim, this is mumble on dustycloud.org / port 64738 / password “goblincamp”
#
Zakim got it, nightpool
#
nightpool RRSAgent, make logs public
#
RRSAgent I have made the request, nightpool
#
nightpool Meeting: Social CG Telecon
#
nightpool cwebber2, are you chairing or should I?
emacsen joined the channel
#
cwebber2 nightpool: why don't you chair
#
cwebber2 and I can scribe
#
nightpool sounds good
#
nightpool Chair: nightpool
#
cwebber2 scribe: cwebber2
#
nightpool Agenda: https://socialhub.activitypub.rocks/t/2-8-socialcg-telecon/507
#
nightpool ScribeNick: cwebber2
#
nightpool[m] Cool, let me jump on mumble and we'll get started
#
cwebber2 great
#
cwebber2 nightpool: thanks everyone for coming, why don't we start with intros
#
cwebber2 nightpool: I'm nightpool, I'm a mastodon developer and contributor and co-chair for the socialcg
#
cwebber2 note you can also give intros here on irc if preferred
#
lanodan Hi, I'm lanodan, pleroma full-time developer and admin of my own instance at queer.hacktivis.me (got no mic)
#
lanodan Yeah
tsyesika joined the channel
#
cwebber2 cwebber2: I'm Chris Webber, worked on ActivityPub, now working on Spritely, co-chair of the socialcg
#
nightpool[m] pokes emacsen (IRC)
#
emacsen sorry, my mumble is acting up
#
cwebber2 emacsen: I'm Serge, I'm interested in federated social web stuff, I'm currently working on Datashards, which I hope to be adopted as a complementary project to AP in the future
#
emacsen I had to poke it
#
sl007 Hi I am Sebastian and doing redaktor.me (inherently-social website-building software capable of serving website-building needs of institutions, journalist organisations, citizen journalism and photo/film documentary.
#
sl007 ;)
#
emacsen present+
#
melody present+
#
cwebber2 present+
#
nightpool[m] present+
#
lanodan present+
#
tsyesika present+
#
sl007 present+
#
nedjo present+
#
cwebber2 melody: I'm Melody, working on social tech, not necessarily activitypub, just in general, I'm also interested in mitigating anti-harassment online
#
cwebber2 setthemfree-at-memot-dot-fr: My name is Yury, I'm just curious about the future of the Fediverse, trying to figure out how to explain it to people in my city, country, language space etc. So I'm here just out of curiousity:)
#
cwebber2 nedjo: I'm nedjo, I'm active in Drupal dev, for the last few years I've been working at a Drupal distro acalled Drutopia, we're looking at integrating AP for Drupal
#
cwebber2 sl007: I'm Sebastian / sebi, I'm doing redaktor.me which is a social CMS, designed for the needs of journalists and photojournalists. I was a documentary photojournalist who switched to coding
#
cwebber2 cwebber2: tsyesika asked for me to give her intro, she's co-editor / co-author of activitypub, used to work on mediagoblin with me
#
cwebber2 nightpool: ok, I wrote some broad topics of interest, then we can move onto other stuff people are working
#
cwebber2 nightpool: I know people are interested in ocap stuff and datashards so if cwebber2 and emacsen can give an update
#
nightpool[m] ScribeNick: nightpool
#
nightpool[m] cwebber: Alright, i'll give an update on OCAPub and pass it over to Serge to do datashards.
#
nightpool[m] cwebber2 (IRC): so, the status of OCAP stuff is that there was an OCAPub spec a while ago, and that stuff is near completion
#
cwebber2 cwebber2: ocap social network discussion https://groups.google.com/forum/#!topic/cap-talk/icey8aO5ABo
#
cwebber2 cwebber2: confused deputy testing https://groups.google.com/d/msg/cap-talk/5Q8BM3aW0Gw/lHzTgXaQAgAJ
#
nightpool[m] cwebber2 (IRC): i've been trying to get security review, especially from the broader ocap community, through the cap-talk mailing list
#
sl007 q+
#
Zakim sees sl on the speaker queue
#
nightpool[m] cwebber2: There's some good discussion on non-ocappub specific social networking capability secuity there on the first link and then also some specific security review in the second link
#
cwebber2 scribenick: cwebber2
#
cwebber2 cwebber2: I've also been working on something called Spritely Goblins, which is ocap related, but more foundational, so not *directly* AP related though will be used for that
setthemfree joined the channel
#
cwebber2 ack sl007
#
Zakim sees sl on the speaker queue
#
cwebber2 ack sl
#
Zakim sees no one on the speaker queue
#
nightpool[m] ScribeNick: cwebber2
#
cwebber2 sl007: a question about object capabilities... I can give feedback about the feedback from 37c3 and OFFDEM... was full of AP sessions for one day
#
cwebber2 sl007: my question goes out to lanodan, but because what we saw at the event is that pleroma specified its own ocap system called litepub
#
cwebber2 sl007: I'm concerned nobody else will use it
#
lanodan LitePub is more like a profile of ActivityPub not really some restriction, our IR is more liberal
#
lanodan And yeah I'm involved in LitePub
#
cwebber2 nightpool: to give context, I haven't heard much about litepub in the mastodon side, I definitely think there's spaces to give unificiation to ocappub
#
cwebber2 q+
#
Zakim sees cwebber on the speaker queue
#
cwebber2 nightpool: but I think those two things are working in the same space
#
cwebber2 we should relay what lanodan says when nightpool is dones
#
lanodan Yeah
#
cwebber2 nightpool: I think it's fine to explore both and then figure out if it can be unified
#
nightpool[m] ack cwebber2 (IRC)
#
nightpool[m] ack cwebber
#
Zakim sees no one on the speaker queue
#
nightpool[m] https://git.sr.ht/~kaniini/draft-conill-bearcaps-uri-scheme
#
lanodan btw kaniini left the pleroma project so might need some kind of people taking over?
#
cwebber2 cwebber2: kaniini and I both worked on bearcaps which could be used for both ocappub and litepub
#
lanodan And I can volunteer on this
#
cwebber2 q?
#
Zakim sees no one on the speaker queue
#
cwebber2 nightpool: ok emacsen, can you go forward on datashards?
#
cwebber2 emacsen: datashards has been publicly quiet but privately active
#
cwebber2 emacsen: we've been working on a better URI scheme, and better support for efficient storage of small data
#
cwebber2 emacsen: and also support for large storage, which didn't exist before
#
cwebber2 emacsen: and also some new store URI support, using bearcaps
#
cwebber2 emacsen: I anticipate that'll take a couple of weeks, and then we can look at public AP integration
#
cwebber2 nightpool: this may be the first time people have heard of datashards, can you describe it?
#
cwebber2 emacsen: the goal of the project is secure storage of data that is not reliant on where it lives for it to be secure
#
nedjo More info on datashards: https://datashards.net
#
cwebber2 emacsen: that means we can do data collectives where we store each others' data with blindness to what the content is
#
cwebber2 nightpool: from an activitypub perspective the goal is to address decentralized storage
#
cwebber2 emacsen: that's right, if used in AP if nodes go down temporarily or permanently and activities would not be lost to time if they were still interesting to the network
#
cwebber2 q+
#
Zakim sees cwebber on the speaker queue
#
Zakim sees no one on the speaker queue
#
nightpool[m] ack cwebber
#
nightpool[m] cwebber: One thing to add is that mutable datashards might help with account migration, where if your node goes down, you can repoint it to a new node
#
sl007 q+
#
Zakim sees sl on the speaker queue
#
nightpool[m] ack sl
#
Zakim sees no one on the speaker queue
#
cwebber2 sl007: Chris said it might help with account migration, what would help the most? the world won't change, is that correct? if you migrate an account the URI stays the same?
#
nightpool[m] s/world/url
#
cwebber2 emacsen: I think that's a long question to answer, better served offline
#
sl007 https://socialhub.activitypub.rocks/t/is-objects-id-immutable/381
#
cwebber2 nightpool: but yeah the broad idea is that there's a decentralized identifier that doesn't change
#
cwebber2 emacsen: yes
#
cwebber2 q?
#
Zakim sees no one on the speaker queue
#
cwebber2 sl007: not a question but I put a link about account migration, so I put in a link there for emacsen to look at
#
cwebber2 nightpool: to give a summary of a link, people are looking at username changing, and there's some debate about whether mutable or immutable identifiers make sense
#
cwebber2 nightpool: I think that conversation may be out of scope...
#
cwebber2 sl007: I linked it so that we can continue the conversation there
#
cwebber2 nightpool: sounds good
#
cwebber2 nightpool: looks like that covers the ocap and datashards stuff, but I'd like to give some space to queue up on other items to talk about
#
cwebber2 might want to describe how q+ works
#
cwebber2 nightpool: I could schedule the other ones for later
#
cwebber2 nightpool: the queuing system works so that if you type q+, it's like raising your hand, the chair will look to the speaker queue to find out who's next
#
cwebber2 q?
#
Zakim sees no one on the speaker queue
#
cwebber2 I think the topics listed are good if nobody has anything else
#
cwebber2 nightpool: looks like nobody else has something to queue, so let's go with the agenda items
#
cwebber2 nightpool: so the next one is FEDERATION.md and interop by darius
#
cwebber2 nightpool: some documentation of objects and activities for specialized instances
#
sl007 https://socialhub.activitypub.rocks/t/documenting-federation-behavior-in-a-semi-standard-way/453
#
cwebber2 nightpool: the idea is that when you are implementing a specialized server that goes only over a subset of activities
#
cwebber2 nightpool: it basically describes an interface of supported types
#
cwebber2 nightpool: darius is working on an event-planning system
#
nightpool[m] https://socialhub.activitypub.rocks/t/documenting-federation-behavior-in-a-semi-standard-way/453/10
#
cwebber2 nightpool: kind of like meetup place called ???
#
cwebber2 nightpool: has added federation support, added this FEDERATION.md where you can document what you can write and respond to
#
sl007 q+
#
cwebber2 nightpool: if anyone has thoughts and feedback on this I'd love to hear
#
Zakim sees sl on the speaker queue
#
nightpool[m] s/a meetup place/a meetup.com replacement/
#
nightpool[m] s/???/gath.io/
#
cwebber2 sl007: for redaktor.me we started writing a FEDERATION.md and we like it
#
cwebber2 sl007: there was a machine-readable one described
#
lanodan Quite weird to pick markdown instead of like something a bit like swagger so it can be more or less parseable (could be useful to hint that like Honk doesn't support Like to an user).
#
cwebber2 sl007: we aim for maximum interoperability and I think this is quite the right way
#
cwebber2 q+
#
Zakim sees sl, cwebber on the speaker queue
#
nedjo q+
#
Zakim sees sl, cwebber, nedjo on the speaker queue
#
sl007 q+
#
Zakim sees sl, cwebber, nedjo on the speaker queue
#
cwebber2 ack sl
#
Zakim sees cwebber, nedjo on the speaker queue
#
sl007 q-
#
Zakim sees cwebber, nedjo on the speaker queue
#
nightpool[m] ack sl
#
Zakim sees cwebber, nedjo on the speaker queue
#
nightpool[m] ack cwebber
#
Zakim sees nedjo on the speaker queue
#
nightpool[m] cwebber: I think it's good to identify this as the abstract problem that it is, which is interface descriptions
#
nightpool[m] cwebber: that is, the interface between clients and servers and between servers themselves
#
nedjo q-
#
Zakim sees no one on the speaker queue
#
nightpool[m] cwebber: The thing I find interesting about FEDERATION.md is that it is human readable, and it's not interested in being machine readable.
#
melody q+
#
Zakim sees melody on the speaker queue
#
nightpool[m] cwebber: designing a machine readable form of this could take a very long time, and there are a couple of projects like Hydra that have attempted to do so
#
nightpool[m] cwebber: we thought about a similar JSON document when we were writing activitypub, defining the types you'd allow
#
cwebber2 nightpool: could you give more context, did it fall out of scope?
#
sl007 cwebber2 FYI, found the machine readable thing https://github.com/jhass/nodeinfo
#
Loqi [jhass] nodeinfo: NodeInfo defines a standardized way to expose metadata about an installation of a distributed social network
#
nightpool[m] cwebber: this was something discussed very earlier in the SocialCG's existence, right after the social web working group ended.
#
nightpool[m] cwebber: there were two proposals, one for a .well-known kind of thing, and one where an actor's profile pointed at this kind of information
#
melody q+
#
Zakim sees melody on the speaker queue
#
sl007 q+
#
Zakim sees melody, sl on the speaker queue
#
cwebber2 q?
#
Zakim sees melody, sl on the speaker queue
#
cwebber2 nightpool: I remember this a bit more now that you've jogged my memory, this was part of the node-info stuff and client negotiation stuff
#
nightpool[m] cwebber: the broader context of this was discussions around server-level information, and how much information should be provided on the software and where that informatino should live
#
nightpool[m] s/informatino/information/
#
cwebber2 melody: I just wanted to say I think one of the things I like about FEDERATION.md is that in a lot of ways just knowing the types isn't enough, there's a certain point you need the human intervention to understand the semantics of what the types are and how they're used... especially in some of the ways people stretch the meaning of types of what they expect of very different things. I think it makes sense to have something a human can
#
cwebber2 read and interpret
#
cwebber2 melody: important before you get into the brass tacks to get to why it's represented that way
#
lanodan Yeah, this is why I think it should be more like a description on how each activity is understood (like how Mastodon used to except 500 characters for as:Note). So if it's a JSON it's more like a list of description per activity name.
#
cwebber2 nightpool: yeah I also talked a bit about how this is relevant to specialized clients and generic servers. There's a bit of tension between how people are using AP (specialized servers) vs how designed (generic server). I think this is one thing that arises out of that tension
#
cwebber2 q+
#
Zakim sees melody, sl, cwebber on the speaker queue
#
cwebber2 q?
#
Zakim sees melody, sl, cwebber on the speaker queue
#
nightpool[m] ack melody
#
Zakim sees sl, cwebber on the speaker queue
#
nightpool[m] ack sl
#
Zakim sees cwebber on the speaker queue
#
cwebber2 sl007: I think it's most important that we get people together and talk, more important than machine-readable thing for sure
#
cwebber2 sl007: I posted a link into irc of nodeinfo
#
cwebber2 sl007: which has some integration for the following softwares [long list, including some AP ones ...]
#
cwebber2 sl007: like half of the AP universe
#
cwebber2 sl007: I wanted to link it but didn't have time
#
cwebber2 nightpool: just to describe, nodeinfo is something run by the server, so there's one nodeinfo document per server. Note that nodeinfo is a very restrictive spec... it does have some compatibility info but very coarse
#
cwebber2 nightpool: it does have some metadata information
#
cwebber2 nightpool: I know pleroma uses it for some additional info for s2s federation
#
cwebber2 q?
#
Zakim sees cwebber on the speaker queue
#
nightpool[m] ack cwebber
#
Zakim sees no one on the speaker queue
#
nightpool cwebber2: first off, I'm very glad to hear how widely supported nodeinfo is, and secondly I think both of these approaches are valuable
#
nightpool ... I think it would be very sad if FEDERATION.md was the only way of approaching this, and I think nodeinfo is valuable as a very broad "survey" of what is currently implemented on the fediverse
#
nightpool ... but notably, and this is why we originally suggested a simple JSON list of types, is that getting this kind of rich granularity is very, very hard.
#
nightpool ... it's hard to build this kind of contract language that can describe these features well
#
melody q+
#
Zakim sees melody on the speaker queue
#
nightpool ... and in the meanwhile, I'm very excited about FEDERATION.md, even if it isn't machine readable, because it gives insight into what kind of things implementors are doing and care about
#
nightpool ack melody
#
Zakim sees no one on the speaker queue
#
nightpool q+
#
Zakim sees nightpool on the speaker queue
#
cwebber2 melody: I agree, and I think it's good that we also have something that's machine readable, especially for simple negotiation between C2S & S2S. I also love that FEDERATION.md does not try to be that thing, because there's so much unspecified side effect behavior and etc, and I'm not sure how to represent in a machine-parasable way, and it's great to explain to a human what you're doing with all that. I think both approaches are
#
cwebber2 necessary for different things and different reasons.
#
cwebber2 melody: I'm looking forward to the possibilities that opens up
#
cwebber2 nightpool: yes I think the things people have said, there's value to two approaches, one that's machine readable coarse thing, and then we can iteratively make it more fine grained where that granularity is useful, and a very fine-grained but human readable FEDERATION.md and we can aggregate some of that information
#
cwebber2 nightpool: it might be useful to do something as if it were a survey of a fediverse
#
cwebber2 nightpool: maybe there's a way to link to it on the fediverse and represent it
#
cwebber2 nightpool: one issue I have with nodeinfo is you can't do two on the same server... one issue with mastodon is our dependency on fediverse has made it hard to deploy on the same domain (eg deploying alongside nextcloud). I think going forward, especially with the way AP was designed, would love to see things happen on the actor level. That can be then collected in the same way we collect nodeinfo. I think that makes more sense
#
cwebber2 especially as we move into C2S and other kinds of servers
#
cwebber2 +1
#
cwebber2 q+
#
Zakim sees nightpool, cwebber on the speaker queue
#
nightpool ack nightpool
#
Zakim sees cwebber on the speaker queue
#
nightpool ack cwebber2
#
Zakim sees cwebber on the speaker queue
#
nightpool ack cwebber
#
Zakim sees no one on the speaker queue
#
cwebber2 cwebber2: I just like to say that I liked how we started achieving consensus and it's nice when a community does that
#
sl007 full ack
#
cwebber2 nightpool: great! these next two agenda items are about issues for activitypub developers, and ways to make AP more approachable and accessible. The first of these is a draft guide for AP implementors written by nedjo, haven't had time to read the whole thing but it looks very thorough
#
cwebber2 nightpool: nedjo, want to give an overview?
#
cwebber2 nedjo: sure! so I'm relatively new to AP, I've gone through a process similar to most of you... I looked around and started to collect what I needed to get going, found some notes, and saw conversations about that. I saw the drafts about activitypub.rocks site, started working on that dividing it into three parts: general intro to AP, one generally short guide for users who want to get using, and the third is a guide for AP
#
cwebber2 implementors
#
cwebber2 this sounds great!
#
cwebber2 nedjo: this is here in this wiki just as an interim step I think
#
cwebber2 nedjo: I'm interested in participating in improving it and finding a more usable site for it
#
cwebber2 nedjo: balancing it with a need for a format that can be easily community edited... "oh, I didn't put anything with FEDERATION.md here!"... so that's the current status!
#
nightpool[m] https://socialhub.activitypub.rocks/t/draft-guide-for-new-activitypub-implementers/479
#
cwebber2 nightpool: right now it exists as a publicly editable wiki, linked above
#
cwebber2 q+
#
Zakim sees cwebber on the speaker queue
#
Zakim sees no one on the speaker queue
#
nightpool[m] ack cwebber
#
nedjo q+
#
Zakim sees nedjo on the speaker queue
#
nightpool[m] ack nedjo
#
Zakim sees no one on the speaker queue
#
cwebber2 cwebber2: this looks great, think it's been needed, how to get it on ap.rocks also is a conversation
#
cwebber2 nedjo: great, I'd love to talk about next steps, maybe a team or etc that works on it, or? I think getting some group review would be really important because obviously I'm coming as a relative newcomer and want to put what I come up with that it's had more eyes on it
#
cwebber2 q+ to suggest we follow this up on the next meeting
#
Zakim sees cwebber on the speaker queue
#
cwebber2 nedjo: maybe we can have a documentation team and get it somewhere
#
cwebber2 nightpool: yes we should follow up with this next meeting, and let's get updates to ap.rocks website in feb
#
emacsen +1
#
lanodan +1
#
cwebber2 cwebber2: big thank you to nightpool for organizing and running the meeting, great work :)
#
nedjo +1
#
cwebber2 nightpool: sounds like we have a great set of next steps, want to make sure it gets even better in 2020. I think that's all we have for today, we'll continue this stuff on socialhub.ap.rocks
#
cwebber2 nightpool: my guess is next meeting will be in 2 weeks, I'll make a new agenda item for it and we can fill it in
#
cwebber2 nightpool: have a good day everyone!
#
lanodan Bye o/
#
nightpool[m] Zakim, bye
#
Zakim leaving. As of this point the attendees have been emacsen, melody, cwebber, nightpool[m], lanodan, tsyesika, sl, nedjo, setthemffree-at-mamot-dot-fr
Zakim left the channel
#
nightpool[m] RRSAgent, make logs public
#
RRSAgent I have made the request, nightpool[m]
#
nightpool[m] RRSAgent, create minutes
#
RRSAgent I have made the request to generate https://www.w3.org/2020/02/08-social-minutes.html nightpool[m]
#
nightpool[m] RRSAgent, bye
#
RRSAgent I see no action items
RRSAgent left the channel
#
melody cwebber2: i've been reading the threads you linked & while i'm not sure i can see the vulnerability described, it occurs to me to ask a separate question -- how critical is the ability to publish edge names for a petnames system to work? like in your example (publishing Alice Smith vs. Little Brat) -- one is de-anonymizing and the other is potentially abusive, it's not hard to imagine attacks based on publishing abusive edge names or doxxing via them
#
lanodan Wouldn't the abuse part be avoided if the petname be only local?
#
cwebber2 melody: one can always do that even without edge names
#
cwebber2 "<link-to-user> is <whatever-name-you-want-to-give-them>"
#
cwebber2 so as outing someone
#
cwebber2 the behavior already exists
#
cwebber2 however it does increase the places one may see it
#
lanodan (And well we can already do @<slur> in mentions)
#
melody yes, but edge names become part of the automated system - they are displayed in the interfaces of other people and used for attestation, so it becomes integrated into the system
#
cwebber2 melody: that's true and I won't deny that
#
cwebber2 I do think people will do things like eg write bad things about a politician they don't like
#
cwebber2 let alone trolling each other
#
cwebber2 but
#
cwebber2 I do think it is necessary in a decentralized naming system, yes
#
nightpool[m] the de-anonymizing concern is I think less of an issue, because de-anoynmization doesn't get the same "benefit" from being integrated into the system that abuse does
#
cwebber2 and I think it reduces phishing level
#
cwebber2 nightpool[m]: I think that's accurate
#
cwebber2 it's more the trolling aspect
#
melody there's also issues of updating self-ascribed names, which in a petname system is a vulnerability but can be necessary when the old name is no longer accurate -- i think there's ways to maybe solve this (like publishing an update request that other users can accept) but this is a downgrade from say, twitter, where your self-ascribed name will just populate
#
cwebber2 I think, when initially integrated, what we'd see is a lot of initial trolling, and we'll always see it used that way for high profile people. hopefully over time, a "netiquitte" will appear
#
cwebber2 melody: yes, we were thinking the same of pushing an update request that is "sticky" in your UI
#
cwebber2 that you have to act on accepting/rejecting
#
lanodan And maybe some kind of moderation on it?
#
melody i think we'll also see like, channers use mass publication of edge names to propogate abusive information about a target
#
lanodan ^
#
cwebber2 melody: I do think you're right they'll be used that way, though I don't think it's entirely new either
#
cwebber2 the other thing is
#
cwebber2 you'll only see the edge names of channers you're following, if you're following any
#
lanodan I specially see this one because on the fediverse an abuser can create basically as much actors as they want.
#
cwebber2 this actually I think is *less* severe in the "as many as you want" problem
#
melody hmmm
#
lanodan So it needs to be resistant to this kind of abuse
#
cwebber2 because it's only for your network of people you follow
#
cwebber2 it does have the "people who are assholes co-conspiring" problem
#
cwebber2 I agree with that
#
cwebber2 but it isn't more vulnerable to a sybil attack
#
cwebber2 it's less vulnerable to that one
#
melody i might have been thinking of it more like attestations on keyservers than i should have been, need to think through the implications of follow networks
#
cwebber2 afaict
#
cwebber2 melody: yes, so when you add someone as a contact, *that's* when you get their edge names
#
nightpool[m] in some senses this is a very similar problem to "allowed replies"
#
cwebber2 (which you could turn off a particular person's edge names, if you want to remember who they are but don't want to get their edge names)
#
lanodan I guess if it's followers-only that could be okay
#
cwebber2 yes it *has to be* that edge names only flow from your petnames.
#
nightpool[m] i.e. "how do you block people from replying to you and then passing that information around to their followers"
#
cwebber2 that's the only way it works.
#
melody yeah, i might have been thinking of publishing these as being more global than local scope
#
cwebber2 yep petnames are entirely a local scoping system, with discovery from there
#
cwebber2 start with your contacts, bridge outwards
#
cwebber2 of course that can be used as a harassment tool for harassers who want to conspire with other harassers
#
cwebber2 but kiwifarms shows we don't need a petname system for that too
#
melody assuming people don't circumvent the system by creating like, a global followable actor that aggregates edge names so that people can be aware of more nodes or see more content
#
cwebber2 melody: well, you can choose to have a large scale naming hub
#
cwebber2 eg
#
cwebber2 I could add a special petname for dns
#
melody yeah i mean people will 100% do that thing i just said
#
cwebber2 and get dns "absorbed" into my system
#
cwebber2 dns => dustycloud.org
#
lanodan Only thing is that we shouldn't make it too easy, if it's only kiwifarms that's fine but if it can be done by all edgy kids… meh
#
cwebber2 and of course several of these will become major naming hubs
#
cwebber2 but the thing is
#
cwebber2 those naming hubs are no more privileged than any other naming hub
#
cwebber2 dns has no more power than your local baking club
#
cwebber2 in that you can also do
#
cwebber2 baking club => Chris Webber (cookie baker)
#
melody maybe not technically, i think pragmatically there's a risk of one becoming a de-facto standard and then being used abusively but i guess welcome to the internet
#
cwebber2 I actually don't bake cookies
#
cwebber2 melody: yes we can't prevent that, instead we should contain it so that they're not *systematically* privileged... they just may have network-effect power
#
cwebber2 https://github.com/cwebber/rebooting-the-web-of-trust-spring2018/blob/petnames/draft-documents/petnames.md more on petnames for those new to this conversation
#
melody yeah, i worry about like, a popular platform privileging a naming hub because they don't understand the risks, or understand and want to take advantage of them, like say, if gab were to add its million users or w/e to a popular naming hub or if some future social networking tool that most instances ran built one in to make things more user-friendly
#
melody its really easy to compromise a system via network effects with good intentions and easier with bad ones
#
cwebber2 melody: yes, and there will always be limits to what we can do
#
melody nods
#
cwebber2 we can't remove all bad things from the internet, but we can help mitigate them the best we can
#
cwebber2 as you well know :)
#
cwebber2 (I know I'm not saying anything new there, just good to remind ourselves sometimes!)
#
melody 100% for sure, I'm just accustomed to thinking through like "Okay, we've designed this system, how are people going to screw up implementing it or break it to work around its flaws"
#
cwebber2 melody: that's good opsec :)
#
cwebber2 melody: btw "what's wrong with that system" in the first link I posted
#
cwebber2 is answered by the second link
#
cwebber2 but I need to follow up with the first one
#
cwebber2 it's about confused deputy attacks
#
cwebber2 basically ocaps don't have them
#
cwebber2 *until*
#
cwebber2 you introduce either "rights amplification" (hidden information) or identity stuff
#
cwebber2 it's stuff I need to work out on how to describe more clearly
#
cwebber2 I don't expect the links to be completely followable
#
cwebber2 since I posted them to an audience very familiar with a certain vocabulary of speaking about things
#
melody yeah i got that it was a confused deputy from the hints but the second link is too steep in jargon for me to identify which part introduces the confused deputy
#
cwebber2 the challenge is how to extract that from that community to a more general audience
#
cwebber2 melody: yep
#
cwebber2 my goal from the threads is to figure it out so that the ocappub writeup simply doesn't have them
#
cwebber2 with an appendix explaining why some things are as they are to avoid the vulnerabilities
#
melody rights amplification meaning like, giving somebody a proxy capability that they can't inspect so that another person can act through them?
#
melody in which case a middleman could be a confused deputy if they use the wrong uninspectable box to let somebody act through them?
#
melody or am i off base
#
melody i can also just wait for you to sort it out and read about ocappub later, this doesn't have immediate implications for me beyond my curiosity in this moment
#
melody i don't wanna ask you to do a bunch of work explaining it or trying to figure out how
#
cwebber2 melody: the example that lead me to understand rights amplification comes from this paper https://www.uni-weimar.de/fileadmin/user/fak/medien/professuren/Virtual_Reality/documents/publications/capsec_vr2008_preprint.pdf
#
cwebber2 which you'll see the influence that paper had on spritely :P
#
melody i'll poke at that if i get a chance, thanks
#
cwebber2 it basically explains how to build virtual worlds on top of ocap systems
#
cwebber2 the relevant example
#
cwebber2 is the teachers and students
#
melody will look at it
#
cwebber2 there's a classroom with a teacher and a bunch of students in it
#
cwebber2 or more importantly, the teachers and students in the room are proxies of them for that particular chat room
#
cwebber2 let's say we poke at a student
#
cwebber2 student1.description()
#
cwebber2 may show us the profile description of a student... maybe they have brown hair and purple eyes or something.
#
cwebber2 everyone has access to all the methods of the student1 proxy object in the classroom
#
cwebber2 you can also find out how to get to the student to send them private messages... for now, we'll assume in this particular system that you can "pass notes" unrestricted by accessing as student and doing
#
cwebber2 student1.passNote("Hey, what is the teacher talking about? I don't understand")
#
cwebber2 now let's say the student is being very noisy and disrupting class
#
cwebber2 remember, these are proxy objects for the particular room
#
melody yep
#
cwebber2 rather than the student "themselves"
#
cwebber2 so what happens when we do this:
#
cwebber2 student1.mute()
#
cwebber2 this returns
#
cwebber2 <sealed for-teachers>
#
cwebber2 now what the heck is that???
#
cwebber2 we understand the motivation, so now let's put a pause here, and talk about sealers/unsealers for as ec
#
cwebber2 se
#
cwebber2 sec
#
cwebber2 bleh
#
cwebber2 sealers/unsealers are very similar to encryption/decryption, except they don't necessarily use cryptography
#
cwebber2 let's say we do the following
#
cwebber2 [lunchSealer, lunchUnsealer] = newSealerPair()
#
cwebber2 I want to leave my lunch in the fridge
#
cwebber2 lunchSealer.seal("chickpea salad")
#
cwebber2 returns
#
cwebber2 <sealed lunch>
#
cwebber2 the 'lunch is just informative about what sealer it is, doesn't matter, just debugging info
#
cwebber2 this is almost like a magical canner
#
cwebber2 now we can put our sealed lunch in the fridge
#
cwebber2 what are we having for lunch? maybe even the lunch object instead of a string was a food item that had a .consume() method
#
cwebber2 we don't want people to know what we're eating, and we certainly don't want them to eat it! so we're glad it's sealed
#
cwebber2 so we put it in the fridge
#
cwebber2 and at lunch we take it out and do
#
cwebber2 lunchUnsealer.unseal(ourLunch)
#
cwebber2 now the interesting thing is we can split up who has the sealer and unsealer
#
cwebber2 let's say we're a lunch middleman company
#
cwebber2 we can give a sealer to the lunch factory and an unsealer to the customer
#
cwebber2 now when the factory makes the lunch
#
cwebber2 they seal it
#
cwebber2 it goes on the truck
#
cwebber2 the delivery driver can't open it
#
cwebber2 and when it arrives in the office, the person there can use the unsealer
#
cwebber2 so you can pass these things around.
#
cwebber2 makes sense so far? I'll tie it back in a second
#
cwebber2 (to the classroom)
#
melody yes
#
cwebber2 ok cool
#
cwebber2 so now, back to that student
#
cwebber2 let's say we give out teacher-administrative sealers to each teacher
#
cwebber2 recall
#
cwebber2 <cwebber2> student1.mute()
#
cwebber2 <cwebber2> this returns
#
cwebber2 <cwebber2> <sealed for-teachers>
#
cwebber2 so now we have teacherUnsealer
#
cwebber2 muteThisStudent = teacherUnsealer.unseal(student1.mute())
#
cwebber2 muteThisStudent()
#
cwebber2 now the student is muted
#
melody do the teachers have sealers or unsealers or both? just want to be 100% clear that wasn't a typo up there
#
cwebber2 they only need the unsealers
#
cwebber2 whetrher they have the sealers doesn't matter
#
cwebber2 for this example
#
melody you said "lets give the sealers to each teacher"
#
cwebber2 ah
#
melody so i wanted to be clear
#
cwebber2 sorry
#
cwebber2 meant unsealers
#
melody i thought you meant unsealers and it's good i was able to catch that, means i'm probably following :P
#
cwebber2 we may even choose to only give them the unsealers, because PoLA
#
cwebber2 yes!
#
cwebber2 so as you can see
#
cwebber2 we had a mute method on all the students
#
cwebber2 but not everyone could use it!
#
cwebber2 only the people with the corresponding unsealers
#
cwebber2 that's rights amplification
#
cwebber2 there's more power there, hidden in plain sight
#
cwebber2 but you need the right unsealer to access it
#
melody yeah, because the mute method was a sealed capability that required an unsealer that only the teacher held
#
cwebber2 yes exactly!
#
cwebber2 and we could pull in a substitute teacher
#
cwebber2 and they can use the same one.
#
cwebber2 now, let's imagine how we could use this on the fediverse
#
cwebber2 what if we want to add restrictions so that only certain people will get their replies attached to and distributed by us
#
cwebber2 we could have {"type": "Object", "replyTo": {"type": "Sealed", "cap": <encrypted>}}
#
cwebber2 now there's a capability attached to that object
#
cwebber2 that allows people to reply
#
cwebber2 but only people we've handed the ability to reply with
#
cwebber2 because we handed them the unsealer (in this case, corresponding private key, since in this one I am using encryption)
#
cwebber2 the semantics of sealers/unsealers work without encryption, and can be done in just plain old programming languages, no encryption required
#
cwebber2 I can demonstrate how if there's interest
#
cwebber2 but
#
cwebber2 in a network we'd probably use encryption.
#
cwebber2 melody: does that make sense?
#
cwebber2 so it's kind of like groups
#
cwebber2 but by handing out unsealers
#
cwebber2 there's a way to add a proxy that wraps the unsealer too so we can hold users accountable
#
cwebber2 but I won't go into that right now
#
melody i assumed the sealer would just wrap a proxy reply-to for that reason
#
melody is it better the other way around?
#
melody anyway i'm still following so far
#
cwebber2 melody: yeah proxies are involved
#
cwebber2 so let me explain the confused deputy
#
cwebber2 for those unfamiliar with confused deputies, this is a good intro: https://www.youtube.com/watch?v=Yfsmc0b8o78&vl=en
#
cwebber2 capabilites don't have confused deputies "on their own", because there's no separation of designation and authority. Once you have the designation of something, that gives you the authority to act. confused deputies rely on tricking something that has more power than you do into giving you privilege you shouldn't have
#
cwebber2 since "what you see is what you can do" (kinda) they just don't exist there. but we need to be able to do a couple of things
#
cwebber2 a) be able to refer to the same object and hold different experiences, thoughts, opinions, associated capabilities to it
#
cwebber2 b) be able to have the same object and not necessarily have the same power, just like the teacher can silence classroom-student-proxies but others can't.
#
cwebber2 both of those introduce an asymmetry
#
cwebber2 now there is designation for something where someone else may have the same designation, but more authority than we have.
#
cwebber2 a confused deputy attack is where we try to trick them into giving us the power to do something we want to do but weren't meant to
#
cwebber2 phishing attacks are examples of human beings being confused deputies, for instance
#
cwebber2 someone has some power, you want to trick them into giving you that power, so you trick them into a context where they think they're doing something different
#
cwebber2 the same thingss happen in browsers with CSRF attacks, also confused deputies
#
cwebber2 my concern in raising that thread was, "well, once we have rights amplification or identity whereby we associate things, now we have similar asymmetry... we can do a lot of code without rights amplification and identity, but social networks definitely at least involve identity, and things like the reply-to control are desirable, so did we accidentally introduce attacks?"
#
cwebber2 so that was the setup for seeing if people spotted things in https://groups.google.com/forum/#!topic/cap-talk/icey8aO5ABo
#
cwebber2 and then the analysis from there happens in https://groups.google.com/d/msg/cap-talk/5Q8BM3aW0Gw/lHzTgXaQAgAJ
#
melody identity because that means you have shared designations for a user and necessarily different authority
#
cwebber2 melody: right.
#
cwebber2 and maybe even different information
#
cwebber2 associated with them
#
cwebber2 eg
#
cwebber2 let's say we have an evil boss of Mallet, Inc
#
melody and rights amplification because it's specifically for having shared designations with different authority
#
cwebber2 yes
#
cwebber2 yeah you've got it
#
cwebber2 another real-world confused deputy attack is where the boss wants to know whether employee A called in sick for work just because they were hung over
#
cwebber2 so they approach their friend and start talking about "oh I heard Bob was at some really nice bars last night... can you recommend any?"
#
cwebber2 and the friend tells a hilarious story about Bob being very drunk last night
#
cwebber2 that's an example of information leakage as a confused deputy.
#
cwebber2 it's not authority as much as it is information
#
cwebber2 some level of these attacks will always be possible on the human level
#
cwebber2 because we are associative machines
#
cwebber2 but I want to reduce them through the help of systems like petnames
#
cwebber2 and want the systems themselves to not be vulnerable
#
melody they're the same thing in a lot of social tech systems, where the capability of reading data is an authority
#
melody like the whole thing is about controlling access to information
#
cwebber2 yes and access control lists (ACLs) are *inherently* sources of confused deputies
#
cwebber2 because the whole thing is about "Alice has access to X Y and Z" instead of Alice holding onto references that give her access
#
cwebber2 if we use an ACL approach, we inherently make our system more vulnerable to confused deputies and ambient authority attacks
#
cwebber2 an ocap system can help, but by introducing identity and rights amplification, we re-introduce some subset of attacks
#
cwebber2 and I'm trying to plan for and mitigate them
#
cwebber2 melody: you did a great job of following along
#
melody so the question becomes, does a capability system with identity and rights amplification reduce to an ACL because it reintroduces the same asymmetries, the way that adding mutability to immutable systems reintroduces all the conflict possibilities immutability was meant to prevent
nedjo joined the channel
#
cwebber2 melody: I think it doesn't fully reduce it, but it introduces a smaller scope of places they may occur. And I think that there are a few practices we've been identifying in the cap-talk list so that misuse does not occur
#
cwebber2 the way to prevent rights amplification confused deputies
#
cwebber2 is that what you *don't* do is "hunt for an appropriate unsealer in a bucket"
#
melody & there can be reasons it can still be worth going the roundabout way and introducing mutability on top of an immutable system, likewise i imagine there's reasons to still use ocaps here
#
cwebber2 instead, you have a context in which a relevant unsealer is pre-expected
#
cwebber2 and if someone provides something sealed with a *different* sealer
#
cwebber2 it simply throws an error
#
melody i think the piece i'm missing is the mechanism by which searching for an unsealer in a bucket introduces this
#
cwebber2 because you already knew what unsealer should apply
#
cwebber2 melody: aha, ok, I think i wrote this up let me see if I can find where
#
cwebber2 right
#
melody like i think i pre-assumed only one unsealer would work for any given thing anyway
#
melody so i got really unclear how having to search for it introduces this problem
#
cwebber2 melody: right! that's the right way to do it
#
cwebber2 is to have one-off sealer/unsealer pairs
#
cwebber2 the way people *usually* do encryption
#
cwebber2 is to build one keypair for a person's identity
#
cwebber2 for everything
#
cwebber2 instead here we advocate a single sealer/unsealer pair per context of use
#
melody ahhhhh
#
cwebber2 so that helps
#
cwebber2 but if you hunt in a bucket you still have a vulnerability
#
melody by the time we were dealing with so many proxy objects and everything i just assumed we were well past "sign everything with the same key"
#
cwebber2 yes we should be
#
cwebber2 even so a vulnerability could be introduced like so
#
cwebber2 now let's say that we have a blogpost that Alice makes that has replyTo sealed
#
cwebber2 or whatever
#
melody can i take a shot at a guess before you explain?
#
cwebber2 yes
#
melody we've got the blogpost
#
melody alice gives an unsealer to bob
#
melody nah wait i lost it
#
melody go ahead and explain haha
^Connor_ joined the channel
#
cwebber2 ok! :)
#
cwebber2 let's say that at least that Mallet knows Bob
#
cwebber2 and Mallet would like someone to be upset at Alice's blogpost
#
cwebber2 even though it's a nice blogpost
#
cwebber2 if Mallet could write a "This is really terrible and offensive, how could you write this?"
#
cwebber2 Mallet absolutely would.
#
cwebber2 even if it was a nice friendly post
#
melody meanie
#
cwebber2 and Alice is sick of getting rude replies
#
cwebber2 so Bob can reply
#
cwebber2 so what Mallet does is:
#
cwebber2 Mallet makes a new blogpost, and attaches the sealed reply-to object from *Alice's* blogpost to his blogpost!
#
cwebber2 Mallet says a bunch of terrible things in it
#
cwebber2 and then Bob replies and says "this is terrible, and offesnive, how could you write this?"
#
cwebber2 but Bob actually replies to Alice's post
#
cwebber2 not only could Mallet not post ot it
#
cwebber2 Mallet got Bob, Alice's friend, to post
#
cwebber2 double-win for Mallet
#
melody yep thats bad
#
cwebber2 two mistakes were made
#
cwebber2 a) we lost track of which reply capability belonged to what
#
cwebber2 b) Bob "searched in a bucket" to find the relevant unsealer
#
cwebber2 even though that unsealer was meant for a different context
#
cwebber2 if instead Bob had a context that expected a relevant unsealer for Mallet's post, and tried using that one, and it threw an error
#
cwebber2 it would have "failed safe"
#
cwebber2 now the question is how to make it so that contextual stuff happens right automatically
sl007 joined the channel
#
cwebber2 and explain that in a way that people will implement right the first time, without thinking much about it
#
cwebber2 melody: whew! that was a lot of explaination, but does it make sense now?
#
melody that sounds tough, because it feels like you essentially will need to double-sign everything and rely on systems to be implemented correctly to check this, since you'll need to sign the context so that it can't be forged when mallet stuffs the essentially-public-key representing the sealed cap
#
melody into the wrong thing
#
cwebber2 melody: it does sound tough. I think it's possible to make it simpler than that.
#
cwebber2 that's what I'm working on now
#
melody best of luck
#
cwebber2 I want to prototype it
#
cwebber2 I wanted to prototype the attack first and be able to explain it
#
cwebber2 I have the general idea in my head about how to make the solution simple
#
cwebber2 but I won't be able to explain it until I get the pieces down
#
cwebber2 and thanks melody
#
melody I'm trying to think of a way to re-analogize the attack now that i think I understand it
#
cwebber2 melody: (I have to make lunch but look forward to reading anything you write when I get back)
#
melody but especially a version of this that requires like, cloning the sealed capability and then hiding it does not lend itself to meatspace examples, it's a lot harder to trick somebody into sending a message to the wrong person when you can't create a wormhole labeled "Mallet's Mailbox" that sends things to Alice's Mailbox instead
#
melody lol
#
melody i was typing up a whole thing but the implications get pretty rough performance-wise and usability-wise the more i try to dig myself out of this hole, looking forward to seeing what you've come up with there
#
nightpool[m] i haven't been following too much of this ocap situation, but I had a different conceptual approach to the replies problem bouncing around in my head that I wanted to get someone's thought on
#
nightpool[m] it feels like it overlaps with ocap but i'm not sure how because i only have the most cursory understanding of ocap technology
#
nightpool[m] so the fundamental problem that replies seems to get at is the idea of "who is allowed to link to my object"
#
nightpool[m] and so the proposed solution I had bouncing around in my head is just a version of an "authorized" link, i.e. some method for third party verification of a specific URL and the context its used in.
#
melody i would maybe reframe it as "how should software behave when somebody links to my object" - linking to the object is not preventable, but software can choose not to amplify people's attempts to do so without my permission, or attach their messages to my feed and a space i control
#
nightpool[m] so like in the simplest case this would be a query param that says something like `https:​//nightpool.club/post/1?link_source=https:​//dustycloud.org/post/2`
#
nightpool[m] and if the `link_source` is allowed, the URL resolves, and if it isn't, it returns a 401 or something.
#
melody the problem with that is that somebody could just forge the link source, you'd need cryptography or similar to actually identify the source of the request
#
nightpool[m] i don't think cryptography is helpful?
#
nightpool[m] you just need to make sure the person resolving the link puts the link source in
#
nightpool[m] instead of the person authoring the content.
#
melody the person resolving the link could just put a link source in that they know you'll accept
#
melody whether they actually got it there or not
#
melody and people will pass around accepted sources as full urls
#
nightpool[m] right, but that's not useful because the person resolving the link is the person who's interesting in whether the link is authorized or not
#
melody are they?
#
nightpool[m] that's like saying "you can just return `true` from your verify_signature function"
#
nightpool[m] it's true, but it's not useful.
#
nightpool[m] this doesn't prevent people from replying to your content, but it allows a third party to determine whether or not the reply was allowed.
#
melody I think I would want a better option than this
#
nightpool[m] better in what sense
#
nightpool[m] * better in what sense?
#
melody I think it should be my responsibility to redistribute replies to my posts, so 3rd party software should not need to be independently verifying that I allowed them
#
nightpool[m] i guess i'm not following
#
nightpool[m] if mastodon needs to make the decision "is this post a reply to this other post?"
#
nightpool[m] it needs to have some logic for determining that
#
nightpool[m] that could be "was this sent to me by the actor that the post is replying to"
#
nightpool[m] or it could be something based on cryptography or resolving the post with a `link_source` parameter
#
nightpool[m] but I think those are both types of independent verification?
#
nightpool[m] when I say "independent" I just mean "someone who is not the replier or the person being replied to"
#
melody I dunno, the link source thing feels wrong to me, it seems like well-behaving software should stop me from trying to reply at all, and ill-behaving or malicious software shouldn't be able to forge a reply that's convincing enough to require another request for verification, but maybe there isn't an obvious cryptographic solution here and I'm missing something
#
melody it's been a while since i've thought deeply about this
#
nightpool[m] well i guess my thought is that the cryptographic solution can be pretty easily put on top of this one, as an enhancement
#
nightpool[m] in the same way, e.g., linked data signatures are an enhancement on "just looking up the post"
#
nightpool[m] but it gets hard to, say, delete a reply after it was made if you sign them.
#
melody i think i'm concerned about all the ways that trying to find a way to allow list domains or actors could be complicated or bypassed -- like what happens if there's an implementation that allows setting up instances on wildcard subdomains/what does that do to the logic for checking whether the activity in a link source should be allowed, or changing URI schemes
#
melody if returning a valid answer to a link source requests requires another three requests to validate the link source is an activity owned by an allowed actor
#
melody this suddenly gets very weird
#
nightpool[m] hmm.
#
nightpool[m] that's only the case if you haven't seen the activity/actor already though?
#
melody changing uri schemes are a concern for populating historical replies otherwise it'd be easy enough to just check against replies you've already published
#
melody but you also have to resolve the activity to find out of if it has moved
#
melody ideally activities are permanent identifiers but we know they aren't
#
nightpool[m] sure but again that's just the slow path of "i haven't seen the activity before"
#
nightpool[m] which requires 1 lookup ever per domain change or whatever
#
melody for that activity -- a new instance backfilling a post history with its replies could be requesting whether hundreds or thousands of activities from that domain are authorized
#
melody and each one will detect as new
#
melody + then multiply for every user it's doing that for on your instance
#
melody there's always throttling, etc. but it seems like there must be a better option
#
melody i'm open to there not being a better option, using URIs for this just feels fragile & complicated
#
nightpool[m] activity URI updates are already a problem with 1) maintaining historical content and 2) mutable identifiers though
#
melody fair enough
#
nightpool[m] sorry my computer crashed before I could type up the rest of my reply but just generally i'm wary of trying to solve unrelated problems when working on something specific like disabling replies.
#
cwebber2 speaking of mutability
#
cwebber2 I think that people are really worried both for and against mutability on a few fronts
#
cwebber2 and also immutability
#
cwebber2 so actually let's say 3 things
#
cwebber2 actually I'm just going to list all the worries I see :)
#
cwebber2 - I can't update my posts / my gender profile / etc? I need to change history
#
cwebber2 - I can change it but people can see the history? Now you might use that to deadname me, shame me for past actions, etc
#
cwebber2 - I don't want changes! If I make a post and I reply to it and someone changes the original post, now they might change the context in which my update is meant to be seen!
#
cwebber2 - Changes without history? Deletes without an ability to archive? How can we hold people (especially powerful institutions and political entities) accountable?
#
cwebber2 - also, voluntary vs forced vs accidental takedown/disappearance of content VS archival
#
cwebber2 there are a lot of concerns here
#
cwebber2 This would be well described as "incompossibilities", similar to this talk about tradeoffs in Tor protocol design https://media.libreplanet.org/u/libreplanet/m/incompossibilities-ubiquitous-engineering-tradeoffs/
#
cwebber2 furthermore, there are some system design restrictions:
#
cwebber2 - forced deletes are not possible
#
cwebber2 - updates are not guaranteed to propagate
#
cwebber2 - consensus is expensive
#
cwebber2 my proposal on the local optima is, given that "we can't have everything, and are forced to have to accept that we can't have some things"
#
cwebber2 we do want some update mechanism. we do want history tracking and exploration. we'll want some way for this to be content-addressed / p2p distributable. we do want people to be able to express that they would like something to be perceived as dead, however.
#
cwebber2 that last one, effectively, is a tombstone.
#
cwebber2 this does mean that deadnaming is possible, but deadnaming was already possible sadly. What we can do is allow and encourage people to create many personas, and allow the system to make requests that might be respected by good entities about what to display / keep around.
connormagnusson_ joined the channel
#
melody there are definitely mutually incompatible goals, i think i tend to try to make the local more friendly to changing history and less friendly to tracking it, but i see the merits, if you can't prevent tracking it, to making it very visible so that everyone is at least aware that they should think about that when they post -- but my preference is still to discourage + mitigate as much as possible, to narrow windows of opportunity for harm
#
cwebber2 melody: narrowing windows of opportunity for harm is definitely good
#
melody like, i can imagine a system where leaving an audit trail on your posts is optional, but it's visible whether or not you have that feature enabled, and that could be used to encourage public figures & institutions to do it, without requiring ordinary people to be held to that standard
#
cwebber2 melody: but all posts, if they have signatures, can be part of an audit trail
#
melody there's room for less technologically bound trust signals to encourage better outcomes here
#
cwebber2 I do agree that sending signals of what you expect or desire is useful
#
cwebber2 though
#
cwebber2 we have to keep in mind "bad actor shopping lists"
#
cwebber2 such signals can sometimes be used as an inverse interest guage
#
melody i meant social signals there, not technological ones
#
cwebber2 thinking about social signals is good
#
melody re: signatures, i'm definitely concerned about the options there, there are certain parts of decentralized systems that feel like bad tradeoffs the whole way down, and that's an area where it feels like there's no winning
#
melody "trivial impersonation/forgery or no privacy" is a painful tradeoff
#
melody idk if there's options w/r/t ephemeral keys and republishing like OTR that can still work in a less synchronous system to reintroduce deniability
#
melody but if i'm honest, people are a lot easier to fool than computers are even with extremely obviously faked things with zero proof provided so maybe i should be less concerned about technological deniability since deniability doesn't even work when the claims are baseless
#
melody it's a lot, regardless
#
melody as a general rule though, i prefer the problems caused by mutability to the problems caused by immutability, it's reasonable to have a different preference, especially in different contexts, but i definitely lean distrustful of immutable systems, the stakes are just too high
#
melody the ability to delete things and have them be really gone is important