#indiewebcamp 2014-06-10

2014-06-10 UTC
brianloveswords joined the channel
#
pauloppenheim
aaronpk: i would love to be an auth buddy, but i am not sure i will be a very good auth buddy
#
pauloppenheim
i have been working a bit lower in the stack lately
#
aaronpk
lower? wow
#
pauloppenheim
i am angry at administering servers
#
aaronpk
ah yeah
#
pauloppenheim
and have written two more wsgi frameworks
#
pauloppenheim
i really need to learn docker instead of wasting my life wating for VMs
#
@ShaneHudson
@pmarca @bhorowitz oh btw Marc, while you're online... Did you see the tweets about #indieweb and @withknown? Definitely the way forward.
(twitter.com/_/status/476164389830410240)
#
pauloppenheim
aaronpk: what do you need an auth buddy to do?
#
aaronpk
brainstorming, helping make UI sketches and docs, and possibly also to make your own implementation of parts of this.
#
KartikPrabhu
err what's an auth buddy?
#
aaronpk
just someone i can bounce ideas off of while working on this stuff
#
KartikPrabhu
this = indieauth?
#
KartikPrabhu
oh ok that was my guess too :)
kylewm joined the channel
#
aaronparecki.com
edited /login-brainstorming (+36) "/* Web Sign-In Form */ add img"
(view diff)
#
pauloppenheim
aaronpk: the To Do list from http://indiewebcamp.com/IndieAuth, or other new works?
#
aaronpk
new stuff
#
aaronpk
but a lot is still only in my head
#
pauloppenheim
i'm not very familiar with OAuth 2
#
pauloppenheim
actually i'm not even great with OAuth, i usually just bug termie
#
aaronpk
forget everything you know about oauth 1
#
aaronpk
I suppose I need to write a page "how to build an authorization endpoint" next
#
aaronpk
to go along with how to build a token endpoint
#
aaronparecki.com
edited /simple-indieauth-example (+36) "/* Web Sign-In Form */ add img"
(view diff)
#
aaronparecki.com
edited /auth-brainstorming (+36) "/* Web Sign-In Form */ add img"
(view diff)
#
pauloppenheim
aaronpk: yeah, this is complicated, i see what you mean
#
aaronpk
it will all be super straightforward once there's enough docs and diagrams
#
aaronpk
(no really, I swear!)
#
pauloppenheim
it feels very intertwined with micropub, which i have not been following closely enough
#
aaronpk
it partly is, but there's a whole section that is not
#
aaronpk
indieauth for authorization is, indieauth for authentication is not
#
aaronpk
like when you sign in to the wiki, you're authenticating only, no micropub involved
chrissaad joined the channel
#
pauloppenheim
this whole thing is very chicken-and-egg
#
pauloppenheim
aaronpk: is anyone else implementing their own auth / micropub?
#
aaronpk
there's several micropub endpoints now
#
aaronpk
nobody else has built an auth server afaik
#
aaronpk
there are a few token endpoints
#
bret
what if people start putting ads into h-entries?
#
Loqi
who, me?
#
bret
pretty much
#
pauloppenheim
when the indieweb gets discovered by spammers, we're gonna have problems all over
#
pauloppenheim
it'll be fun ;)
#
bret
we shall destroy spammers
#
aaronpk
i'm looking forward to it
#
pauloppenheim
oh i doubt that
#
pauloppenheim
but we'll have a good ol' war
#
bret
we can do social graphs with xfn!
#
bret
pauloppenheim i managed to get a working endpoint the other day
#
bret
which means basically so can a lot of people
#
bret
posting is way to easy now
#
aaronpk
oh wow I just realized an auth provider could let you sign in with a pgp key
#
aaronpk
by making you sign a challenge with the private key for a public key that's on your site
#
bret
aaronpk: any use for keybase there?
j12t joined the channel
#
aaronpk
quite possibly yeah
#
pauloppenheim
aaronpk: or you could encrypted email a link with an unguessable url
#
aaronpk
well it already supports email auth via persona
#
aaronpk
more interested in having fewer parties involved
#
aaronpk
see this is why I need a "how to make an auth endpoint" tutorial
#
aaronpk
so that someone good with pgp can go make an auth endpoint that lets people sign in to whatever with their pgp key
#
acegiak
morning, all
#
aaronpk
morning!
#
aaronpk
it's always morning in #indiewebcamp
#
colbyaley.com
edited /2014/Guest_List (+282) "Adding myself to West guest list"
(view diff)
#
acegiak
aaronpk: channel runs on UGT?
#
aaronpk
there's just enough people from different timezones here that someone is always saying good morning!
#
pauloppenheim
aaronpk: i would be interested in that
#
pauloppenheim
is kbs still around?
#
bret.io
edited /2014/Guest_List (+0) "Updated west count"
(view diff)
#
bret.io
edited /2014/Guest_List (+183) "/* West */ Updated some details on my rsvp"
(view diff)
#
bret.io
edited /2014/Guest_List (+38) "/* West */ Added my github too"
(view diff)
#
aaronpk
pauloppenheim: sweet. yeah need to get this tutorial up
#
aaronpk
once I finish my silly test endpoint i'll be able to document it
#
pauloppenheim
i think you have enough docs that were i close enough, i could make that
#
bret
pauloppenheim have not seen kbs in a few days
#
aaronpk
but that is written from the point of view of the consumer so is not as easy to read if you're actually building the auth endpoint
#
aaronpk
whereas I wrote http://indiewebcamp.com/token-endpoint for people building a token endpoint, not just using one
benwerd joined the channel
#
aaronparecki.com
edited /token-endpoint (+0) "/* Access Token Request */ typo"
(view diff)
tantek joined the channel
#
aaronpk
omg i made an auth endpoint
#
pauloppenheim
aaronpk: what kind?
j12t joined the channel
#
aaronpk
simple password auth on my own site
#
aaronparecki.com
edited /token-endpoint (+177) "redo headers and add section for verifying an access token"
(view diff)
fmarier and benwerd joined the channel
#
aaronpk
pauloppenheim: question since you're the only pgp person I think is online right now... with this new feature you will be able to point to an auth endpoint that supports pgp auth from your home page. would you be comfortable using a service that handles the pgp verification?
#
aaronpk
you'd certainly be able to create your own auth endpoint that does whatever, but it would be convenient if you didn't have to build it of course
#
pauloppenheim
i'm not sure what you're asking
#
pauloppenheim
would i feel comfy with challenge / response?
#
pauloppenheim
or would i consider such a site trustworthy?
#
pauloppenheim
i mean, challenge / response from a pgp pubkey is no worry at all, of course i would use that
#
pauloppenheim
i don't know how much i would trust a site that used that, depends on the implementation
#
aaronpk
similar to the way you can right now point to multiple auth providers like twitter or github, you will be able to point to one or more indieauth providers, which can be something you implement on yuour own domain or a service like indieauth.com
#
bear
I would have to challenge/response to the site, establish a token and then that site would then challenge/response to a user and provide that token
#
pauloppenheim
i think just trusting a key sitting on a web server by itself is bad form
#
pauloppenheim
aaronpk: i'm not sure if i'd reuse yours, depends how it fits in the rest of my environment
#
aaronpk
say for example there is a service called thebestpgplogin.com which you've established a relationship with (you're paying for it, or whatever)
#
aaronpk
you'd add a tag to your site: <link rel="authorization_endpoint" href="https://thebestpgplogin.com/auth">
#
pauloppenheim
would i trust that to log me in across the web? maybe, depends on the impll
#
pauloppenheim
does it check for key revocations?
#
pauloppenheim
do it hit keyservers?
#
aaronpk
and then it would show up in the login prompt like this https://farm4.staticflickr.com/3837/14193432239_2ac9a4e7ff_o.png
#
aaronpk
I guess my question is would you be willing to trust this third party service to do things responsibly for you?
#
aaronpk
it's entirely your choice to use this service of course
#
pauloppenheim
aaronpk: depends on the things :)
#
aaronpk
say you've done your due diligence, and you're ready to pay $20/year for this
#
pauloppenheim
what needs to even pass through the auth endpoint?
caseorganic joined the channel
#
aaronpk
the auth endpoint issues and then verifies auth codes
#
pauloppenheim
aaronpk: part of security is not needing to trust in the first place
#
bear
so my website would do a "hey, is this code valid" check?
#
aaronpk
the auth endpoint is the thing you're used to seeing that says "this app would like to ____" like twitter's oauth screen, etc.
#
pauloppenheim
i would imagine that would run on my site, not externally
#
pauloppenheim
i haven't even thought of the implications of that running externally, it sounds very weird
#
aaronpk
in the case of the auth server I just made, it lets me modify the scope that the app requested https://farm6.staticflickr.com/5279/14364551756_7751334482_o.png
#
pauloppenheim
principally, i do this kind of thing over an ssh tunnel right now, which usually means only using software i have written to handle that
#
aaronpk
like a poor man's "checkboxes bitches" https://benward.me/blog/tumblr-968515729 (hi benward!!)
#
pauloppenheim
"fire up this app pipeline that will expect to see json on stdin"
#
pauloppenheim
if i'm doing anything important on a box, probably not
#
pauloppenheim
if it's all public anyway, yeah, probably
#
pauloppenheim
i wouldn't want my web apps to have the decision to accept or reject something be made externally, if i care about their security
#
KartikPrabhu
aaronpk: 2010! and Google Buzz O_O
#
pauloppenheim
why does 2010 not even feel all that long ago
#
bear
for me it would be ok to take this type of external auth to say that someone can leave a comment or webmention - but not to do anything else on my site
#
aaronpk
interesting
#
pauloppenheim
right, depends' what's being authorized
#
bear
but i also do a lot of server side static stuff - so me logging into my site is a much less likely thing to happen
#
bear
now I would love to see something that lets me trust a webmention as being validated
#
aaronpk
one thing at a time ;)
#
pauloppenheim
but isn't this for interactive use?
#
aaronpk
yes let me finish getting this out onto the wiki
#
bear
sorry, yea, I was jumping ahead in the story
#
pauloppenheim
but i would probably run that as a module on my own site
#
pauloppenheim
but i think then you have the problem of having the 3rd party trust it
#
pauloppenheim
because hoo boy, that's a lot of auth providers to just trust, for much the same reason
#
bear
right - especially in the indieauth realm - every domain hitting my site I would have to establish a trust relationship with
#
aaronpk
that's basically the openid situation, where every domain is potentially its own openid provider
#
pauloppenheim
i have a feeling this should look different than normal auth flows
#
pauloppenheim
i.e., certs are useful because that mechanism is decentralized
#
pauloppenheim
i don't think you need an oauth flow if you have certs
#
aaronpk
you always need the oauth flow in the context of micropub
#
bear
well, if you have certs >= 2014
#
pauloppenheim
but you can't invent your own PKI either, unless you really want to research the fuck out of it
#
bear
I like PKI - call me old fashioned
#
bear
you get my pub key, I get yours, we cross sign and verify… done
#
aaronparecki.com
edited /token-endpoint (+843) "/* Verifying an Access Token */"
(view diff)
#
bear
hmm, I wonder if IndieAuth used it's pgp key to sign a webmention user would I then be able to request from indieauth a token to allow the indieauth user to submit something to my site without them having to know/use pgp
#
bear
thinks he just described what the last 1/2 hr conversation was about
#
pauloppenheim
aaronpk: this is where i wish i knew more about oauth2
#
aaronpk
take a look at my "OAuth 2 simplified" article, it shouldn't take much to go through it and it covers all the basics
#
aaronpk
unfortunately if you look at the actual specs it's more complicated because it's been so abstracted out for lots of possible use cases
#
pauloppenheim
as i know it is flexible enough for "enterprise" now, i wonder if it is a superset of normal pubkey use
#
aaronpk
there is a whole saml2 thing which i believe is close
#
pauloppenheim
aaronpk: been reading that, it's what's on my screen when i get breaks from my current work situation
#
aaronparecki.com
created /authorization-endpoint (+694) "stub with section headers"
(view diff)
#
aaronpk
back in a bit. biking home before the sun goes down.
#
pauloppenheim
not a bad idea
brainTrain, j12t and caseorganic joined the channel
#
aaronpk
OH snap now that iOS 8 allows API access to the fingerprint reader I can make an indieauth login option that does fingerprint auth!
#
bear
laughs
#
aaronpk
i'm so doing that
#
aaronpk
i've gotta flash iOS 8 onto my test ipod
#
pauloppenheim
hmm, that would be cool
#
pauloppenheim
i think your auth is a different kind of thing than i am thinking of
#
aaronpk
imagine you're signing into a site, you click the "thumbprint" option and then a push notification appears and you have to launch the app and touch your thumb to it
#
pauloppenheim
right now indieauth is pretty great for what it is
#
pauloppenheim
i think maybe my perspective is bent, and thinking of situations that require more security than you are targeting
#
aaronpk
ideally this works for all levels of security, or is at least flexible enough
#
pauloppenheim
well, but you want inflexibility for high security applications, so that it can't be fucked up
#
pauloppenheim
effectively, flexibility presents much more attack area
#
pauloppenheim
and it becomes impossible to evaluate "security"
gRegor` joined the channel
#
pauloppenheim
the flip side is PGP, which by all appearances is getting worse, not better, as more people make "guides"
#
pauloppenheim
there's enough that's not specified, and there are enough people trying to make it easier in ways that wind up making it less secure
#
pauloppenheim
wow i sound like a grumpy old man
#
@CharlesPulliam
@schnarfed @islayblog 1 more Q--after enabling brid.gy should the webmentions populate a site's main page or will they appear on every page?
(twitter.com/_/status/476211086354427904)
#
bear
no, just someone who has had to deploy production security and had to deal with devs who follow bad guides
#
bear
that's why i'm all like "amen to that paul!" and shaking my head in agreement
#
dariusdunlap
From what I’ve read about the fingerprint auth, it’s nicely secure. No PII is exchanged… just “yep”, or “nope”.
#
aaronpk
that is exactly how I assumed they'd implement, and very glad
#
aaronpk
actually it unlocks keychain items, so it's a little more than yes/no but yeah, it doesn't actually provide the fingerprint image or anything
#
dariusdunlap
Yeah, it was in the cards readin ghte description of the fingerprint system laste year.
#
dariusdunlap
er, last year
#
dariusdunlap
Does either, actually.
#
dariusdunlap
BTW, after reading a good chunk of the Swift book, I decided I really needed to go back through it as a “playground”… so I’m doing that now.
benwerd joined the channel
#
dariusdunlap
Never did matter.. The objective isn’t perfect security. The objective is security that’s better than the crap password that you reuse everywhere, or even a good 6-digit pin.
#
aaronpk
pauloppenheim: that's incredible
#
@schnarfed
@CharlesPulliam incoming webmentions show up on individual posts, as Disqus comments. https://www.brid.gy/about#incoming
(twitter.com/_/status/476213518874587136)
#
dariusdunlap
It’s a pretty briliant physical hack.
#
pauloppenheim
it's better than the samsung galaxy 5, which evidently lets you make unlimited attempts
#
pauloppenheim
can't change your fingerprints!
dybskiy joined the channel
#
aaronpk
wow they made all sorts of domains for their proof of concept implementation... credential.club and login-hub.com and identus.org
dybskiy joined the channel
#
bret
so much of that is routed around if you have a domain available already
dybskiy joined the channel
#
bret
its neat they incorporate telehash
#
bret
except telehash isnt working yet
snarfed joined the channel
#
bret
well dht works fine but the libs are not ready yet
#
bret
aaronpk: is there an oauth meetup in town?
#
aaronpk
hm maybe I should make one
#
aaronpk
there were a few "state of the auth" meetups a while ago
wtd and dybskiy joined the channel
#
bret
that would be interesting
#
aaronpk
there were only 2 meetups. I gave a talk on OAuth 2, then ozten gave a talk on Persona lol
#
bret
where is manu!
dybskiy, lupinedev, j12t, snarfed, Jihaisse, cweiske and pfefferle joined the channel
#
Loqi
pfefferle: snarfed left you a message on 6/6 at 9:42am: no custom post types for my possed retweets, favorites, etc. just categories to hide them from front page etc.
sparverius joined the channel
#
pfefferle
snarfed: hmm… that is also a good idea!
#
pfefferle
good morning everyone
#
acegiak
pfefferle: morning
dybskiy, petermolnar, eschnou, jsilvestre, KartikPrabhu and krendil joined the channel
krendil joined the channel
#
@mapkyca
Pondering whether upload_with_media & QR codes might be a hack to get syndicated twitter posts feeding back brid.gy #indieweb comments...
(twitter.com/_/status/476289416592646145)
pfefferle joined the channel
dybskiy and dybskiy_ joined the channel
tobiastom and barnabywalters joined the channel
#
@knitatoms
Great post from @benwerd on why the Indie Web movement is so important and gaining momentum: http://werd.io/2014/backing-up-the-indieweb-some-evidence #indieweb @indiewebcamp
(twitter.com/_/status/476313722403979264)
#
@DoubleMalt
RT @knitatoms: Great post from @benwerd on why the Indie Web movement is so important and gaining momentum: http://werd.io/2014/backing-up-the-indieweb-some-evidence #indiewe…
(twitter.com/_/status/476314205063503872)
dybskiy joined the channel
#
tobiastom
barnabywalters: got two seconds for your php-mf2 classes?
#
barnabywalters
tobiastom: fire away
#
tobiastom
cool, thanks. when I run this input https://github.com/tobiastom/tests/blob/master/h-card/hcard/input.html with your parser, I do not get this (expected?) result: https://github.com/tobiastom/tests/blob/master/h-card/hcard/output.json
#
tobiastom
especially your parser does not create two h-card items. is that intentional?
#
barnabywalters
tobiastom: that test is wrong, it shows the nested microformat twice
Phae and JonathanNeal joined the channel
#
barnabywalters
IIRC there was a proposal ages ago to do exactly that — surface nested microformats at the top level too
#
tobiastom
I’m not playing the blame game here, but that comes directly from https://github.com/microformats/tests/blob/master/hcard.html
#
barnabywalters
or to provide an alternative representation which is completely flattened
#
barnabywalters
both of which turned out to be more confusing than useful
#
barnabywalters
tobiastom: I’ll raise an issue on the repo — thanks!
#
tobiastom
and actually, I can see to problem with returning it multiple times, but right now I would have to loop though all nodes (recursivly) to find all h-cards.
#
barnabywalters
tobiastom: that should be fairly straightforward, and https://github.com/barnabywalters/php-mf-cleaner might be of use if you don’t want to write all the code yourself
#
barnabywalters
findMicroformatsByType($mf2, ‘h-card’, true)
#
tobiastom
yeah, I see that. but wasn’t to goal of the JSON structure to have a good interoperatable format? implementing this search is not really a problem, but maybe we could find better ways for that.
#
tobiastom
for example a preferences key on each item, which will be an array with the references to the root nodes.
#
barnabywalters
tobiastom: the goal of the JSON representation was to have a canonical, easy to use representation of the microformats in a piece of HTML
#
barnabywalters
tobiastom: adding references to DOMElements in the parsed output is something I’ve considered before — what’s your use case for it?
#
tobiastom
nope. not to the DOMElements, give me a second, I’ll fake a gist.
Sebastien-L joined the channel
#
barnabywalters
so if it came directly from there, either the original has changed since then, or I’m missing something :)
#
barnabywalters
btw I *love* the idea of https://github.com/tobiastom/tests/, and can’t wait to start using it!
#
barnabywalters
I’ll create a utility which makes it easy to run them over arbitrary parsers
#
barnabywalters
tobiastom: what use-case does that make easier?
#
barnabywalters
for the most common (in my experience) case of accessing nested microformats, that approach complicates things unnecessarily
#
barnabywalters
also we should move this discussion to #microformats
#
tobiastom
thanks barnabywalters. I just needed the data in a more machine readable way, so that I can test the stuff I do here. that’s why I caught the ”žerror“ in the first place.
#
tobiastom
not sure how to continue in #microformats, without repeating stuff. :)
#
tobiastom
also, you are right, the test seem to have changed. I’ll regenerate mines.
#
rascul
ahh i figured it out
#
rascul
not gonna bother with markdown, just gonna write articles as html
#
rascul
no need for front matter or meta data, i can keep it inside the html and grab it with mf2py
#
rascul
oops i think i meant for that in #indiechat i got my channels mixed up
#
barnabywalters
rascul: publishing format discussion is fine, and encouraged in #indiewebcamp :)
#
barnabywalters
it’s totally on-topic
#
rascul
see i decided that markdown got silly when i put a bunch of html in it anyway
#
rascul
may as well just do it all in html instead of mixing markups all over the place
#
barnabywalters
rascul: personally I author articles and notes in markdown, manually adding HTML whenever necessary, but only save the HTML
#
barnabywalters
so future edits are to the HTML
#
barnabywalters
I’ve found that to be a good balance of markdown as a convenient authoring tool, and HTML as a precise, long term archival
#
rascul
also i don't have to keep any meta data around which makes it easier
#
tobiastom
damit. looks like I lost the genrator for that tests…
#
tobiastom
nice, time machine for the rescure.
tantek, dybskiy, ttepasse, pfefferle, jsilvestre and BjornW joined the channel
#
tantek
rascul, I'm very interested in your compare/contrast in using HTML vs markdown as your format for writing articles
#
tantek
here's a question, how about markdown, but put all the metadata in an HTML block at the top (instead of goofy JSON-like syntax)
#
tantek
i.e. is there some hybrid approach that would be get benefits of both?
#
rascul
hrm interesting idea you have
#
tantek
hasn't tried it. just thinking out loud based on what you said.
jonnybarnes joined the channel
#
rascul
tantek your idea is excellent that's what i'm going with now
#
rascul
i didn't want to use any sort of meta data because that stuff is already in the articles in microformats
Sebastien-L and caseorganic joined the channel
#
tantek
rascul - right, that was the idea. just a top level <article class=h-entry> with all the other (non content) properties right there at the top, and then </article> at the bottom
#
tantek
or even <div>
#
tantek
<div class=h-entry>
dybskiy, dybskiy_, scor, chloeweil and luxagraf joined the channel
#
luxagraf
is #indiechat logged anywhere? I'm curious what the markdown problem is that you're talking about
#
rascul
no problem, i was just considering not using it since i end up writing html anyway, then tantek came up with a solution that works for me
#
@ShaneHudson
@ryanhavoc That's too static for my needs, sadly! I need database (or a very strong data structure) for comments, webmentions etc
(twitter.com/_/status/476356831569514496)
#
GWG
!tell acegiak Might want to check out the latest push
#
Loqi
Ok, I'll tell them that when I see them next
#
luxagraf
i have a question for the no database crowd. how and where do you store incoming webmentions?
#
jonnybarnes
what is micropub
#
Loqi
Micropub is an API spec that is used to create h-entry or h-event posts on one's own domain using third-party clients http://indiewebcamp.com/micropub
#
barnabywalters
luxagraf: http://indiewebcamp.com/Taproot#Storage — any further questions, just ask
chrissaad joined the channel
#
@strwbrryLttr23
@jmenglund03 Perfect timing -- come join us next Wednesday! Would be great to meet you! https://www.facebook.com/events/805644702779370/ #indieweb
(twitter.com/_/status/476359182967263234)
#
luxagraf
barnabywalters: so you pull in the stored webmentions as the post is built and written out to html?
#
barnabywalters
luxagraf: yep, “querying” a CSV file
#
barnabywalters
I’m barely in the no-db crowd, I just have a fake database :)
#
luxagraf
barnabywalters: yeah, CSV huh? that's always seemed like a very fragile format to me.
#
luxagraf
barnabywalters: but it is pretty unlikely to corrupt data
pfefferle joined the channel
#
barnabywalters
luxagraf: yep, and can be rebuilt in seconds and is rather fast
dybskiy joined the channel
#
cweiske
the libraries accessing the csv file are the ones that corrupt them
#
cweiske
not the data themselves
#
luxagraf
cweiske: true.
brianloveswords, caseorganic and caseorga_ joined the channel
#
jonnybarnes
aaronpk: I can't log into indiewebcamp.com
#
jonnybarnes
I get RelParser::SSLError at /auth/start
#
jonnybarnes
file: relparser.rb
#
jonnybarnes
location: rescue in load_page
#
jonnybarnes
anyone else getting indieauth errors?
snarfed joined the channel
#
cweiske
but I don't use ssl
#
acegiak
GWG: missing bracket? :P
#
Loqi
acegiak: GWG left you a message 45 minutes ago: Might want to check out the latest push
#
GWG
acegiak: We all make mistakes.
#
cweiske
indieweb homepage points 2 and 3 are diametral
#
GWG
But, I was talking about kind-functions
#
cweiske
"your articles go to all services" vs. " with no one monitoring you"
#
acegiak
functions look good. ill have to check how the classes look for repost with comment
#
luxagraf
jonnybarnes: worked for me.
#
barnabywalters
cweiske: indeed, “monitoring” is too vague in this case
#
barnabywalters
“censoring” or “controlling” might be more accurate
#
GWG
acegiak: I based the functions on the syntax of existing Wordpress functions. kind_class is based on body_class.
#
GWG
acegiak: Besides, you can add additional cases. Anything for which there isn't a specific case will add in the kind slug as a class.
#
acegiak
yeah makes sense
#
cweiske
because now, every service is monitoring you
#
cweiske
which means that groups doing surveillance only need to monitor one service now instead of multiple :)
#
aaronpk
jonnybarnes: argh...
#
barnabywalters
cweiske: not necessarily — take the extreme case of facebook listening to the audio as you post, that can only be done by compromising people’s servers
#
aaronpk
that error is supposed to be caught better now
#
jonnybarnes
clicking rescan says there was an SSL error
#
barnabywalters
but agreed, the terminology could be better
#
cweiske
ah, you mean the microphone?
#
jonnybarnes
this is appearing in my nginx access.log if it helps: 173.230.155.197 - - [10/Jun/2014:16:27:48 +0200] "GET / HTTP/1.1" 200 5475 "-" "-"
#
jonnybarnes
I'm not sure what the 5475 part means
#
cweiske
number of bytes sent from the server
#
aaronpk
hm in this case i'm actually getting a more specific error that just isn't being displayed
#
aaronpk
"SSL ERROR: hostname does not match the server certificate"
#
barnabywalters
cweiske: yeah :/
#
barnabywalters
fortunately such things can’t be done without explicitly giving permission on web devices
gRegor` joined the channel
#
barnabywalters
s/web devices/web browsers
#
Loqi
barnabywalters meant to say: fortunately such things can’t be done without explicitly giving permission on web browsers
#
aaronpk
that almost sounds like an SNI error, except that I know indieauth.com works with SNI sites because mine is one
#
cweiske
aaronpk, does the indiewebcamp.com login support custom indieauth servers, or does it foce me on indieauth.com?
#
aaronpk
cweiske: did you read the logs from yesterday? :D
#
aaronpk
indiewebcamp.com uses indieauth.com to handle authentication. that is a decision you do not need to care about
#
jonnybarnes
aaronpk: it is an SNI type error
#
aaronpk
however i'm in the process of making indieauth.com recognize custom OAuth servers
#
jonnybarnes
without the -servername option openssl s_client gets the wrong cert sent back by me server
#
aaronpk
so when signing in to the wiki, you will see something like this: https://farm4.staticflickr.com/3837/14193432239_2ac9a4e7ff_o.png
#
jonnybarnes
obv with the servername option I'm serving the correct SSL cert
#
luxagraf
barnabywalters: that we know of :)
#
barnabywalters
luxagraf: don’t even go there :)
#
barnabywalters
I trust firefox not to do such things
#
aaronpk
cweiske: more generally, IndieAuth clients should look for one or more "rel=authorization_endpoint" servers and present those as an option to the user
#
cweiske
indieauth solves the nascar problem by not showing logos except for persona
#
luxagraf
I trust even the best, well-intention programmers to make mistakes
#
barnabywalters
luxagraf: yeah, and AFAIK a complete, independant security audit of firefox hasn’t been done.
#
jonnybarnes
aaronpk: I've "fixed" the issue by getting my server to return the jonnybarnes.net SSL cert when SNI is not in use
#
luxagraf
barnabywalters: cwesiek has an interesting point though and there doesn't seem to be a page on the wiki with that criticism
#
barnabywalters
luxagraf: indeed, makes those little webcam-cover vinyl things particularly necessary
#
barnabywalters
luxagraf: cweiske: this is true. not sure where it should go — /privacy?
#
jonnybarnes
aaronpk: I've logged into indiewebcamp.com now
#
barnabywalters
so far indiewebcamp work in general has been focused more on publishing than privacy, but it’s an important factor to many here
#
aaronpk
jonnybarnes: that's bizarre... can you open an issue here and document your SSL setup and versions of web server and openssl? https://github.com/aaronpk/IndieAuth/issues
#
luxagraf
barnabywalters: or a piece of electrical tap (goes well with DIY tinfoil hat)
#
jonnybarnes
aaronpk: opening now
#
luxagraf
s/tap/tape
#
Loqi
luxagraf meant to say: barnabywalters: or a piece of electrical tape (goes well with DIY tinfoil hat)
#
luxagraf
that's my one remaining use for Flickr, sharing photos with specific sets of people. i need an indieweb way to do that on my own site.
#
barnabywalters
I’m sure we had a page on access control somewhere
#
barnabywalters
as some people have experimented with that
#
barnabywalters
ew underscores — thanks! missed that one
#
waterpigs.co.uk
created /access-control (+24) "Created page with "#redirect[private_posts]""
(view diff)
#
waterpigs.co.uk
created /private (+24) "Created page with "#redirect[private_posts]""
(view diff)
#
gRegor`
kylewm tested sharing a note only to specific URLs using indieauth
#
waterpigs.co.uk
edited /access-control (+2) "Redirected page to [[private posts]]"
(view diff)
#
waterpigs.co.uk
edited /private (+2) "argh wiki syntax"
(view diff)
#
barnabywalters
gRegor`: yep, aaronpk has that working, I used to have it working but never used it so turned it off
#
waterpigs.co.uk
edited /private_posts (+26) "linked to privacy"
(view diff)
#
luxagraf
For my specific case I suppose a simple .htpasswd would work as well as anything. Not very scalable, but then I'm not sure that's something that will ever need to scale
#
waterpigs.co.uk
created /privacy (+585) "stubbed page"
(view diff)
#
luxagraf.net
edited /User:Luxagraf.net (+84) "added goal"
(view diff)
#
barnabywalters
^^^ luxagraf, cweiske, feel free to expand /privacy with brainstorming, criticism, goals, examples etc
#
gregorlove.com
created /PGP (+17) "redirect"
(view diff)
#
jonnybarnes
ooh, a new feature for Loqi could be to announce on here things from relevant Github repos
#
gregorlove.com
edited /privacy (+10) "/* See Also */"
(view diff)
#
jonnybarnes
such as this new issue I've opened on IndeAuth: https://github.com/aaronpk/IndieAuth/issues/55
dybskiy joined the channel
#
gregorlove.com
edited /pgp (+17) "+dfn"
(view diff)
#
jonnybarnes.net
edited /micropub (+285) "/* h-entry */ sending location with a note"
(view diff)
#
cweiske
aaronpk, why does the auth code verification do a POST instead of a GET? http://indiewebcamp.com/login-brainstorming#Verifying_the_authorization_code
#
jonnybarnes
cweiske: security maybe? if the request is done over HTTPS then no-one would see the info being sent
#
cweiske
do you mean http?
#
jonnybarnes
cweiske: no, the request is to https://indieauth.com/
caseorga_ joined the channel
#
cweiske
I don't talk about https vs. http
#
cweiske
I talk about GET vs. POST
#
jonnybarnes
yeah, just realised, doesn't matter, you have to negotiate a secure connection before you make a GET request
tantek joined the channel
#
cweiske
tantek, do you know?
#
cweiske
why does the auth code verification do a POST instead of a GET? http://indiewebcamp.com/login-brainstorming#Verifying_the_authorization_code
#
aaronpk
cweiske: because GET requests are more often logged by intermediate proxy servers, etc.
GWG joined the channel
#
tantek
aaronpk - sounds like a good addition to the FAQ!
#
tantek
(especially since you have a citation)
#
cweiske
why is that a problem? the token gets only verified, and after that the token is invalid anyhow
#
aaronpk
if you like I can try to dig up the actual email from the OAuth list where that was decided
#
cweiske
btw, I don't find anything related to get vs. post in section 5
#
aaronpk
yeah section 5 just shows it's a POST. I think they moved all the notes about it to a separate doc
#
cweiske
no, sect 5 does not show it's a post
#
cweiske
that's the response
#
aaronpk
gah whered it go
#
cweiske
that sentence talks about the response, not the request
#
cweiske
you might get lost with "parameters"
#
cweiske
because one would expect "parameters" only be used for requests
#
aaronpk
here we go
#
cweiske
not response "parameters"
#
aaronpk
"The client MUST use the HTTP "POST" method when making access token requests."
#
aaronpk
yeah hm that is poorly worded
#
aaronpk
found more references
wagle joined the channel
#
jonnybarnes
how should micropub clients send location info? see what I said in location at http://indiewebcamp.com/micropub#h-entry
#
jonnybarnes
is there any accepted way?
#
aaronparecki.com
edited /authorization-endpoint (+449) "add FAQ about POST vs GET"
(view diff)
#
cweiske
thanks
#
jonnybarnes
aaronpk: did you see my issue I opened?
ttepasse joined the channel
#
tantek
thanks aaronpk
#
aaronpk
jonnybarnes: yep thanks
#
aaronpk
jonnybarnes: right now ownyourgram.com is sending a geo: URI in the "location" field, along with a separate "place_name" field
#
aaronpk
i'm not entirely happy with that but it works
#
jonnybarnes
aaronpk: what would you prefer it did?
#
aaronpk
a geo: URI for location is fine, it's the place name that i'm uncertain about
#
jonnybarnes
are geo URI spec'd anwhere? microformats wiki?
#
jonnybarnes
so what do you think is wrong with the `place_name`?
#
aaronpk
it's just kind of arbitrary
#
aaronparecki.com
edited /micropub (+112) "/* h-entry */ add example geo URI"
(view diff)
#
luxagraf
is there a way to send a webmention such that only the relevant paragraph comes through?
#
aaronpk
that's more up to the decision of the side receiving the mention
#
GWG
I probably should leave the house today.
#
GWG
As opposed to coding indieweb plugins for Wordpress
#
luxagraf
aaronpk: that's what I figured
jsilvestre joined the channel
#
GWG
acegiak: Any ideas on what should be next?
dybskiy and caseorganic joined the channel
#
luxagraf
to go back briefly to the privacy things, does anyone here have any sort of privacy policy on their site?
#
luxagraf
e.g. when you come to this site, these services can track you sort of thing
#
tantek
luxagraf yes!
#
tantek
what is tracking
#
tantek
what is disclosure
#
Loqi
A disclosure is a bit of content, typically on a home page, on an indie web site that proactively discloses some aspect about the site that the site owner wants the user to explicitly be aware of http://indiewebcamp.com/disclosure
#
luxagraf
tantek: ah, disclosure. didn't try that term
#
tantek.com
edited /disclosure (+42) "privacy policy"
(view diff)
npdoty joined the channel
#
aaronparecki.com
edited /privacy (+17) "/* See Also */ [[disclosure]]"
(view diff)
benwerd joined the channel
#
tantek
luxagraf, please feel free to add to http://indiewebcamp.com/disclosure !
#
aaronpk
this post is public now that silicon florist posted about it:
#
aaronpk
somewhat relevant to the indieweb :)
#
luxagraf
tantek: working on getting a privacy statement on my site, when that's done I'll add it to /disclosure examples
#
tantek.com
edited /privacy (+198) "provide another reference for privacy policy"
(view diff)
#
tantek
luxagraf - are you researching existing privacy policies or are you just making one up?
#
tantek.com
edited /disclosure (+14) "see also privacy"
(view diff)
#
luxagraf
tantek: i was just making one up when i thought, huh, prior art might be good here
#
luxagraf
tantek: but I'm creating a privacy policy that just says, hey, i track your visits, but no one else does
#
luxagraf
unless arcgisonline.com sends something with map tiles. hmm, have to look into that.
#
aaronpk
that's not really a privacy policy, that's disclosure
#
luxagraf
aaronpk: i was just going off wikipedia's definition: "A privacy policy is a statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client's data"
#
luxagraf
aaronpk: because wikipedia is never wrong
#
aaronpk
yeah I suppose, just feels wrong to call it a privacy policy
#
luxagraf
aaronpk: why?
#
aaronpk
a privacy policy seems like something I have to agree to in order to continue using the site
#
tantek
luxagraf feel free to start /privacy_policy
#
aaronpk
i may be overthinking it tho
#
tantek
even with just examples in the wild, even just from silos
#
tantek
links are good
#
aaronpk
yeah examples would be great
#
luxagraf
aaronpk: exactly. you're implicitly agreeing to it whenever you visit a site.
#
luxagraf
I'm not hung up on the name though, i can just add things to /disclosure
#
aaronpk
privacy policy might be better cause it's a more used term
#
luxagraf
aaronpk: doesn't mean it's better though
#
luxagraf
maybe adding a section to /disclosure that just says, "sometimes called a privacy policy" or something...
#
gRegor`
aaronpk: Ahh, that chirpify thing makes sense now. I saw your tweet and waxpancake say something about it being evil, but I didn't get why.
#
@pepelsbey_
It’s sad that @t and other guys from Mozilla are using 2012 @shower_me version for 2014 presentations — http://tantek.com/presentations/2014/05/indieweb/
(twitter.com/_/status/476398980575010816)
#
@pepelsbey
Грустно, что @t и другие ребята из Mozilla используют версию @shower_me 2012 года для презентаций в 2014-м — http://tantek.com/presentations/2014/05/indieweb/
(twitter.com/_/status/476399101610049536)
tantek, caseorganic and snarfed joined the channel
#
wtd
caseorganic: I liked your talk at AWE a couple of weeks ago.
#
caseorganic
wtd: thanks very much! glad you were there!
#
tantek
Minneapolis HWC meetup next week is a go!
#
wtd
caseorganic: Quite the event. I found it all a bit odd, but I'm not used to Silicon Valley.
#
caseorganic
wtd: where are you from?
#
wtd
caseorganic: Toronto, working in libraries.
#
caseorganic
wtd: last year's event was really good. very creative. now the industry is over the hype cycle and is applicable to industrial applications, enterprise and adverts
#
wtd
Heh, exactly.
#
caseorganic
wtd: want to continue this convo in #indiechat?
#
wtd
caseorganic: Sure, let move windows around.
#
caseorganic
any people in toronto interested in hosting a HWC or IndieWebCamp?
dybskiy, tantek, emmak, j12t and paulcp joined the channel
#
GWG
I am once again trying to figure out what a like looks like
iangreenleaf and j12t joined the channel
#
GWG
Anyone have strong feelings about it?
#
aaronpk
hasn't figured out what that's going to look like on his site yet
#
GWG
Maybe I should start with reply, but like seemed easier to code
barnabywalters joined the channel
#
barnabywalters
GWG: designing how to display a post is way more effort than writing the plumbing for it, so I’d recommend reply if you’re unsure how to display likes
#
GWG
I agonize over every decision
dybskiy, jsilvestre and squeakytoy joined the channel
#
bret
GWG: just do something and let the agony lead you
#
bret
even if its a small, unoticeable increment it will feel good
#
GWG
I also have to, because of my modular design, design two versions
#
bret
who is the second version for?
#
bret
i dont understand
tantek and chrissaad joined the channel
#
GWG
I am using WordPress, so the plugin needs a barebones implementation, and then I want a deluxe version in the theme
#
@jalbertbowdenii
@StanZheng i publish all my twitter shit via api onto my site. browser offers built in search. could be betta. #ownyourdata
(twitter.com/_/status/476422374334926848)
#
Loqi
gives GWG a deluxe version in the theme
eschnou joined the channel
Kyle-K joined the channel
#
benwerd
Whoa. Spoke to Domain of One's Own yesterday
#
benwerd
they've already written a POSSE plugin from Known => WordPress.
#
benwerd
Fast work.
#
@nobantu
Registration is OPEN for #IIW XIX #19 Take advantage of SUPER EarlyBird Prices now: https://www.eventbrite.com/e/internet-identity-workshop-xix-19-2014b-tickets-11845172229 #identity #VRM #UMA #Indieweb
(twitter.com/_/status/476426983463596032)
#
aaronpk
hm might be fun to go to that again!
#
caseorganic
aaronpk: yeah! i liked that one
#
aaronpk
that was the one I went to with benwerd and erinjo and kevinmarks a few weeks ago at the computer history museum
#
caseorganic
aaronpk: yay! comp hist museum
#
Loqi
does a happy dance!
eschnou joined the channel
#
caseorganic
aaronpk: i'll be speaking in nyc - perhaps i could fly to sf on the way back
#
aaronpk
hm! that could work!
shaners, lupinedev and gavinc_ joined the channel
#
aaronpk
whoa orchestrate.io is phasing out Persona login in favor of user/pass http://orchestrate.io/blog/2014/06/10/userauth/
#
aaronpk
that's like an... auth death?
#
aaronpk
what's the proper header for that on the /Persona page?
#
aaronparecki.com
edited /how-to-sponsor (+2551) "add more event background and details"
(view diff)
#
tantek
aaronpk - see /OpenID
#
aaronpk
#Shutdowns
cweiske joined the channel
#
aaronparecki.com
edited /Persona (+300) "add "shutdowns" section and note orchestrate.io"
(view diff)
KartikPrabhu and lionzan joined the channel
#
aaronparecki.com
edited /how-to-sponsor (+964) "/* Sponsorship */ reorganize sponsor amount sections"
(view diff)
#
cweiske
aaronpk, http://indiewebcamp.com/login-brainstorming - auth request: what is "state"? is that parameter app-specific?
KartikPrabhu joined the channel
#
cweiske
does the auth server have to support it?
#
aaronpk
it just passes it through, doesn't need to interpret it or anything
#
cweiske
can I invent my own parameters that the auth servers have to support?
#
aaronpk
no, that's what state is for
#
aaronpk
you can encode data in it if you want, or use it as a session token
#
cweiske
what is "response_type"?
#
aaronpk
this one i'm not 100% sold on yet. in OAuth 2.0, response_type will be either "code" or "token"
#
cweiske
login-brainstorming tells me to default to "id"
#
aaronpk
it's not really possible to support "token" for indieauth
#
cweiske
auth-brainstorming has "code"
#
aaronpk
OpenID connect supports an additional "id" type
#
cweiske
why do I have to put "state" manually in the callback url? why isn't it already part of the callback url?
#
aaronpk
so my thought is that it will be either "id" or "code". in the case of "id" it means the consumer is not requesting authorization, just authentication
#
aaronpk
if you omit response_type then it's the same as not asking for authorization, so that's why it defaults to "id"
#
aaronpk
re: state in the callback URL, who is "I" in your question?
#
cweiske
the server
#
@veganstraightedge
"The Internet With A Human Face" has so many great #indieweb lessons in it. http://idlewords.com/bt14.htm
(twitter.com/_/status/476443474015703040)
#
cweiske
the server gets it as parameter separate from the callback url, but is required to put it into the callback url when redirecting back
#
aaronpk
the callback URL shouldn't be dynamic per request so that callback URLs can be registered
#
aaronpk
"state" is allowed to vary per request
paulcp joined the channel
#
cweiske
why should callback urls be registered?
#
aaronpk
without registration it's easier to perform a redirect attack. more background here: http://tools.ietf.org/html/rfc6749#section-3.1.2.2
#
cweiske
ok. how does the client website register the callback at the server?
#
aaronpk
haven't written this part up yet, but the idea is for the client to publish its registered redirect URIs on its web page with a <link> tag
#
aaronpk
and since client IDs are always URLs, it's all discoverable that way
#
cweiske
I have the feeling the deeper I proceed in this rabbit hole, the more complex indie auth becomes
#
aaronpk
so for client_id https://example.com/ a server can find its valid redirect URIs by looking for <link rel="redirect_uri" href="https://example.com/callback"> at example.com
#
aaronpk
you asked
#
cweiske
yes, I asked. we'll see if indieauth is really simpler than openid
#
cweiske
I do still have my doubts
#
aaronpk
so far signs point to yes
#
cweiske
ha. not even everything is documented yet
#
aaronpk
and yet there are still a bunch of sites that use it :)
#
shaners
cweiske: at the very least, indieauth is MUCH easier as a user.
#
shaners
i can't speak to ease as an implementor, yet
#
cweiske
yes, you and your dunstkreis
#
aaronpk
believe me i'm trying really hard to make sure this doesn't rely on centralized services. at the same time, building login mechanisms is the last thing most peope want to do, so using swappable services for parts is useful.
gavinc_ joined the channel
#
cweiske
aaronpk, authorization request as described on http://indiewebcamp.com/login-brainstorming - is that a GET or a POST?
#
GWG
!tell acegiak Pushed again, updated roadmap with plans. Starting to build display elements
#
Loqi
Ok, I'll tell them that when I see them next
#
aaronpk
GET, because the browser is directed there with a Location header
erikmaarten joined the channel
#
cweiske
may it be a POST?
#
aaronpk
hm oauth2 says MUST support GET and MAY support POST http://tools.ietf.org/html/rfc6749#section-3.1
#
cweiske
and there is no location header. the login form on the wiki does a get request by the browser's form submit
#
aaronpk
i'm not sure why you'd want to do it as a post
#
aaronparecki.com
edited /login-brainstorming (+273) "/* Authorization Endpoint */ clarify directing the user to the auth endpoint with a Location header or link"
(view diff)
ttepasse joined the channel
#
aaronparecki.com
edited /how-to-sponsor (+278) "/* Sponsorship */ trying to make this look better"
(view diff)
#
cweiske
ok, now I understand. I have to discover the auth server first
#
cweiske
location makes sense then
barnabywalters and pauloppenheim joined the channel
#
aaronparecki.com
edited /how-to-sponsor (-132) "/* Sponsorship */ remove css"
(view diff)
fmarier joined the channel
#
cweiske
aaronpk, may the auth code be used multiple times?
#
aaronpk
(looking for citation)
#
cweiske
then I do not see why a POST needs to be made to verify the code. since it cannot be used multiple times, the validation request itself invalidates the code
#
cweiske
and thus cannot be used again
#
aaronpk
in practice most implementations allow the code to be used for x seconds, like 30 or 60, during which period it will be accepted multiple times
#
aaronpk
that is in order to avoid needing to store state on the server
#
aaronpk
indieauth.com currently stores the auth codes in a database but i'm going to replace that soon so that it doesn't require a DB
caseorga_ joined the channel
#
aaronpk
my token endpoint doesn't require any backend storage because it uses self-encoded tokens for everythign
caseorga_ joined the channel
#
@kevinmarks
RT @veganstraightedge: "The Internet With A Human Face" has so many great #indieweb lessons in it. http://idlewords.com/bt14.htm
(twitter.com/_/status/476456813286551553)
#
cweiske
so all data is encoded in token?
#
@Sociability
"The Internet With A Human Face" has so many great #indieweb lessons in it http://idlewords.com/bt14.htm (via @veganstraightedge)
(twitter.com/_/status/476457057856782336)
tantek joined the channel
#
aaronpk
looks like I was wrong about the auth code being used more than once. http://tools.ietf.org/html/rfc6749#section-4.1.2
#
aaronpk
"A maximum authorization code lifetime of 10 minutes is recommended. The client MUST NOT use the authorization code more than once."
#
aaronparecki.com
edited /authorization-endpoint (+1045) "/* FAQ */ add some more FAQs"
(view diff)
#
aaronparecki.com
edited /how-to-sponsor (+1078) "/* Sponsorship */ add details about sponsorship levels"
(view diff)
vanderwal joined the channel
#
tantek
anyone want to try a webrtc demo with talky.io in the next half hour?
#
tantek
I'm at W3C AC meeting, talking about tools
etymancer joined the channel
#
aaronparecki.com
edited /how-to-sponsor (+0) "/* Sponsorship */"
(view diff)
#
aaronparecki.com
edited /how-to-sponsor (+35) "/* Sponsorship */ add $ to the table"
(view diff)
#
aaronparecki.com
edited /how-to-sponsor (+31) "/* Sponsorship */ capitalize sentences"
(view diff)
Loqi joined the channel
#
@temporaryhuman
"How do we build an Internet we're not ashamed of?" MT @veganstraightedge: Internet w/ A HumanFace #indieweb lessons http://idlewords.com/bt14.htm
(twitter.com/_/status/476463243087855616)
brianloveswords, emmak_, Sebastien-L and lionzan_ joined the channel
#
bret
tantek: still need a demo?
#
tantek
hey bret
#
tantek
talky.io/w3c
#
bret
who is the epic beard?
#
bret
was the audio okay?
krendil joined the channel
#
aaronparecki.com
edited /2014/SF (+99) "/* Photos */ add photos"
(view diff)
snarfed, chrissaad and tantek joined the channel
#
tantek
bret - audio was good! Thanks much!
#
tantek
epic beard? this was a W3C meeting, you'll have to be more specific
caseorga_, dybskiy, benwerd and wtd joined the channel
#
aaronpk
hah best bio ever... "I write cache invalidation protocols, then name them" - https://twitter.com/mnot
#
aaronpk
i want to ask him if he can count to 2 as well
#
barnabywalters
aaronpk: “I wrote a cache invalidation protocol, then named them”
#
aaronpk
barnabywalters++
#
Loqi
barnabywalters has 45 karma
#
aaronpk
you win that joke
#
cweiske
aaronpk, did you have an app that supports authorization_endpoint?
#
aaronpk
ownyourgram.com does
#
aaronpk
it does the authorization on its own, not using indieauth.com even
#
cweiske
unfortunately, all want more than plain auth
#
cweiske
(token and micropub)
#
aaronpk
yeah, sorry
#
aaronpk
you can just point to https://tokens.indieauth.com/token for your token endpoint and put in a fake micropub endpoint if you want to test it
#
@t
Presented @W3C AC meeting on how @IndieWebCamp develops/implements specs (e.g. Webmention) WITHOUT email, ... http://tantek.com/2014/161/t1/w3c-ac-how-developed-specs-without-email
(twitter.com/_/status/476477108366348290)
#
aaronpk
it won't try to do anything with the micropub endpoint until you make a request
paulcp and KartikPrabhu joined the channel
#
cweiske
it works
#
tantek
nice!
#
cweiske
so I've got a indieauth-openid proxy now
#
aaronpk
whoa sweet!
#
cweiske
proxies all indieauth requests to the user's openid server
#
aaronpk
wow. congrats
#
tantek
cweiske++ for keeping the flame alive
#
Loqi
cweiske has 7 karma
#
cweiske
<link rel="authorization_endpoint" href="http://cweiske.de/indieauth-openid/www/" />
#
cweiske
everyone could use that one already
#
tantek
and for loosely joining the small pieces
#
tantek
seriously, well done.
#
cweiske
ok, time for bed now
#
@jorgeegomez
RT @t: Presented @W3C AC meeting on how @IndieWebCamp develops/implements specs (e.g. Webmention) WITHOUT email, ... http://tantek.com/2014/161/t1/w3c-ac-how-developed-specs-without-email
(twitter.com/_/status/476478474312757248)
#
@domenicoperri
RT @t: Presented @W3C AC meeting on how @IndieWebCamp develops/implements specs (e.g. Webmention) WITHOUT email, ... http://tantek.com/2014/161/t1/w3c-ac-how-developed-specs-without-email
(twitter.com/_/status/476480647871991808)
fmarier joined the channel
#
kylewm
huh, i think i'm confused. where https://indieauth.com/openid is a way to use indieauth as your openid provider, cweiske's proxy is a way to use openid as your micropub authorization endpoint?
#
aaronpk
haha yeah, it's the opposite
#
aaronpk
assuming you already have an openid endpoint, you can use his proxy to turn it into an indieauth endpoint
#
kylewm
cool!
#
kylewm
(i was confused because indieauth is my openid provider, so obviously got sent to indieauth when i went through his endpoint)
#
aaronpk
i'm gonna have to use it on a test domain for signing in to these test apps. it's getting to the point where I need to be able to sign in as different users using different mechanisms to test everything
#
aaronpk
kylewm: hahaha wow
#
aaronpk
yeah indieauth.com is serving several roles in this picture, which makes it kind of confusing to talk about
#
bret
i wanna make more graffles
#
bret
i just wish there was an esier way to share them
#
bret
the vector export failed pretty badly
tantek joined the channel
#
aaronpk
nice! I should totally do that too.
#
aaronpk
but it would be based on my current location, not just my hometown
#
bret
incorporate location
#
GWG
What is a graffle?
#
bret
omnigraffle
caseorganic joined the channel
#
GWG
bret: Haven't gotten to authorization yet
#
GWG
bret: Although I would have if I was going A to Z
#
GWG
I'm sort of meandering around the indieweb
#
bret
The endpoint is the fun part
#
bret
i skipped auth and tokens
#
bret
cause its easy to skip those
#
@davidkidd
@EdwardTufte This reads more like an argument for getting "a wonderful secretary" to handle your email, rather than ditching email.
(twitter.com/_/status/475520098027851776)
#
@mohamed
@sivers I like the idea of dealing in batch versus constant attention as a way to maintain focus.
(twitter.com/_/status/475538853995220992)
benwerd joined the channel
#
tantek
aaronpk, bret - interesting coincidence, fall of 1989 (september to december) was the quarter when Knuth taught his last class at Stanford as well (I was fortunate enough to take it).
#
bret
haha no way?
#
tantek
so it makes sense that he was able to drop email, since he no longer had to communicate with students re: classes.
#
tantek
as of 1990-01-01
#
bret
he passed along his taste for email i see ;)
#
tantek
I didn't read his screed about email until MUCH later - in fact - only after I wrote EmailEfail
#
tantek
tantek.com/w/EmailEfail
benwerd joined the channel
#
bret
some of those links have been murdured by about.me
dybskiy joined the channel
#
tantek
benwerd snarfed, SF location for next week's Homebrew Website Club? http://indiewebcamp.com/events/2014-06-18-homebrew-website-club
#
tantek
notes there's a Minneapolis location already :)
#
tantek.com
edited /Events (+103) "Chicago and Minneapolis"
(view diff)
#
tantek.com
edited /Main_Page (+19) "/* Homebrew Website Club */ -London, +Minneapolis"
(view diff)
#
aaronpk
ironically it seems that more people have rel=nofollow on their twitter and github links than rel=me
#
bret
hey, might be spam
benwerd_, paulcp and tantek joined the channel
vanderwal and kylewm joined the channel
#
snarfed
!tell tantek definitely! we'll start planning now
#
Loqi
Ok, I'll tell him that when I see him next
#
snarfed
benwerd_: thoughts on hwc 6/18? matter, quip, …?
#
KartikPrabhu
re: email - if you need a "wonderful secretary" to handle email you're doing something wrong... (says me who has never gotten loads of email)
tantek joined the channel
#
Loqi
tantek: snarfed left you a message 17 minutes ago: definitely! we'll start planning now
#
tantek.com
edited /Main_Page (+1) "/* Homebrew Website Club */ e"
(view diff)