#indiewebcamp 2015-03-10

2015-03-10 UTC
#
pwcc
At some point I was linked to a micropub client for live tweeting a conference talk. Can't remember the link, anyone know?
#
pwcc
meeting, brb
Guest_ joined the channel
KartikPrabhu joined the channel
#
KevinMarks
!tell pwcc might have been noterlive.com but that doesn't (yet) support micropub
#
Loqi
Ok, I'll tell them that when I see them next
KartikPrabhu, interactivist, KevinMarks_, Guest____ and G________ joined the channel
#
tantek
Good afternoon #indiewebcamp - I'm deep in the depths of writing a blog post about web standards and security, but thought I'd check in here to see what's new for the past few days.
#
Loqi
tantek: elf-pavlik left you a message on 3/9 at 3:04am: please check your messages on #social (W3C), otherwise Henry may have problems with reaching you http://socialwg.indiewebcamp.com/irc/social/2015-03-08/line/1425835447131
#
tantek
!tell elf-pavlik I'll check #social messages before the telcon. When did you become Henry's secretary? And perhaps you can encourage him to write his opinions as blog posts on his own personal site. I'm still preferring to focus on fixing microformats examples in AS.
#
Loqi
Ok, I'll tell them that when I see them next
#
pwcc
back from meeting.
#
Loqi
pwcc: KevinMarks left you a message 45 minutes ago: might have been noterlive.com but that doesn't (yet) support micropub
#
pwcc
KevinMarks: thanks, that's the one - will be making use of it for a couple of confs in coming weeks.
KevinMarks_ joined the channel
#
KevinMarks
great - let me know if you have any problems
#
tantek
KevinMarks: not sure what you mean by noterlive does #2 except for … where the … includes the key aspect: offline
#
KevinMarks
noterlive works offline
#
KevinMarks
in that it puts the notes into the post buffer
#
tantek
really? where does it store the posts to be tweeted?
#
KevinMarks
in the raw field
#
tantek
I'm going to have to see you demonstrate this on Wednesday
#
KevinMarks
though it doesn't mark which ones have sent
#
tantek
how is the field persisted locally?
#
KevinMarks
browser form persistence :D
#
tantek
without local persistence, it's not really a sufficient/good offline
#
tantek
wow - that's the first time I've heard of an app being built depending on that
#
pwcc
GWG: haven't thought about IWFP it a great deal more than the issues I've already popped in. Will go through my "one click" post and turn it into an issue dump.
#
tantek
makes me wonder if we should expose the availability of that feature as a navigator.() DOM query
#
KevinMarks
well, I was going to use local storage but I found it tended to persist
#
GWG
acegiak: You want in on the Fun Pack?
#
tantek
KevinMarks: I know that "browser form persistence" works in Firefox. Are there any other browsers that support it? Especially mobile?
#
KevinMarks
chrome does it well too
#
KevinMarks
not tried on mobile as much
#
KevinMarks
but the pages recur after launch
j12t joined the channel
#
tantek
Would be interesting if the local field storage could keep track of <a class="u-syndication"> links for each post that made it to Twitter.
#
tantek
That way it would mark which ones have been sent
#
KevinMarks
hm, doable
#
KevinMarks
I think I have a callback for that
#
tantek
plus those would make sense within the context of the HTML from that form field for your eventual summary post
#
KevinMarks
I might need an extra field as buffer
#
kylewm
what is browser form persistence?
#
pwcc
KevinMarks: Oh that's soo what I wanted. Not being micropub makes it a little easier :)
#
KevinMarks
well it was my itch
#
KevinMarks
but posting to micropub too would be good
#
pwcc
Eventually, now easier with the updating defined in the protocol.
j12t joined the channel
#
GWG
I'm thinking of making my h-card look like the Google Knowledge graph box.
#
tantek
what is Google Knowledge Graph?
#
GWG
Google doesn't mind if I inspire myself with their designs, do they?
#
GWG
But, tantek, just for asking, I'm going to have to use the tantek knowledge graph as an example.
#
tantek
oh dear
#
GWG
I could do Dave Winer. Hmm...he went to my high school.
G________ joined the channel
#
david.shanske.com
uploaded /File:tantek-knowledge-graph.png "Example of a Google Knowledge Graph Display"
snarfed joined the channel
#
GWG
Not sure if that is the best definition
benwerd_ joined the channel
#
tantek.com
edited /Google_Knowledge_Graph (+197) "stub, bold dfn, expand a bit with tie to use in search results, linky, see also"
#
tantek.com
edited /Google_Knowledge_Graph (-25) "dedup search from dfn"
#
tantek
GWG - take a look - tried refining your dfn
yakker joined the channel
#
ben_thatmustbeme
tantek re: itches, I have MobilePub working to post photos, but the save while offline hasn't been working quite yet
#
ben_thatmustbeme
but it is an app. i know you are opposed to that
#
ben_thatmustbeme
even though it is written with cordova, written in js/css/html
#
tantek
the save while offline is *really* important, not just for *offline* directly, but as a method of achieving asynchronicity with network availability.
#
tantek
as in - nothing in the UI should make me *wait* for the network. the posting progress of any post in particular should be an FYI / progressive bar like thing I can view, but doesn't block me from further edits / posts etc.
#
tantek
and yes ben_thatmustbeme, it's important to me to figure out how to do this purely with web platform pieces, HTML, WebAPIs etc.
#
ben_thatmustbeme
yes, exactly, it wouldn't take much to get it to the point of auto-submitting once it is online again
#
ben_thatmustbeme
right now it works for posts, I hit 'save' instead of 'post' when offline
#
ben_thatmustbeme
then when online i can have it submit all posts that i made while offline
#
tantek
my point is that there should be no difference in your experience
#
tantek
with whether you hit save or post
#
tantek
except that post also immediately returns like save, but maybe has an asynchronous progress bar
#
tantek
like a downloads window in reverse. I suppose an "uploads" or "posts" window
KartikPrabhu joined the channel
#
ben_thatmustbeme
yes, its something i want to work towards
#
ben_thatmustbeme
its just a matter of free time
#
ben_thatmustbeme
right now its more of a proof of concept
#
tantek
a-ha - it's an itch for you too - add it to your Itches!
#
ben_thatmustbeme
been tracking work on it here for nowhttp://indiewebcamp.com/MobilePub
#
ben_thatmustbeme
s/nowhttp/now http/
#
Loqi
ben_thatmustbeme meant to say: been tracking work on it here for now http://indiewebcamp.com/MobilePub
lukebrooker_, jacus, Guest19267, KartikPrabhu, wolftune, Gu_______, tantek, gRegor`, snarfed, Jay- and lukebrooker joined the channel
#
acegiak
GWG: wats this about a fun pack?
#
GWG
acegiak: Basically, a github project for little WordPress indieweb bits
#
acegiak
GWG: sounds good
gRegor`_ joined the channel
#
GWG
acegiak: Got any ideas for it
#
acegiak
I have so many tiny side plugins
#
GWG
The idea is to put bits together, sort of Jetpack style
#
acegiak
maybe work prepop post into it?
#
acegiak
plus there's my weird little posse plugin
#
GWG
I added my domain whitelist into it
#
acegiak
good plan
#
acegiak
is anyone else using the blogroll as a friends/subscription list?
wolftune joined the channel
#
GWG
Not sure
#
acegiak
GWG: is there a indieweb post kinds migration function somewhere?
#
acegiak
I've preemptively backed up this time :P
#
GWG
acegiak: No.
#
GWG
acegiak: It changes over on display, post by post.
#
GWG
Instead of migrating.
#
GWG
I thought it would be less destructive.
#
acegiak
so it's triggered when a post is displayed?
#
GWG
Yes
#
acegiak
version 1.2.1?
#
GWG
Yes. I made another minor tweak.
#
acegiak
isn't changing for me?
#
GWG
Did you check the box: Do Not Store Cached Responses?
#
acegiak
where is that?
#
GWG
The Post Kinds settings page
#
acegiak
I don't see the post kinds setting page in the dashboard menu
#
GWG
Maybe I should invert that setting.
#
acegiak
oh because I have to activate the post kinds settings page in a file?
#
GWG
It is under settings in my version
#
GWG
I meant, the cache settings
#
GWG
Maybe it should be select to cache.
#
acegiak
but why can't I see the settings page?
#
GWG
Instead of select not to cache.
#
GWG
I'm not sure. First person who said they couldn't.
#
acegiak
whats the url?
#
GWG
But, if I need to change something, tell me
#
GWG
wp-admin/options-general.php?page=iwt_options
#
acegiak
deactivated and reactivated the plugin seems to be working
#
GWG
Odd
#
acegiak
hmm. a bunch seem to be displaying double now? but the conversion seems to have worked otherwise
#
GWG
I'm still going to invert that setting
#
acegiak
wait, I see
#
GWG
acegiak: You are running an older version of mf2_s, I think.
KartikPrabhu joined the channel
#
acegiak
I was! all fixed!
#
acegiak
yay! I'm up to date!
#
Loqi
giggles
#
GWG
I mentioned the theme support changes, I think
tantek joined the channel
#
GWG
acegiak: Keep me posted on your thoughts and impressions
#
GWG
acegiak: For the first time, I added RSS support and Semantic Linkbacks support to the plugin.
#
acegiak
how so?
#
GWG
acegiak: pfefferle pointed out the context box doesn't appear in the RSS feed. I fixed that.
#
GWG
acegiak: Also, because the comment text Semantic Linkbacks generates is based on post formats, I had to mod that
#
acegiak
ah cool
#
GWG
acegiak: I keep iterating.
#
tantek
posted about simplifying web standards, heavily inspired by work & experience on indieweb tech, and definitely applicable to social web wg efforts: http://tantek.dev/2015/068/b1/security-towards-minimum-viable-web-platform
#
GWG
tantek: tantek.dev...
#
tantek
grr - sorry
#
tantek
I need a paste filter for that
#
@benwerd
"No one had to be approved to get put on the web." The Internet is rigged: https://medium.com/@davepell/the-internet-is-rigged-d74b342505f0 #indieweb
(twitter.com/_/status/575147899027226624)
KartikPrabhu and tantek joined the channel
#
tantek
aside: first reference (AFAIK) on the web to "minimum viable web platform", which frankly, I find shocking.
snarfed, Guest_, tantek and KevinMarks_ joined the channel
#
snarfed
hey mf2 people, is it kosher to nest u-* classes?
#
snarfed
ie is this valid mf2? <a class="h-card u-url" href="...">Bob <img class="u-photo" src="..." /></a>
#
tantek
snarfed: I don't think that means what you think it means
#
snarfed
tantek: ok, thanks
#
tantek
you *must* nest any property class names *inside* the root class name
#
tantek
any property class name on the same element as a root class name applies to the containing object
#
tantek
e.g. in your example - it's valid, however the u-url is a property of whatever is *outside* the h-card
#
tantek
that's how class="p-author h-card" works
#
snarfed
i don't entirely follow, but honestly i probably don't need to
#
tantek
the p-author applies to the containing h-entry, not the h-card
#
tantek
and it must
#
tantek
it's a totally consistent simple rule
#
tantek
property have to go inside the root. period.
#
tantek
s/property/properties
#
Loqi
tantek meant to say: properties have to go inside the root. period.
#
snarfed
i believe it's a consistent simple rule, i've just never really grokked markup fundamentals. ie it's not you, it's me :P
#
snarfed
don't worry
nloadholtes joined the channel
#
tantek
snarfed: in the case where all you're trying to do is make an h-card with a name, URL, and photo, you can use the very simple h-card with just root class name
#
tantek
thought I put that in the issue
#
tantek
gets a link to an example
#
snarfed
oh, actually, nm. the like does what i want. so the key thing is to not declare u-url or u-photo explicitly
#
tantek
right, always be lazier by default :)
#
snarfed
and in this case, you *have* to be for it to parse correctly…?
#
tantek
snarfed - no, you have to either keep it simple, or if you want to be more explicit, you have to add more markup
#
tantek
there's no halfway there
KevinMarks__ joined the channel
#
tantek
it's the halfway trying to do extra work that gets you into trouble ;)
#
snarfed
thanks
#
snarfed
i am so the wrong person to implement all this :P
#
snarfed
but no matter!
KevinMarks___, lukebrooker, KevinMarks_ and Unifex joined the channel
#
@CaptainKurtis
@benwerd @peacekeeper Man, I'm still working towards getting this type of set up. Say, will you be at the #indieweb conference in Boston?
(twitter.com/_/status/575175742037741569)
KevinMarks__ and lukebrooker joined the channel
#
Loqi
[mention] posted 'My has kept me quite busy and this leads to me often catching up on how things in various communities I lurk/inhabit after I’ve been...' linking to https://indiewebcamp.com (/bearlog/2015/069/static-site-hybrid)
elf-pavlik, cweiske, friedcell, LauraJ, Jihaisse, KartikPrabhu, krendil, nloadholtes, michielbdejong and sanduhrs joined the channel
#
@metrotipu
disband the press!! #indieweb @dewanpers "@maspiyungan: Ucok Sky: Why Did CSR Funds Go Into the Ahok Center? http://t.co/gb5RGZMccB"
(twitter.com/_/status/575217244378021888)
elf-pavlik, modem, KartikPrabhu, Sebastien-L, wagle_, stream7, KevinMarks_, alanpearce, scor, friedcell, frzn, interactivist and pfefferle joined the channel
#
pfefferle
good morning folks
elf-pavlik, loic_m and pfefferle joined the channel
#
fkooman
cweiske: indiecert.net should now be compatible with indieauth :)
interactivist joined the channel
#
cweiske
fkooman, that's good news
#
cweiske
what do I have to use as authorization_endpoint?
pfefferle and upper-- joined the channel
#
cweiske
hm. login on https://ben.thatmustbe.me/ does not work with indiecert; I get "No Auth Endpoint Found" - but that could be the cacert.org certificate
#
cweiske
ben_thatmustbeme, does your website accept certificates from cacert.org?
#
cweiske
and strangely, login on https://waterpigs.co.uk/ works with http (without indiecert), but for https urls I get redirected to indieauth.com
#
cweiske
!tell barnabywalters and strangely, login on https://waterpigs.co.uk/ works with http (without indiecert), but for https urls I get redirected to indieauth.com
#
Loqi
Ok, I'll tell him that when I see him next
#
fkooman
are there also some examples I can try that actually implement distributed indieauth correctly? :-)
#
cweiske
https://quill.p3k.io/ and http://ownyourgram.com/ at least show that the auth endpoint can be found
#
cweiske
I tried them all
#
cweiske
fkooman, since you have your certs from a different ca - please try ben.thatmustbe.me
dns53 joined the channel
#
cweiske
kylewm, do you still have a login form on your website? I don't find it
loic_m joined the channel
#
fkooman
cweiske: No Auth Endpoint Found is also what I get... but it seems the service doesn't follow redirects or something
#
fkooman
or doesn't work with HTTPS at all...
#
fkooman
hmm it does work somewhat
#
fkooman
if i enter https://tuxed.net
#
fkooman
but then it still says authorization failed
#
fkooman
Quill also wants a token endpoint
#
cweiske
yep, and a micropub endpoint
#
cweiske
so we can't use it to test
#
cweiske
oh, you could use the indieauth.com token endpoint for testing
#
cweiske
but then the micropub one is still missing
#
fkooman
ownyourgram doesn't have a valid SSL cert
#
cweiske
since 3 days :)
#
cweiske
aaronpk, the ownyourgram.com ssl cert has expired three days ago
ben_thawr joined the channel
#
ben_thatmustbeme
cweiske, unfortunately i don't have control over what certificate authorities I accept. I'm on a hosted solution
Pierre-O joined the channel
#
ben_thatmustbeme
shared hosting*
#
cweiske
do you verify certificates?
#
fkooman
cweiske: ben_thatmustbeme it seems that the auth endpoint is never posted to verify the code...
#
ben_thatmustbeme
i just run curl, but i believe curl will verify them
#
fkooman
maybe it is still hardcoded to https://indieauth.com/auth?
#
cweiske
yes, curl does unless you do -k
#
ben_thatmustbeme
no, i didn't hard code indieauth.com
#
ben_thatmustbeme
and I don't add the noauth option to curl
#
fkooman
ben_thatmustbeme: i don't see any request coming to indiecert.com/auth to verify the code...
#
ben_thatmustbeme
fkooman, if your cert is from cacert.org and it isn't in the root certs on the machine, I won't succeed at curling your site, and thus won't ever be able to find your auth endpoint
#
fkooman
ben_thatmustbeme: it is not, i have trusted certs everywhere :)
#
cweiske
ben_thatmustbeme, only mine is
scor joined the channel
#
fkooman
there is just no POST request coming to https://indiecert.net/auth after the authentication step is done
#
fkooman
the redirect back to your site works perfectly
#
fkooman
ben_thatmustbeme: it just says "Authorization Failed." in the top right corner
pfefferle joined the channel
#
cweiske.de
edited /authorization-endpoint (+16) "/* Software implementing the authorization endpoint spec */"
#
ben_thatmustbeme
fkooman, try again. I'm logging a lot more now
#
ben_thatmustbeme
hopefully i can nail the issue down
#
fkooman
ben_thatmustbeme: done
#
fkooman
maybe i forgot to implement something in indiecert, could very well be ;)
#
ben_thatmustbeme
woah, not what i expected... hmmm
#
fkooman
now i'm curious :)
elf-pavlik joined the channel
#
ben_thatmustbeme
i think i know what the problem might be, but fkooman, one more try please
#
fkooman
done
#
ben_thatmustbeme
oh damnit, sorry
#
ben_thatmustbeme
i logged out post instead of get
#
fkooman
what? :)
#
fkooman
done
#
ben_thatmustbeme
there is no 'me' value set when you hit the callback
#
fkooman
ben_thatmustbeme: yeah, because there doesn't have to be one :)
#
ben_thatmustbeme
i depend on that, hmmm
#
fkooman
ben_thatmustbeme: why?
KevinMarks_ joined the channel
#
ben_thatmustbeme
thats what i use to search for your auth endpoint to validate your code
#
fkooman
ben_thatmustbeme: does indieauth.com provide the me parameter?
#
cweiske
but the token/code should be enough
#
cweiske
oh wait
#
cweiske
I set "me", too
#
fkooman
ben_thatmustbeme: you use the 'state' parameter, so you have to keep state in your application as well, you can store the 'me' parameter there as well :)
#
ben_thatmustbeme
state is optional
#
cweiske
state must be supported by the server
#
fkooman
and we also really MUST enforce https:// uris
#
fkooman
ben_thatmustbeme: so you send the state parameter, but don't verify it? :-)
#
cweiske
fkooman, do you have some docs where the optionality of "me" is stated?
#
fkooman
cweiske: i didn't see any docs that say you have to provide it at all?
#
ben_thatmustbeme
must support vs required on all is different, heh but yeah, i need to walk through this code again
#
ben_thatmustbeme
the state is part of a checksumming i do, i don't store anything unless they actually get a token
#
cweiske
the example callback URL call at least includes the me parameter
#
cweiske
it does not say anything about must or optional
KevinMarks_ joined the channel
#
fkooman
cweiske: but it is not on the indieauth.com/developers page
#
fkooman
also you MUST use state to prevent CSRF
sanduhrs joined the channel
#
ben_thatmustbeme
indieauth.com/developers tells you to hard-code indieauth too
#
fkooman
and of course validate it on the callback
#
ben_thatmustbeme
fkooman, thats about YOUR endpoint supporting state
#
fkooman
relying parties must also support it of course :-)
#
ben_thatmustbeme
my client uses state, as does my endpoint
#
ben_thatmustbeme
i have to go catch my train, i'll be back in about an hour
#
ben_thatmustbeme
if i can't get on from the train that is
#
fkooman
i'm writing distributed indieauth relying party that implements all this
#
fkooman
just a lib
#
cweiske
fkooman, I think indieauth.com docs are simplified down to remove all things that make the protocol distributed
#
fkooman
cweiske: well, the me parameter is not needed to make it distributed :)
acegiak joined the channel
#
cweiske
oh, it is
#
cweiske
no, it isn't
#
cweiske
but if "me" is mandatory, then there is something less to care about
#
fkooman
it is actually dangerous, what if i change it to another value when using the callback?
#
fkooman
s/using/calling/
#
Loqi
fkooman meant to say: it is actually dangerous, what if i change it to another value when calling the callback?
#
fkooman
Loqi++
#
Loqi
Loqi has 341 karma
#
cweiske
that depends on the client
#
fkooman
yeah of course
#
fkooman
if you want to shoot yourself in the foot you can :)
#
cweiske
as a rogue indieauth server (which the user has to link from his website), you could use the changed "me" parameter to give do actually nothing.
#
cweiske
the client will verify that "me" and the code actually match
#
fkooman
you can change it to your own webpage with a different indieauth server and send back any 'me' parameter
#
fkooman
well, not if it doesn't keep state :)
pfefferle joined the channel
#
fkooman
and saying only the server needs to support state, but the relying party not makes state useless...
#
cweiske
but not for relying parties that use it..
#
fkooman
so what happens if i authenticate as https://tuxed.net and a MITM changes the callback to cb?code=12345&me=https://attacker.com ?
#
cweiske
then the client/RP asks the auth server if code and me match
#
cweiske
in the verification phase
#
fkooman
yeah, but if it uses https://attacker.com to fetch the authorization_endpoint it can be anything and return any 'me' parameter
#
cweiske
that's right
#
cweiske
that's super-stateless
#
cweiske
"what is your auth endpoint?"
#
cweiske
"what was your auth endpoint again?"
#
fkooman
exactly
friedcell, tantek, sdboyer, michielbdejong, GenioDiabolico and frzn joined the channel
#
john.onolan.org
edited /Ghost () "(-772) Removing complete crap. We rejected a PR to the default theme so that we could add Microformats in *every single* theme: http://blog.ghost.org/structured-data/"
#
john.onolan.org
edited /Ghost () "(-542) Removing complete crap. ghost.onolan.org was the first production Ghost blog in the entire world - it literally wasn't possible to "selfdogfood" anything before that site existed. This entire thing is incredibly poorly researched."
#
john.onolan.org
edited /Ghost () "(-606) Removing more crap. See last edit."
#
john.onolan.org
edited /Ghost (+5798) "Rewrote page with accurate information"
pfefferle_, wolftune and stream7 joined the channel
#
fkooman
hmm it also seems that distributed indieauth with indieauth.com returns a 'token' on the callback, and not a 'code'
#
ben_thatmustbeme
it returns code for me
#
ben_thatmustbeme
i get code, me, and state
#
ben_thatmustbeme
btw, i don't store state, state is a verification value for me. I don't store it
Gu_______ joined the channel
#
ben_thatmustbeme
trying to read back the log, kfeeman, whats the problem with it changing to attacker.com? i'll say, lets say they even happen to send a valid state param (I don't store it)
#
ben_thatmustbeme
i don't really care, they will have just logged in as attacker.com, if their auth provider agrees that the key is valid
#
ben_thatmustbeme
they are only logging in as themselves
j12t and alanpearce joined the channel
#
ben_thatmustbeme
how did i get kfeeman from fkooman
stream7 joined the channel
#
ben_thatmustbeme
dyslexia in the morning
#
ben_thatmustbeme
cweiske, not totally sure the benefits / drawbacks to supporting non-root-certs
#
cweiske
it was just a question; you don't have to
#
cweiske
cacert is a kind of special thing in my eyes
#
ben_thatmustbeme
fkooman, actually, not storing anything prior to the callback I think is better. If someone wants to use their own site to log directly in, all they have to do is generate a token for themselves (assuming they are their own auth provider)
verdi_ and j12t joined the channel
#
ben_thatmustbeme
well... hmm, didn't think that one through
#
ben_thatmustbeme
me trying to get logs..... ?h=feed&url=irc://freenode.net/#indiewebcamp
#
ben_thatmustbeme
that doesn't work quite as desired
#
ben_thatmustbeme
hehe, much better
#
ben_thatmustbeme
well i'll have something to show off, don't know how nice it will be, but I'll have some interesting strange things i have been messing with to show off for sure
#
ben_thatmustbeme
at IWC that is
#
ben_thatmustbeme
ever feel like you are talking to yourself?
#
ben_thatmustbeme
yes, sometimes
#
fkooman
:D
#
fkooman
ben_thatmustbeme: but if you do not store state and validate it, there is no point in using it, and thus you are vulnerable to CSRF attacks
#
ben_thatmustbeme
CSRF attacks?
#
fkooman
cross site request forgery
#
ben_thatmustbeme
i don't store me
#
ben_thatmustbeme
because i require the me value on callback, the request can come from anywhere, i don't care
#
ben_thatmustbeme
but the key they provide has to be valid for the auth provider listed on the me they provide
#
ben_thatmustbeme
now, if the auth provider a person is using isn't secure, thats not my problem
#
fkooman
ah okay, so you accept unsolicited authentication requests from anywhere on the web
#
ben_thatmustbeme
yeah, i don't care, all i do is curl the me val they gave me, get their auth provider, and confirm that the code they gave me works. that allows them to script authenticating with me, which i think would be pretty important once we get in to any sort of private messaging
#
fkooman
so the CSRF attack you are vulnerable to is the one where you trick a user to login to a service using your own account, exposing the user to leaking private data
#
ben_thatmustbeme
so you are saying they login to some hacker site, and that site uses the auth token to immediately log in to me as well?
#
fkooman
no
adactio joined the channel
#
ben_thatmustbeme
can you explain it a little clearer so i understand
#
fkooman
we both use 'legitimate' service X, i create a new account and use the code i obtain to redirect you to the service callback, and thus you'll be logged in as me :)
#
fkooman
so if this is a diary service where you store your deepest secrets you'll all of a sudden store them in my account :)
#
ben_thatmustbeme
"and use the code i obtain to redirect you"
#
ben_thatmustbeme
so in this scenario, I am the attacker
#
fkooman
no, you are the victim
#
fkooman
I create a callback URL with my code in it, and trick you to follow it
#
ben_thatmustbeme
okay, so i log in as you
#
fkooman
exactly
#
ben_thatmustbeme
i don't see that as really a vulnerability
#
fkooman
well, that's a different issue :-)
#
ben_thatmustbeme
i will be doing everything as you
#
ben_thatmustbeme
i will see 'logged in as "fkooman" '
#
ben_thatmustbeme
you can do that with the auth token after login as well
#
fkooman
well, that depends on how you determine 'me' as the relying party
#
fkooman
if you take the value from the URL, or the one from the verification step
#
fkooman
or maybe you compare them, and they have to be equal, then it would be a bit better :)
#
fkooman
but not all services always show logged in as 'fkooman', or maybe it is not something the user will check all the time
#
fkooman
indiewebcamp for example doesn't show it at all
#
ben_thatmustbeme
it does, but not very clearly
#
fkooman
oh you are right, at the bottom somewhere :)
alanpearce joined the channel
#
fkooman
but anyway, for serious services you don't want to be open to this kind of vulnerability is all i'm saying :)
#
ben_thatmustbeme
for posting yes
#
ben_thatmustbeme
the login on my micropub client for example is where i can see this making sense
#
ben_thatmustbeme
but for the auth on my site, there are no scopes requested, the most it would do is give them access to your private data
#
fkooman
fair enough :)
#
ben_thatmustbeme
this is also very simple to do by giving a link with the auth token in the URL, i believe aaronpk and I had set that up at one point to get autologin working to pull private messages
#
fkooman
if at least you are aware of this CSRF attack I'm happy :)
#
ben_thatmustbeme
no, thank you, i'm usually pretty security minded, but this is an interesting case of giving away access rather than trying to gain in
#
ben_thatmustbeme
s/gain in/gain it/
#
Loqi
ben_thatmustbeme meant to say: no, thank you, i'm usually pretty security minded, but this is an interesting case of giving away access rather than trying to gain it
#
fkooman
yup :)
#
ben_thatmustbeme
which is something i had not thought about, but if it were posting privately, it would certainly matter
#
ben_thatmustbeme
i think because of PHP i am vulnerable to this no matter what actually
#
ben_thatmustbeme
in order for Authorization: Bearer token bit
#
ben_thatmustbeme
to work in php
#
ben_thatmustbeme
there is some funky .htaccess
#
ben_thatmustbeme
actually i think that just changes it to a different header....
friedcell joined the channel
#
ben_thatmustbeme
feel free to poke fun at my auth code at https://github.com/dissolve/postly/blob/master/controller/auth/login.php I know what I could have to do though to get rid of it. I am trying to think of why i accept access_token in a post request. (in micropub)
#
kylewm
ben_thatmustbeme: if it is of interest, I implemented CSRF protection in my flask-micropub extension https://github.com/kylewm/flask-micropub/blob/master/flask_micropub.py#L122
#
ben_thatmustbeme
its just a matter of storing a randomized me/code at first login attempt and then validate them later
#
ben_thatmustbeme
and probably best to remove the available post values, I'm pretty sure they can't set the headers, so that part is fine
#
ben_thatmustbeme
i know we had set that up at one point, but I can't remember why
#
ben_thatmustbeme
i think aaronpk and I were trying to create a system that specifically did not require interactive login, so our sites could connect and validate without user intervention
#
jcap
is there a philadelphia indiewebcamp chapter? aaronpk?
#
jcap
I searched around but didn't come up with anything
Sebastien-L joined the channel
#
@metrotipu
Feeling Cornered by the Media, Haji Lulung: Our Slip-Ups Get Edited, Ahok's Gutter Talk Doesn't. #MediaBlackout #IndieWeb @pribumi_org @PP_Djayakarta
(twitter.com/_/status/575318217482104832)
#
ben_thatmustbeme
jcap, not that i know of, maybe its time to start one :)
pfefferle and KartikPrabhu joined the channel
#
kylewm.com
created /CSRF (+939) "stub with definition"
#
kylewm.com
edited /authorization-endpoint (-47) "/* Does the auth server have to support the state parameter */ linkify CSRF"
#
kylewm.com
edited /CSRF (+115) "add link to the OAuth2 spec"
tantek joined the channel
#
fkooman
ben_thatmustbeme: i have a REST framework in PHP that takes care of IndieAuth stuff :)
#
tantek
good morning #indiewebcamp!
#
fkooman
ben_thatmustbeme: oh, and also Bearer tokens through apache header rewrite yes
KartikPrabhu joined the channel
#
kylewm
fkooman: I took a stab at defining CSRF on the wiki, would you mind confirming I didn't say anything too dumb on here? https://indiewebcamp.com/CSRF
#
tantek
checks logs
#
tantek
wow lots of auth conversation. I'm just going to assume cweiske and fkooman and ben_thatmustbeme know what they're talking about and read the results of their subsequent wiki edits.
#
tantek
and hey look at that - a big /Ghost update from the founder himself! hopefully that's a good sign that Ghost might start supporting / deploying indieweb support!
#
tantek
hmm - I don't know about the deletion of the history and issues
#
tantek
probably worth still keeping them since they did happen
#
tantek
anyone here in touch with John O'Nolan? bret?
#
bret
who dat?
#
fkooman
kylewm: i think the attack to protect against is a little different
#
bret
I dont use ghost
#
tantek
didn't you send the pull request to add microformats?
#
bret
no barnaby I think, I sent a PR to pump
#
tantek
hmm - in his edit claiming they were adding microformats to the core, they linked to http://blog.ghost.org/structured-data/ which only mentions metacrap
KartikPrabhu joined the channel
#
fkooman
kylewm: but the link to the OAuth spec is very clear I think... maybe that should be copy/pasted instead :)
#
bret
i read their priorities are interoperating with the major social networks, and not focusing on indieweb or other distributed strategies
#
fkooman
kylewm: the OAuth spec says MUST, why do you make it SHOULD? :)
#
kylewm
fkooman: I was hoping to have a quick blurb that explains it in the context of IndieAuth since it is not clear in the IndieAuth spec yet that the state param is needed
#
kylewm
no point in copy pasting the spec, we can remove the parts that are unclear in my definition and just link to it
#
kylewm
fkooman: MUST is fine
#
aaronpk
If anything is MUST in OAuth 2, we should have it be MUST for IndieAuth too since IndieAuth is mostly a subset of OAuth 2.0 plus identity
#
Loqi
aaronpk: kylewm left you a message 1 day ago: the "prev" link on https://indiewebcamp.com/irc/2015-03-09 goes back two days to 2015-03-07... daylight savings time edge case? :)
#
aaronpk
kylewm: lol probably. I think I find "previous day" by doing -86400 which of course there are fewer seconds in a day on DST change
#
KartikPrabhu
aaronpk: since IndieAuth is a subset (not superset) it need not adopt any MUSTS of OAuth2
modem joined the channel
#
kylewm
John O'Nolan's wiki edits seem to have been made in anger :(
#
KartikPrabhu
what is Ghost?
#
kylewm
and copy pasted from wikipedia
#
fkooman
kylewm: i'm just gonna remove support in indiecert for requests that do not have a state parameter :-)
#
bret
its like wordpress for node, but has a more focused feature scope
#
aaronpk
Do I need to make a giant notice on the edit screen that says do not copy paste from Wikipedia?
#
kylewm
This is basically vandalism...
#
aaronpk
fkooman: do it! But also make sure to add a helpful error message for when the state is missing, with links to docs and such
#
aaronpk
kylewm: is he at least using ghost for his main site instead of Wordpress now?
#
kylewm
and makes some comment about microformats being supported by http://blog.ghost.org/structured-data/ which just discusses silo metacrap
#
kylewm
aaronpk: yeah I added that to the wiki a long time ago, that he was self-dogfooding as of whenever
#
KartikPrabhu
interesting that he took the time to setup indieauth and all that just to do that
#
tantek
kylewm yup - any copy pastes from wikipedia should be reverted - incompat license
#
aaronpk
Hey john.onolan.org is running ghost now, that's progress
#
kylewm
aaronpk: it has been for a long time
#
tantek
ok we should revert the page to the last version before his edits, and then apply updates according to citable facts, e.g. john.onolan.org is running ghost
#
aaronpk
Feel free to revert the Wikipedia import and also update the section that says his site wasn't running ghost
#
tantek
not just update, but move it to history
loic_m joined the channel
#
tantek
important to capture how long it takes a creator to start selfdogfooding
#
tuxed.net
edited /CSRF (+137)
#
kylewm
fkooman++ thanks for the revisions!
#
Loqi
fkooman has 3 karma
wagle joined the channel
#
kylewm
aaronpk: tantek: that's why I was a little surprised he was angry about the current state of the page, because i thought it accurately reflected the history and current state of things...
#
kylewm
may have been overly critical
#
tantek
of course it was critical (because it was accurate) and of course he took it personally - that's no surprise at all
#
tantek
nevermind that there's a Ghost *Foundation* now - talk about institutionalizing a /monoculture
#
aaronpk
Well regardless of anyone's feelings, the Wikipedia text can't be on our wiki
#
tantek
yup - please revert to before all his edits accordingly
#
kylewm
this is a lot like the issue with Dave Winer, Ghost encourages self-publishing and independence... the wiki should reflect that
#
tantek
kylewm: yes the wiki should reflect both their stated intent, and their actual actions (and lack thereof)
#
kylewm
minor incompatibilities with our principles and/or plumbing shouldn't be like the "primary" thing on the page
#
tantek
kylewm: agreed
KartikPrabhu joined the channel
#
tantek
better to start with what something does that *does* agree with our principles, and put Issues / Criticism in a section farther below
#
tantek
except for obsolete and legacy tech, which should be clearly called out in the definition, along with what has superseded it
#
kylewm
!tell bear I got an Internal Server Error from your site when I sent this wm https://kylewm.com/2015/03/woo-glad-to-have-you-on-the-case-it-s-one-of-those
#
Loqi
Ok, I'll tell him that when I see him next
#
bear
kylewm yep, looking at it now - I saw the log this morning
#
Loqi
bear: kylewm left you a message 28 seconds ago: I got an Internal Server Error from your site when I sent this wm https://kylewm.com/2015/03/woo-glad-to-have-you-on-the-case-it-s-one-of-those
#
bear
thanks for the issue note!
wolftune joined the channel
#
@kylewm2
@JohnONolan thanks for your edits the indiewebcamp wiki; we can’t copy verbatim from Wikipedia (incompatible… https://kylewm.com/2015/03/johnonolan-thanks-for-your-edits-the-indiewebcamp
(twitter.com/_/status/575335102957252608)
#
bear
sighs
#
bear
computering is hard
#
rhiaro.co.uk
edited /User:Rhiaro.co.uk (+208) "A couple more itches"
#
rhiaro
It still blows my mind how I get an IRC notification for an edit before my browser has even finished loading the page
#
tantek
and that is the fundamental challenge for building a browser based "reader" to replace IRC.
#
tantek
good luck on beating that latency (aaronpk, ben_thatmustbeme, etc.)
#
rhiaro
In other news, I discovered my indieweb talk is still up on the livestream site for anyone who missed it :) http://new.livestream.com/accounts/8047110/events/3803239
#
tantek
rhiaro: awesome!!!
#
rhiaro
I'm not sure how much longer for
#
tantek
is there any way to persist it somewhere, e.g. can you upload to archive.org's media/video hosting?
#
rhiaro
I filed an issue to prompt someone to upload it to their Vimeo channel
#
tantek
do you have license to do so?
#
tantek
archive.org is better than the Vimeo silo
#
rhiaro
I don't have the file
#
tantek
can you request it?
#
rhiaro
I have done
#
rhiaro
The next door neighbour of one of the event organiser is who did the recording... so the communication channels aren't fast or straightforward
#
rhiaro
I could always screen record it from the livestream if I have time
#
millette
step 1) display: none on the login overlay; step 2) grab video url
#
rhiaro
oh yeah, i forgot you have to log in ... good solution!
#
aaronpk
that's what I did to watch it... display:none ftw
#
rhiaro
There's a list of talks on the wiki somewhere I was going to add it but now I can't find it..
#
rhiaro
s/it/the talks page
#
Loqi
rhiaro meant to say: There's a list of talks on the wiki somewhere I was going to add the talks page but now I can't find the talks page..
#
millette
1.7 GiB video file
tilgovi and danlyke joined the channel
#
tantek
definitely upload it to archive.org
#
tantek
they'll do all the cross-conversions and everything
#
Loqi
slack/snarfed: millette: looks like youtube-dl also supports livestream.com, for next time
#
Loqi
slack/snarfed: very easy
#
rhiaro.co.uk
edited /videos_about_the_indieweb (+272) "Edinburgh indieweb talk video"
#
tantek
rhiaro++
#
Loqi
rhiaro has 15 karma
#
rhiaro
I hope downloading this mp4 doesn't upset my internet connection too much for SIP for socialwg :)
pfefferle_, snarfed, wolftune, Sebastien-L and KevinMarks_ joined the channel
Guest_ and KevinMarks_ joined the channel
#
@JohnONolan
@kylewm2 Well I wrote the wikipedia page so AFAIK I have first ownership and copyright of the content ;)
(twitter.com/_/status/575337885785792512)
#
aaronpk
that is true then
#
aaronpk
as long as no other edits were made on WP
#
aaronpk
and then if he contributes it to the IWC wiki he's making it CC0 licensed
#
kylewm
still no point in replicating wikipedia
#
aaronpk
i agree
interactivist joined the channel
#
kylewm
brief but interesting discussion of how they use the P2 theme internally at wordpress instead of email here http://fourhourworkweek.com/2015/02/09/matt-mullenweg/
#
kylewm
warning, that's a long long podcast
#
kylewm
the email talk starts around 39 minutes in
Guest_, snarfed, tilgovi, KevinMarks_, KartikPrabhu, marclaporte, friedcell, j12t_ and _________ joined the channel
#
bret
kylewm: probably didn't like what was there?
#
kylewm
bret: are you referring to the Ghost edits?
#
kylewm
yeah, it was totally unnecessarily critical
#
bret
we need to fix that
#
fkooman
aaronpk: hm, i am playing with distributed indieauth, but it seems indieauth.com returns a token parameter instead of a code parameter
#
kylewm
it's beautiful software that's helping people publish on their own domain
#
kylewm
we don't need our wiki page to just be full of criticisms
#
bret
im going to start a list of criticisms i find that need revising as I come across them
#
kylewm
bret++
#
Loqi
bret has 56 karma
#
bret
its a turnoff to those people who need to see them when they show up
#
bret
obv, not just blanket delete them, but at least try to take into consideration how the person who runs the project will take it
#
bret
maybe I should start by criticizing my own works pitfalls
#
bret
s/need to see/might benefit from the feedback
#
snarfed
kylewm++
#
snarfed
bret++
#
Loqi
kylewm has 134 karma
#
Loqi
bret has 57 karma
#
bret
but first, need to get a job for bills and stuff
#
kylewm
I'm not totally sure how to retain the information that was captured at the time... like it's interesting that barnaby opened a microformats pull request, and it's nice to have a link to it
#
kylewm
without the page being like "THEY REJECTED MICROFORMATS!"
#
kylewm
bills--
#
kylewm
job++
#
Loqi
bills has -1 karma
#
Loqi
too much karma!
#
snarfed
kylewm: maybe an "Indieweb-related work" section with links to the commits and PRs and neutral descriptions?
#
snarfed
including both barnaby's and the one john mentioned
#
kylewm
"We rejected a PR to the default theme so that we could add Microformats in *every single* theme: http://blog.ghost.org/structured-data/"
#
kylewm
snarfed: yeah I like that
#
KevinMarks
do they support mf2?
#
KevinMarks
or just silos
#
kylewm
just silo metadata
#
kylewm
so that's a misunderstanding between us and him
KevinMarks_ joined the channel
#
GWG
_s for WordPress rejected microformats 2 pending support in core.
LauraJ joined the channel
#
KevinMarks
vote me up plz
#
KevinMarks
is unsure of the reddit dialect
#
bret
GWG: we had a core WP contributor at HWC a while back. he was enthusiastic about the idea but again, monoculture projects are pretty adverse to any idea not as large as themselves
#
Loqi
slack/kylewm: kevinmarks: http://i.imgur.com/ZC4Bm.gif
#
GWG
bret: I have a ticket filed with Wordpress. Maybe I need a patch.
#
GWG
bret: What was the person's name?
#
bret
GWG: i dont remember he pops up in my twitter stream routinely ill ping you next time I see his pic
#
bret
(with the name)
friedcell joined the channel
#
GWG
bret: Kennedy by any chance? I saw him suggesting mf2
#
KevinMarks
do we have patterns for to do lists?
#
bret
GWG: unfortunately I only remember the face... have his URL handy?
#
bret
KevinMarks: not that I know of
#
GWG
Would have to look it up.
#
KevinMarks
do you remember which HWC?
KevinMarks_ joined the channel
#
bret
late 2014
#
bret
*i think*
#
KevinMarks
I may have it in notes
#
bret
hes noted as a participant im pretty sure just cant look right now
#
GWG
Either way, no one other than pwcc has commented on my ticket.
#
GWG
Might have to propose actual code.
#
KevinMarks
code is a good idea
#
GWG
KevinMarks, core is hard because of its scale.
#
snarfed
KevinMarks: itches is the todo pattern?
#
GWG
I am not against trying. I think I may need help.
#
KevinMarks
I mean to mark up as mf2/indieweb
KartikPrabhu1 and LauraJ joined the channel
snarfed and stream7 joined the channel
#
Loqi
slack/kylewm: the most upvoted question on that timbl AMA is a two parter, and one part is "What are your views/thoughts/feelings on the modern internet?"
#
Loqi
slack/kylewm: way to ask a specific question dude
iandevlin joined the channel
#
aaronpk
fkooman: indieauth.com returning a token instead of code is legacy because existing implementations rely on it
#
KevinMarks
which timbl ignored
#
aaronpk
if you pass a client_id you'll get back a code
#
fkooman
aaronpk: yeah, i found that out :-) i'll add client_id, and which parameters are required when verifying? and the accept header has no effect ;)
#
aaronpk
hey it's only been a day, give me some time to add it ;)
#
fkooman
:D
#
aaronpk
everything used for authorization is required when verifying
#
fkooman
makes sense :)
#
@voxpelli
@maxogden Some #indieweb! Really looking forward such a diverse future – so many great ideas stifled in the current silo mono-culture
(twitter.com/_/status/575379679089201152)
#
aaronpk
are you doing authorization or authentication?
#
fkooman
aaronpk: but even state?
#
fkooman
authentication
#
fkooman
oauth doesn't require state
#
aaronpk
oauth2 doesn't require state because people couldn't agree
#
aaronpk
but it basically requires state
#
fkooman
but i mean on the code verification step in the POST
#
aaronpk
you're right
#
fkooman
(it is not even mentioned in the spec, also not optional)
#
aaronpk
huh that might be worth me asking the OAuth WG about
#
fkooman
but i don't really see the benefit of providing the state again, as state is useful for the client only
#
fkooman
to keep state, or basically as a csrf_token
#
aaronpk
i'm trying to think if there is some benefit to prevent CSRF attacks again
#
fkooman
i never saw it used anywhere or even be required...but yeah that doesn't necessarily mean anything :)
#
aaronpk
fkooman: ok yeah now i'm curious about this
#
fkooman
aaronpk: my guess, it is not needed :)
#
aaronpk
my question is why
#
aaronpk
or if it is actually bad if it's included
#
fkooman
aaronpk: well, for client csrf protection it is not needed I think, state will suffice, but maybe it could have some other benefits...
#
aaronpk
i think i may have included it because for indieauth there are N number of authorization servers
Unifex joined the channel
#
aaronpk
whereas for OAuth 2.0 there is only one
#
fkooman
in my oauth server i don't even store the state value at all
KevinMarks_ joined the channel
#
fkooman
the client_id, (redirect_uri) and code bind it to a client
#
aaronpk
yeah it's meant for client verification only...
#
aaronpk
huh now I can't figure out if we need it for this or not... gonna have to keep thinking about it
#
fkooman
i'll include it for now with a FIXME
#
fkooman
or maybe indieauth.com doesn't really need it, but it just doesn't complain if it is missing, didn't test that
#
aaronpk
indieauth definitely checks to see if it matches
#
aaronpk
we can keep discussing there
friedcell and PMurphs joined the channel
#
PMurphs
ohai
#
ben_thatmustbeme
aaronpk, fkooman brought up a good point about security with our methods for autologin across domains
frzn, michielbdejong and krendil joined the channel
#
@davewiner
@BrendanEich @dangillmor @davepell -- bust out of the silos. do something good for freedom on the net. it ain't over yet.
(twitter.com/_/status/575392570009911296)
#
KevinMarks_
Hah, thank you autocorrect for meme as même
KevinMarks_ and snarfed joined the channel
#
kylewm
puts down the Slack
#
bear
is this channel now sync'd with slack ?
#
bear
nice!
Tilley joined the channel
#
bear
if I didn't have 5 slacks already open I would join
KartikPrabhu joined the channel
#
@bblfish
Drama at @W3C Social !! Explosion of channels! The Group can't communicate https://www.w3.org/Social/track/issues/19 #indieweb #social
(twitter.com/_/status/575404904442916864)
#
aaronpk
lol wut
#
KevinMarks
henry is using twitter to ping us
#
aaronpk
it worked!
#
elf-pavlik
;)
#
Loqi
elf-pavlik: tantek left you a message on 3/9 at 5:53pm: I'll check #social messages before the telcon. When did you become Henry's secretary? And perhaps you can encourage him to write his opinions as blog posts on his own personal site. I'm still preferring to focus on fixing microformats examples in AS.
#
elf-pavlik
:D
interactivist joined the channel
#
elf-pavlik
what is webfinger?
#
Loqi
WebFinger is a discovery protocol for the web that uses email address-like identifiers to get info about users; it has been largely superseded on the indieweb by the use of personal web sites and representative h-card https://indiewebcamp.com/WebFinger
#
elf-pavlik
fkooman, ^ ;)
#
tantek
scrolls up about 143 lines ;)
#
fkooman
Aaarrgh
#
fkooman
and JSON signatures are better than XML signatures
#
fkooman
runs
#
@manusporny
Video explanation of how Linked Data Signatures work (JSON-LD + Cryptography): https://www.youtube.com/watch?v=QdUZaYeQblY #jsonld #w3c
(twitter.com/_/status/568091383686414336)
#
@manusporny
A video introduction to verifiable credentials on the Web (JSON-LD + Cryptography + Identity): https://www.youtube.com/watch?v=eWtOg3vSzxI #jsonld #w3c
(twitter.com/_/status/568139303102099456)
#
fkooman
noo comment :)
#
elf-pavlik
getting silly - time to sleep ZZZzzz...
#
aaronpk
Not sure if elf-pavlik is serious or trolling
#
@mapkyca
Good read, and the last paragraph sums up why #indieweb and similar are important to avoid a very dystopian future http://www.theguardian.com/technology/2015/mar/10/nsa-gchq-technology-create-social-mobility-spy-on-citizens?CMP=share_btn_tw
(twitter.com/_/status/575415804621164545)
#
elf-pavlik
aaronpk, bit trollish of me :S
#
elf-pavlik
let's talk another day how you verify 2000 likes on a post
#
elf-pavlik
i mentioned this example with how I understand IndieWeb does it in... mailing list email :| https://lists.w3.org/Archives/Public/public-credentials/2015Mar/0007.html
#
bret
elf-pavlik: lets see a 2000 liked post verified with json-ld in the wild
#
bret
30 likes is better than 0 from what I've seen
#
tantek
anyone had a chance to repair the /Ghost page?
#
aaronpk
bret++
#
Loqi
bret has 58 karma
#
bret
elf-pavlik: i have nothing against json-ld, other than i've seen few REAL examples of its use in a social context, and find it generally harder to comprehend and use
#
bret
please prove me wrong
#
elf-pavlik
bret, challenge taken! meanwhile i recommend checking out more explanatory videos http://json-ld.org/learn.html
#
bret
im not going to take the time to learn something when the authors cant even use it for the advertised purpose
#
bret
ive read a bit about it, and understand the claims
#
tantek
you know that expression (maybe it's a meme?) "cool story bro", perhaps it's time to start "cool silo post bro"
#
bret
thats a github repi
#
tantek
as in, nice youtube link, cool silo post bro
#
bret
s/repi/repo
#
Loqi
bret meant to say: thats a github repo
#
tantek
or perhaps better syllabic parallelism...
#
tantek
cool sharecrop bro
#
tantek
what is sharecrop?
#
Loqi
sharecropping in the context of the IndieWeb is the practice of primarily or exclusively creating/publishing content on silos as opposed to doing so first (or primarily) on your own site, and those that do publish primarily or exclusively on silos are known as sharecroppers https://indiewebcamp.com/sharecrop
#
bret
AS is used widely in pump and activity-streams-unofficial, so I can SEE the use
#
tantek
bret - which version of AS in each?
#
elf-pavlik
please don't get me wrong, i very much appreciate your attitude!
#
tantek
referring to AS as "AS is used" or "AS is supported" now has the same problem as "RSS is used" or "RSS is supported"
#
bret
my blog is marked up with mf2 and can interpret other blogs with a similar markup
#
bret
i just dont see it from json-ld other than theory
#
tantek
elf-pavlik: I think bret is just asking to see some …. links …. to your …. data …. ;)
#
bret
i mean well elf-pavlik :)
#
elf-pavlik
bret++
#
Loqi
bret has 59 karma
#
bret
json-ld has a LOT, dont get me wrong, I just dont see how I can use it... and I need to see how others use it first
#
elf-pavlik
you have a very good point! http://socialwg.indiewebcamp.com/irc/social/2015-03-10
KevinMarks_ joined the channel
#
elf-pavlik
i'll start with merging https://github.com/elf-pavlik/webprofiled into https://github.com/hackers4peace/plp-provider and then will start publishing more on wwelves.org and hackers4peace.net!
#
elf-pavlik
good night #indiewebcamp
#
bret
sweet! definitely do what you think is right :)
#
Loqi
gute nacht!
#
bret
later
#
bret
simple usage patterns are just as important as specs in a lot of ways
#
bret
at least in my experience
#
tantek
continues to appreciate fkooman aaronpk ben_thatmustbeme going deep on auth and stuff
#
tantek
good night elf-pavlik!
#
tantek
thanks for implementing what you believe in. you're helping grow the web.
#
tantek
implementing *and* deploying *and* posting
#
bret
what I really want to hear more from in the socialwg is some direction from people who use AS extensively IE evan and snarfed
#
tantek
bret, which AS?
#
bret
the json version? i thought they were using a fairly similar set of AS
#
tantek
bret - haha that's funny
#
tantek
I mean, can you even cite a URL of what version of AS either (or any implementation) is using?!?
#
tantek
just like RSS, sure the versions are similar, but also strangely different and incompatible.
#
tantek
at least RSS has thousands (millions?) of feed URLs out there across numerous different codebases producing it (though a huge proportion is likely versions of wordpress)
#
snarfed
deja vu, i've talked about this a bit before re AS and a-u
#
tantek
kylewm: right. and my site publishes AS 1.0 / Atom/XML (not JSON)
#
tantek
but what version does pumpio support? anyone?
pwcc joined the channel
#
pwcc
Good morning indiewebcamp.
#
bret
tantek: i think json 1.0
#
tantek
!tell aaronpk I found broken permalinks on caseorganic.com - namely all presentation posts appear to have died / gotten redirected. E.g. http://caseorganic.com/presentations/2013/10/19/1/files/slides/?full#6 gets redirected to a completely different presentation :/
#
Loqi
Ok, I'll tell them that when I see them next
#
snarfed
re a-u, short answer is, i'm not strongly attached to AS specifically. when i started the project (beginning of 2012), i just wanted *some* common social data format, and AS seemed the most appropriate
#
tantek
reuse++ snarfed
#
kylewm
snarfed: unfortunately I think that makes you a leading authority on AS
#
Loqi
reuse has 2 karma
#
snarfed
lol sad
#
snarfed
right now most a-u users are either 1) indieweb or 2) academics/hobbyists who feel the same way, ie they want something common but don't care much what
#
tantek
yeah AS eventually become more talk than code by even the creators/authors of it, who I think were tired of continuing to switch backend syntaxes from Atom, to JSON, to JSON-LD etc.
#
tantek
feels like a bunch of format-fashion-farting around
#
tantek
we'll see if any implementation bothers with switching to JSON-LD - since no user-level advantages have been demonstrated
#
tantek
millette good to know. so no one is bothering with AS 2.0 JSON nevermind JSON-LD.
#
tantek
what is pump.io?
#
millette
well, pump hasn't moved in 8 months either
#
millette
I figured Evan was too busy with w3c :-(
#
tantek
millette that's not encouraging, that's about how long social web wg has been "very" active, perhaps distracting evan from pump :(
#
tantek
this is not good. I'm not sure what pump or indieweb is gaining from socialweb wg.
#
kylewm
I think it has more to do with e14n switching gears
#
tantek
we were both brought in to co-chair to help bring more practical perspectives to the social web wg
#
millette
kylewm, what do you mean?
#
tantek
but it seems like it has both slowed us down, and simultaneously few people there actually *want* to learn about indieweb or pump innovations
#
kylewm
millette: I'll look for a permalink
#
fkooman
distributed indieauth working with support for indieauth.com and indiecert.net (https://www.tuxed.net/distributed-indieauth-demo/)
#
millette
kylewm, I know after statusnet he wound down from a few employees to just him - if that's what you mean
#
millette
but that was a few years ago (I was one of those employee)
alanpearce joined the channel
#
tantek
millette were you at the Federated Social Web Summit of 2010 or 2012?
#
bret
an indieweb/pump bridge would be an interesting project
#
kylewm
millette: ok i can't find a specific announcement, but Fuzzy.io was founded in Sept last year, just a little after pump development stopped
#
millette
tantek, no, I don't get out much. Haven't left Canada in 20 years and I don't even think I'm allowed in the USA.
#
bret
i wonder what it would take to get bridgy to work as such
#
millette
I hadn't heard about fuzzy
#
bret
it would be nice not to have to posse to pump, as bridgy assumes now
#
bret
(or pesso)
#
tantek
hmm - I'm not seeing any response from evan.prodromou.name nor Evanprodromou.name - anybody else?
#
snarfed
bret: sounds like ostatus?
#
bret
snarfed: i should read about it
#
bret
at least for context
#
tantek.com
created /User:Evanprodromou.name (+120) "stub with an h-card and note context"
KartikPrabhu joined the channel
#
snarfed
(rusty at best)
#
tantek
bret - never seen him sign-in with indieauth with that URL
#
tantek
feel free to update his user page if you wish
#
bret
tantek: because no mf2
#
tantek
bret - indieauth does not require any mf2, only rel=me
#
bret
i thought rel=me was part of mf2?
#
millette
rel=me, it's so old it's cool :-)
#
tantek
millette - what we call "well established" :) or "legacy" when there's something better. ;)
#
bret
tantek: the other issue is pump profiles are not subdomains
#
tantek
bret - rel=me was introduced in XFN 1.1 in 2004.
#
bret
so... anyone with a profile on a pump url can sign in for the entire pump server
#
tantek
bret - please add to /pump.io#Issues !
#
tantek.com
edited /rsvp (-56) "/* IndieWeb Examples */ use user templates"
#
bret
the larger issue is with indieauth
#
bret
actually, im not sure, does indieauth only work on the root domain?
lukebrooker joined the channel
#
bret
ie https://e14n.com/evan would check for rel=me on only https://e14n.com/?
#
tantek
bret nope, see elf's sign-in for example
#
tantek
the wwelves perpetual tripper one
#
bret
so you can slug scoped signin?
#
tantek.com
created /Template:evanpro (+152) "create since I'm using"
#
tantek
bret - by default RelMeAuth works on URLs, not just domains
#
tantek
with IndieAuth, and in particular IndieWebCamp's subset of IndieAuth, we enforce a tighter policy
#
tantek
to encourage independent domain ownership
#
bret
nm what i said, i need to look into it more
KartikPrabhu joined the channel
#
KevinMarks
realising that todo's are a bit like invite/RSVPs
#
tantek.com
edited /cURL (-177) "curlable deserves its own page"
#
tantek.com
edited /curlable (+234) "stub its own dfn page"
KevinMarks_ joined the channel
#
tantek
KevinMarks example URL of a To Do that shows what you mean?
#
loqi.me
created /js;dr (+142) "prompted by tantek and dfn added by tantek"
#
GWG
Good time period all
lukebrooker joined the channel
#
tantek
GWG indeed ;)
#
GWG
tantek: I look forward to saying it in person soon enough.
#
tantek
GWG - oh I thought meant the recent few hours, like since the morning (PDT)
#
GWG
I just didn't feel like getting into the chat room standard time issue, actually
#
GWG
But I was enjoying the discussion as I read up
#
@kevinmarks
“All your fancy front-end-JS-required frameworks are dead to history, a mere evolutionary blip… ” @t http://tantek.com/2015/069/t1/js-dr-requires-javascript-dead #indieweb
(twitter.com/_/status/575440658015485952)
snarfed, yakker, KevinMarks_ and KartikPrabhu1 joined the channel
#
@bblfish
Updated issue 19 with a publicly readable pointer to the OuiShare use case http://bblfish.net/tmp/2015/03/10/OuiSharetechnicalcomplexity.html #indieweb #social
(twitter.com/_/status/575445240091406336)
#
tantek
interesting, bblfish has learned to use hashtags for distribution
#
tantek
hopefully one day he will post notes to his own domain instead of just sharecropping on twitter