Socialwg/2016-03-17-minutes


Social Web Working Group 5th face-to-face

17 Mar 2016

Agenda

See also: IRC log

Attendees

Present
tantek, wilkie, dmitriz, eprodrom, rhiaro, aaronpk, shevski, ben_thatmustbeme, cwebber, tsyesika, sandro, Karli, AnnBass
Regrets
Chair
eprodrom
Scribe
ben_thatmustbeme, Ben Roberts, cwebber2, rhiaro, wilkie, sandro



Agenda Items

Prelude: Positive work environment

annbass: I have a comment. The socialwg interest group has always been considering what it is they are to do. it is still an open question if we need such a group.
... My suggestion is to move the IG to be a Community Group (CG), so that anyone in the world can participate, without being a W3C member or Invited Expert. I suggest the main goal of the CG might be to collect additional social use cases that we haven't thought of, especially from people who haven't participated before, or who are from cultural environments we personally haven't experienced.
... so I do think there are use cases we aren't aware of.

tantek: do you want some time to talk about that?

<dmitriz> @rhiaro - there is an issue open for what you mentioned, in fact, https://github.com/w3c-social/activitystreams-validator/issues/16

annbass: yes.
... Also, I am now co-chairing the W3C Positive Work Environment Task Force (PWET) with Amy van der Hiel. Our interest in the consortium is to make a good place to work and so I would like some feedback, public or private, about the w3c and what could improve.
... the challenges haven't been where I thought they would be

tantek: such as?

annbass: you would think about diversity and such but the problems have been mainly technical

tantek: and some social interactions

annbass: yeah

tantek: that's a problem that has made it up fairly far in the organization

annbass: how we can address that is something worth discussing

tantek: yeah, there is what you could say is w3c's broad tolerance for different social behaviors.
... which are obstacles to technical discussion and finding solutions. so if we could find solutions to that.

annbass: yeah, and certainly there are people who have a problem with this. such as women or quieter people who have a problem with people who are strongly argumentative and vocal.

shevski: which is what tantek was saying. those people can be disruptive and at times bullies.
... the problem is when nothing happens to those people visibly, then people see that and say 'I don't want to be involved. this is not a safe space.'

annbass: me too. I see that and I try and then I say "nah, I'm done"

tantek: and you've seen that at the highest

annbass: I'm not sure about that. But we've all seen it in various situations. What can we do to improve?

shevski: a code of conduct is what you do

annbass: we have one

tantek: it's a rather new thing

annbass: no, it has been there for 10 years I think
... but also, what we have to do is maybe training

Karli_: the problem with a code of conduct is that people may not see it or it isn't enforced and people don't respect it

annbass: another thing is that people don't realize THEY have behaved that way, even when you call it out; that they have done something wrong and correct for that

shevski: on the community group stuff. I like having /something/ is good.
... having something from the community about what they want is good. such as "I want quick communication among many devices" and there isn't that.

tantek: *whispers* that's not social, those are machines

shevski: but it is! I'm talking to people. through machines.

tantek: [evan enters] photo time!

AS2 open issues

eprodrom: has everybody taken a look at the issues?

<eprodrom_> https://github.com/jasnell/w3c-socialwg-activitystreams/issues

<ben_thatmustbeme> https://github.com/jasnell/w3c-socialwg-activitystreams/issues

eprodrom_: what I would like to do is work from oldest to newest and see what we can do to clarify those.

<eprodrom_> https://github.com/jasnell/w3c-socialwg-activitystreams/issues/249

tantek: to be clear these are ones you think need discussion

eprodrom_: these are ones that are open... let's say that of the ones we have there are 3 that are significant changes...

tantek: want to go through the hardest ones first?

<eprodrom_> https://github.com/jasnell/w3c-socialwg-activitystreams/issues/249

eprodrom_: maybe the easiest ones first?

tantek: ok

eprodrom_: 249. so, some of the examples don't have the properties described in the text. james is +1, I'm +1. so there isn't a problem with this.

tantek: if you and the other editors think something is editorial then we don't need to look at it. we trust your judgment.

<tantek> https://github.com/jasnell/w3c-socialwg-activitystreams/issues/279

<tantek> https://github.com/jasnell/w3c-socialwg-activitystreams/issues/280

eprodrom_: for the CR exit issues. we need explicit exit criteria (279), a list of separate features (280)

<tantek> https://github.com/jasnell/w3c-socialwg-activitystreams/issues/281

eprodrom_: let's just say that when these are resolved and assuming the editorial issues are solved, we're good

tantek: these are not editorial. the conformance clause is certainly normative. the separate features may be editorial but might not so you may still want group review.
... but the group has reviewed the conformance clause and said it looks good. so anything that has been reviewed can just be dropped in.
... so there is really only one thing left to review

<eprodrom_> https://github.com/jasnell/w3c-socialwg-activitystreams/issues/289

eprodrom_: the issue is we don't have a good vocabulary around relationships

<eprodrom_> http://jasnell.github.io/w3c-socialwg-activitystreams/activitystreams-vocabulary/#connections

eprodrom_: in the specification, we said there should be an external vocabulary for this

<eprodrom_> http://jasnell.github.io/w3c-socialwg-activitystreams/activitystreams-vocabulary/#dfn-relationship

eprodrom_: we don't refer to one but we talk about one

dmitriz: you show it in the examples

eprodrom_: right. if we defer this part of the specification to a TBD section about extensions, why don't we push the relationship stuff to a future extension
... it makes sense to me
... james has had a chance to comment but I feel that there isn't a reason to wait for him. my opinion as an editor is that we should just push it to extension.

<tantek> +1 on dropping relationships from AS2 per comment in issue: https://github.com/jasnell/w3c-socialwg-activitystreams/issues/289#issuecomment-197916259

cwebber2: it seems like maybe some verbs or vocab would be lost. do you know of any use-cases that may be lost by dropping this to an extension?

eprodrom_: AS1 didn't even have relationships like this

cwebber2: I'm +1 on this then. If people feel strongly about this as an extension then we can do that. it doesn't seem like a blocker for activity streams itself.
... just wanted to make sure we didn't drop something else as a consequence

tantek: I would just propose the issue and see if anyone objects to the editor's proposal
... I don't hear any objections

eprodrom_: ok I'll just mark that as group resolved

<eprodrom_> https://github.com/jasnell/w3c-socialwg-activitystreams/issues/290

eprodrom_: next one is 290. it is around transitive activities.
... the idea is to add one of the classes in vocab to core. james is fine with it. I'm fine with it. it is a reasonable thing to do.

<cwebber2> sounds good to me

eprodrom_: basically, transitive classes are an extended class and they are used often enough that it seems more useful in core.
... any objections to that?
... great
... the last one [is 292] which is adding a deleted tag to objects

<eprodrom_> https://github.com/jasnell/w3c-socialwg-activitystreams/issues/292

eprodrom_: the idea is to add a deleted timestamp to provide a tombstone for objects
... so you can have an image and they say this image has been deleted

cwebber2: this seems useful because you were already talking about 410 GONE and this would be useful certainly in activitypub and media goblin right away

<tantek> aaronpk, didn't #indiewebcamp recently discuss a dt-deleted? what was the conclusion?

eprodrom_: there are cases where you want to say this object is deleted but valid

<tantek> (or at least citation to prior discussion)

dmitriz: it can be as useful or not depending on your server's retention policy
... if you are the kind of server that commits to sending 410s whenever possible you want this, if not you may want to garbage collect and 404
... so this is an option for those servers with permanent retention policies

cwebber2: it seems this doesn't require people to do it

eprodrom_: we have seen this before and then we pushed it to an extension but seeing it come up again we consider adding it to the spec

<Zakim> aaronpk, you wanted to point out privacy implications of sharing the deleted timestamp

<cwebber2> +q

aaronpk: I think we should have a way to specify the deletion without the timestamp for when people want to delete but not disclose when

cwebber2: since there is already the deleted flag

aaronpk: what is the deleted flag

<dmitriz> I think chris means the deleted timestamp?

<tantek> per jasnell comment: "type": "Delete",

cwebber2: the thing we are discussing. for instance we can send a 'delete' verb to servers and they might ask 'why is this gone' and people can do that but it is optional.

eprodrom_: I think what aaronpk is saying is that it is good to have a delete property. but it being a timestamp there are privacy concerns.
... people want to delete things because they don't want them to be published and thus may not want it there

dmitriz: you can place the timestamp date but not return the data and just 404

aaronpk: but the problem is when you want to propagate that

cwebber2: then you can have a timestamp or boolean

aaronpk: that would solve it

<tantek> How does Twitter notify deletes?

<jasnell> this is why for Atom we came up with the deleted-entry

<jasnell> atom tombstones rfc

<jasnell> https://tools.ietf.org/html/rfc6721

eprodrom_: and if that is good we can do that. the only problem is when implementations are only checking if it is truthy, but they will likely do that anyway.

<eprodrom_> jasnell: so, deleted becomes a timestamp or boolean

<eprodrom_> Sound OK?

<jasnell> not sure I understand the privacy concerns around deleted being a date but ok

tantek: I do think the timestamp is important especially for synchronization

<jasnell> yes, having deleted as a timestamp is fairly critical for sync

aaronpk: for the twitter api, the tweets generally come through as just the data on the tweets. there are some actions that come through for instance a scrub-geo action to remove location.

tantek: so they are using keys as verbs sometimes

aaronpk: yep

tantek: what is the proposed solution?

eprodrom_: to add a deleted property to the object and its range is either a timestamp or a boolean

cwebber2: can I request we note that it is optional to handle cases where people prefer a 404

<jasnell> eprodrom_: +1

aaronpk: when there is a delete action in the stream, it should be required to have that flag to know it is deleted

<jasnell> however, if deleted is a boolean, it should be noted that synchronization will be difficult

<jasnell> it should also be noted that just because there's a deleted property in the object, it doesn't mean implementations have to delete the content

aaronpk: I'm thinking when a system is pulling in a feed, how does it know to delete, so it needs to see that delete to know when to get rid of it

cwebber2: there is a delete verb

eprodrom_: cwebber2 is addressing the idea that there is a controversy between sending a 404 or 410

aaronpk: that's pulling the individual object

eprodrom_: yes

<jasnell> also keep in mind... {"type": "Delete", "object": {"id": "http://example.org"}} works perfectly well for this too

eprodrom_: if we don't have objections, I'm going to say this is our resolution

<jasnell> without introducing a new property

tantek: this is a new introduction

eprodrom_: yeah, this is the first new property in a while

tantek: would you consider marking it as at-risk?

cwebber2: we could but we are going to use it immediately in media goblin

dmitriz: even though the field is optional

tantek: that doesn't alter the fact that it is in the spec
... [to cwebber2] that is good to know. it is useful to know.

ben_thatmustbeme: jasnell says we can add a type "Delete"

<jasnell> also, if you're going to go down the tombstone route, please make sure you take the additional security issues into consideration

cwebber2: we already have a type "Delete"

eprodrom: yeah, I think the idea there is that we have a "hole"

cwebber2: you can still see the case where you have a Photo and you want that deleted
... we could do this but it doesn't seem as interesting when the group came to some consensus around the property
... adding an object doesn't seem less tricky than adding the flag

eprodrom: the reason I like this is say you have a naive implementation and it is looking at a collection of image objects.
... if it is not aware of tombstoning it may show an image that has been deleted. or its metadata.
... however if the type has changed, the tombstone will look foreign and it will skip it.
... basically, naive implementations will do the wrong thing with the flag

<jasnell> please keep in mind that adding a tombstone does not compel anyone to actually delete anything

dmitriz: the argument is essentially if somebody writes something and is wrong to the spec it will break

<jasnell> if the content has been syndicated, the best you can do is distribute the *intent* for it to be deleted

aaronpk: it is worth considering since doing it wrong leaks information

tantek: it is good practice to assume partial implementations and decide if such a thing would do bad things for users

dmitriz: so how does it work? it replaces the id?

eprodrom: yes. it shares the id.

dmitriz: is the worry about retrieving the collection? then it is up to the server to not send that deleted image.

<tantek> what about undeleting?

aaronpk: it is talking about synch. a server has already seen the image and now needs to remove it.

cwebber2: tsyesika, how do we handle this?

tsyesika: it is much like a tombstone. it is in a tombstone table and it is a field in that table.

tantek: is there undeleting?

cwebber2: there is an undelete verb but we don't handle that

tantek: there seems to be an idea in social media: to delete and then undelete

cwebber2: there is interest in undelete and undo actions but doesn't have bearing on this decision

tantek: I'm just trying to see if the solution would be lossy for privacy purposes, but un-lossy for undeleting purposes

cwebber2: I don't see how the structure of this would prevent the UI experience
... it seems more at the API or stream level

<jasnell> this conversation is mixing two different things. (a) A server hosts its own content, publishes that content at one point, then needs to indicate that it's been deleted. (b) A consumer has received content from someone and needs to be told that it's been deleted

eprodrom: my experience is that deletion is something that gets implemented late and involves lots of bug squashing
... whereas every activity streams processor needs to handle types it doesn't recognize

dmitriz: do we say every consumer must ignore every type it doesn't recognize?

<jasnell> for both, a {"type": "Delete", "object": "http://example.org"} is sufficient. For (a) the thing being deleted simply goes away and a new activity is published indicating what happened to it. For (b) the new activity is a signal that it ought to get rid of the thing that was deleted.

eprodrom: let's not call it type "Delete" but rather "Tombstone" that has a formertype

cwebber2: former type flag?

eprodrom: yeah if you really need that

cwebber2: I'm more sold on this than I thought I would be
... in which case there is an optional field for the date. so two fields 'when' and 'formertype'

<jasnell> for undelete, if you assign an ID to the delete activity, {"id": "http://example.org/delete/1", "type": "Delete", "object": "http://example.org/note"}, you can easily follow that up with a {"type": "Undo", "object": "http://example.org/delete/1"}

tantek: maybe we give jasnell some time to reflect on this

eprodrom: ok I'll take an action to review this with jasnell this afternoon

<cwebber2> we would probably want to call it whenRemoved

<cwebber2> the type

tantek: maybe that will cause it to converge a little bit more

<cwebber2> mainly because properties can merge and "when" could appear unclear

<cwebber2> between multiple type objects at least

<cwebber2> and each property needs its own uri anyway

tantek: how well does this mesh with activity streams at large?

<tantek> format vs protocol? overlap vs separation?

eprodrom: the tombstone kind of blends in the noun or verb distinction

tantek: many of these social web implementations have delete. I also like this tombstone approach.

eprodrom: we have still a couple of questions

<eprodrom> https://github.com/jasnell/w3c-socialwg-activitystreams/issues/296

eprodrom: name is a should not a must but it is not in many of our examples

<eprodrom> https://github.com/w3c-social/activitystreams-test-documents/blob/master/vocabulary-ex161-jsonld.json

tantek: you could say the examples need to be fixed, or you could say the examples show that you don't need a name and should stay a SHOULD

<eprodrom> Most of the "Activity"

<eprodrom> "While all properties are optional (including the id and type), all Object instances SHOULD at least contain a name (or equivalent nameMap)."

cwebber2: I think SHOULD should be removed since we fold the title in to name and many don't have name. why should it be there if the biggest producer of AS doesn't have them.

eprodrom: there are many objects that have a type but not a name. I think it should remain a SHOULD.

aaronpk: if you are going to say things SHOULD have a name, I worry that people will just throw a name into things.

<eprodrom> jasnell: for Activity and IntransitiveActivity types, does it make sense to SHOULD a name?

cwebber2: there are cases where you don't know exactly what to put for it.

eprodrom: what I'd like to do is recommend we leave it as a SHOULD right now and get jasnell's feedback and follow up this afternoon

tantek: when a SHOULD is good in a spec is when it is explicit about when it is used and when it is ok to not

cwebber2: I think I would want to know the motivation for a SHOULD in the first place

eprodrom: the idea is you could take a collection of objects and show them in a list

tantek: it was required in Atom I think which is where it may be coming from

eprodrom: how about we propose to explain the reasons for this being a SHOULD

<eprodrom> PROPOSAL: explain the reasons for this being a SHOULD

tantek: I've already seen this soak up a lot of discussion time

<cwebber2> seems weird but no objections

eprodrom: with Atom, yeah

tantek: any objections to explaining why you should put a name and why you shouldn't in some other cases
... no objections, I think you are good to go on that proposal

<jasnell> re: Tombstones ... https://github.com/jasnell/w3c-socialwg-activitystreams/issues/292#issuecomment-197935286

eprodrom: dmitriz, do you want to discuss 297?

<jasnell> historically, with AS1, "displayName" was strongly recommended only when extension types were used, to give implementations something to use if they did not understand the type

dmitriz: in as vocab, we have several types for representing polls and stack-overflow-like questions and answers

<jasnell> "displayName" was not required, however, if the type was well known

<jasnell> the same rule would apply here

dmitriz: how do we handle closing polls or locking a question?

<jasnell> if the object is using a core type from the vocabulary, then name is largely optional

dmitriz: I believe jasnell's answer was "no we don't"

<jasnell> if the object is using an uncommon type or an extension type, name should be provided

<eprodrom> jasnell: Good example

tantek: does anybody implement polls?

eprodrom: statusnet

tantek: should we mark polls at-risk
... this fits jasnell's answer that this can be done as extension

eprodrom: I think it makes sense to have it be an extension

tantek: any objections?

<tantek> no objections. move Poll to an extension

dmitriz: I have another issue. about 'scope' and 'context' properties in the vocabulary

<jasnell> fwiw, closing a question is actually an activity. one could easily imagine {"type": "Close", "object": {"type": "Question", ... }

dmitriz: it seems like the two are fairly similar

<jasnell> dmitriz: they aren't

<tantek> jasnell, any objection to moving Question / Poll to an extension?

<jasnell> tantek: I see no reason to move it to an extension but whatever the WG decides

<dmitriz> https://www.w3.org/TR/activitystreams-vocabulary/#dfn-scope

<tantek> (evan said it would give us a chance to give them a more proper thorough treatment that implementations that care about those would like)

<jasnell> dmitriz: scope deals with scoping the intended audience for the object and relates to the to/bto/cc/bcc fields

dmitriz: 'context' seems like reply-to and useful for comments. 'scope' seems like access control and is this appropriate at this level?

<tantek> (no current implementations - in the room - have intent to implement, hence it made sense to consider as an extension)

dmitriz: it seems to fit the same purpose as the 'to' field

cwebber2: do we have any known uses of 'scope'?

eprodrom: no

<jasnell> yes

cwebber2: can we drop it?

eprodrom: I would like to give time for jasnell to review and answer

tantek: do we open the issue?

eprodrom: yes

cwebber2: I think dropping scope seems ok

<jasnell> -1 to dropping scope

<jasnell> -1 to dropping context

<dmitriz> what is the use case for scope?

tantek: can jasnell get on talky?

<tantek> jasnell: can you get on the talky?

<dmitriz> it seems to be overloading access control / to: field

<jasnell> no I cannot, I'm on another call concurrently

tantek: alright. open the issue and note we have some consensus at the meeting. we will have to come back to it.

<tantek> but we have an important outstanding objection from jasnell so we will have to come back to it to better understand it

<tantek> jasnell, no problem, we are capturing the current state for future discussion

eprodrom: that means we are done

tantek: you have a bunch of editor, not editorial, editor actions. we only have two after that?

eprodrom: right

tantek: do we want to consider publishing a new working draft of activity streams? even before CR draft.

eprodrom: I think that makes sense. what does that mean for going to CR.

tantek: it doesn't harm anything. it just puts another draft out such that the changes between that draft and CR are fewer.
... and it helps to get stuff like the conformance section to get more review

<jasnell> re scope and context, https://github.com/jasnell/w3c-socialwg-activitystreams/issues/300

<jasnell> to/bto/cc/bcc deal with notifications

<jasnell> scope deals with scoping the audience, it's a different role than to/bto/cc/bcc

eprodrom: I should be able to have that by next telecon

<jasnell> context is something else entirely... it describes a larger context in which the object exists

tantek: you don't have to wait til the next telecon
... proposal is to publish new AS working drafts with outstanding edits completed

eprodrom: great

<eprodrom> +1

<tantek> PROPOSED: publish new AS2 working drafts with outstanding (agreed, reviewed) edits completed

+1

<ben_thatmustbeme> +1

<aaronpk> +1

<eprodrom> +1

<cwebber2> +1

<dmitriz> +1

<tsyesika> +1

<annbass> +1

<rhiaro> +1

RESOLUTION: publish new AS2 working drafts with outstanding (agreed, reviewed) edits completed

<sandro> +1

tantek: that is completely in your camp. the sooner the edits are done, the sooner we get a new draft. so close to CR.
... we have 10 minutes but lunch is here so let's break for lunch. any objections?

<jasnell> fwiw, I'm entirely -1 to removing Relationship

<ben_thatmustbeme> scribenick: ben_thatmustbeme

<tantek> chair: tantek

(continuing from informal conversation during break)

Create update and delete of social objects

<tantek> https://www.w3.org/wiki/Socialwg/2016-03-16#March_17

rhiaro: I want to start with a demo of my own

(the lunch conversation will be recapped soon)

<tantek> DEMO: Activitypub posting to a site (Amy)

<tantek> (setting up)

rhiaro: i started building posting clients
... the first i want to show is checkins. I made a checkin client, it authenticates with indieauth, and endpoint discovery the micropub way but it's an activitypub client
... (in terms of the data)

(technical difficulties)

rhiaro: creates an arrive activity on her site
... backdated the checkin so it says she has been there for an amount of time
... using another client I create an AS extension object of Consume activity with what i ate (Lunch - Free)

rhiaro.co.uk/stuff?format=json

scribe: shows the AS objects that were just created

shows another client for rsvps / travel plans / etc

rhiaro: all of these are posting activitystreams json object through activitypub by a micropub discovery method (as i just reused the code for it for now)
... the interesting thing was that i was able to do activitypub create without caring about the other parts of the activitypub spec
... when i post with quill my micropub endpoint translates it to activity pub first

tsyesika: you said it's to a micropub endpoint, do you also output the activities as microformats?

rhiaro: there are some, but in my mind these are completely decoupled. The pages use accept-headers to return AS2 json
... it is different as if you visit my endpoint (in this case the equivalent of outbox) it shows nothing
... in doing this it became really clear how close these two were together

aaronpk: i can sort of summarize from break

<tantek> aaronpk is giving a state of Micropub

aaronpk: the state of micropub is that when i created Micropub originally it was just create. That simplicity has led to many many clients.
... the main goal of micropub is to allow many clients you didn't write to post to your site
... for the majority of cases there already exists a way on your own system to edit and delete

<tantek> (how many clients do create only?)

aaronpk: that said there is also a lot of value to being able to create and delete
... i'm not super happy with the version i have in MP now
... it works, but i'm not tied to it.
... right now it accepts form encoded or json for create
... the form encoded is important for posting images and video at the same time by multipart
... i was looking to see if there was a way to use non-form encoding for update & delete but still allow files

(explains some examples from the spec)

aaronpk: It would be more convenient if there were only one path for updates as it right now allows both
... looking at the twitter API there are separate endpoints for images
... that returns an ID and then you have to just use that ID or it gets deleted in an hour
... i like that method as it gets rid of form encoded
... that simplifies the whole update and delete process for me
... when you do that there is very little difference between that and activitypub
... this is where i see the overlap
... why should i bother making up this new type if activitypub already has this?
... this is why rhiaro and I were talking about this earlier with the naming of "SocialPub" being the join of the two
... if you look at it as just updates and deletes. micropub is a special case of create

cwebber2: would that be for just notes or other things as well

aaronpk: it could cover things as well, images, videos, events, etc
... i also have the same for flights and legs of flights, that's super ugly as form encoded
... for that one i would rather use a json object. There are plenty of cases for json format but i want that simple version for posting, that's the micro in micropub

sandro: can i rephrase this? why not do it as micropub is the form encoded posting and "activity update" is the indirect way to modify the resource that has activity streams data on it? how does that not address your use case?

aaronpk: i'm not creating activities i'm creating posts, so it's a different vocabulary

sandro: activity streams gives us a patch for those

aaronpk: that's what i could use
... the other major difference between the specs, activity pub expects you send the entire object but i want to just modify single properties and i think activity pub would benefit from that

cwebber2: do you think that's something that should go in to AS2 as an object

aaronpk: i don't know

cwebber2: i don't know either

tantek: what if i gave you a week to discuss this asynchronously then maybe you can get consensus between you two and you can pitch it to the group

cwebber2: we do also have some method of an undelete

<tantek> tsyesika: we discussed some of this before lunch

tsyesika: presumably this would be in both our specs we would refer to this social pub document. creating is still different. in activity pub we currently require you to always create posts in an activity
... we could allow this to post a single object for client to server but not server to server

aaronpk: i do support that idea, i think creating is the most important action and that should be as simple as possible
... we would be looking for creating a CRUD syntax both specs could use

<Loqi> Tantekelik made 1 edit to Socialwg https://www.w3.org/wiki/index.php?diff=97778&oldid=97769

aaronpk: maybe you make that exception, but the idea is that there would be 1 way to create things that would be in common

cwebber2: this sounds appealing of reaching consensus on something that has previously been very different on

tsyesika: i think it's a good idea to make use of this time to see if we can resolve this as we have an open issue on activitypub now

cwebber2: evan was a strong objector to seeing a "pure system" of always having activity wrapped objects go away
... he didn't seem happy about it. i asked about the api only, and he didn't seem happy about it.

aaronpk: i can see that making sense in the stream as well

cwebber2: i think i'm ok with it, but i think it's important that tsyesika be convinced since she is the main implementor

<tantek> (example of creating offline on a plane, and publishing later)

tsyesika: i'm certainly in support of convergence. the create activity is useful in itself as it can contain information that is different from the object, say the offline creation is different from the publish date

<tantek> (note: dt-created property has been discussed in other contexts for this reason too)

<tantek> (separate from published or updated)

tsyesika: i'm interested in seeing if on the micropub side you would be willing to have it so that the server can always accept the wrapped activity as well as the unwrapped format

rhiaro: micropub doesn't say anything about what the server does with it when it gets the item, that's not part of the spec. all you have to do is have an endpoint that advertises itself as such

aaronpk: we have a difference in authors, you could set the author in the object or the created date, so it's assumed that the server will fill those in

tsyesika: it's the same in activity pub

cwebber2: it sounds like that's not so big a difference.
... this seems like a minimalist create mode

sandro: creation shortcut mode

tsyesika: with a few caveats, i'm on board with this

cwebber2: if our side supports that and your side supports the unwrapping activities

aaronpk: what's left in micropub is having the file uploading endpoint, form encoding ..

cwebber2: we might be able to unify on the image endpoint too
... that's an easy collaboration endpoint

tantek: i'd like to see that image endpoint written up

<cwebber2> https://github.com/w3c-social/activitypub/issues/23

<cwebber2> the out-of-band create mechanism

rhiaro: there are a couple places where the two specs are unsure of things so this is great

aaronpk: this would be great for me to keep micropub as simple as it should be

<Loqi> Tantekelik made 1 edit to Socialwg https://www.w3.org/wiki/index.php?diff=97779&oldid=97778

cwebber2: if it is much smaller and we have a way to translate vocabularies
... i can see it getting added to mediagoblin

rhiaro: i was able to do that method to determine what data is being sent

tsyesika: i'm curious about vocab convergence

aaronpk: i think that's a separate discussion that we could have
... i tried to leave it out of micropub as much as possible
... that way i can post to it without even knowing what it's posting
... i like the aspect of it

tantek: what do most implementations support?

aaronpk: most support only creating and most already have some other storage properties that they are matching to
... when i built mine i specifically have the endpoint write directly to storage, so that it is sorted out when rendering

cwebber2: i feel like we are at a point where these are practically going to be shared but we need some idea of what mapping between the vocabularies means

aaronpk: the problem that keeps coming up in the indiewebcamp channel is how do we propagate changes to old posts
... the readers are all based around new posts
... this is where i'm seeing activity streams being useful for this, and while i might not have a mapping on my main site, but i might use it as a stream of what's going on

cwebber2: rhiaro you were working on the mapping between the two at some point i think

rhiaro: elf did some work on this, there are some wiki pages, but the other important part is post type discovery
... so there are some properties that map directly but there are a few places where it takes some work

cwebber2: so will micropub reference this socialpub document
... is there going to be a separate socialpub document or will it be both specs take on some changes?

rhiaro: i think since i've implemented this separately as the create part, i'm in favour of breaking up activitypub into smaller docs

tsyesika: i have to admit one of the things i want for activity pub is to break it up into smaller steps that are implementable separately
... so if i want to use only part of it, i can, but if some larger system wants to do all of it, they can

cwebber2: so here's a proposal kind of based off of what amy has done previously, would this be a reasonable restructuring of the document would be just "how to write a simple document" and then 'servers handling the client to server api' and then 3rd was server to server api

rhiaro: i would see it as 'heres how to get data to the server' then 'heres what to do with it once it gets to the server'
... so if you wanted to do the second half you could do that separately. you could do client to server just sending files for examples

cwebber2: so maybe socialpub becomes client to server entirely and then activitypub becomes server to server
... is that a proposal that we are willing to work towards?

tsyesika: well there are more ways to break this up than just client to server and server to server
... like posting an activity vs updating

rhiaro: i think the client to server separates very easily

cwebber2: i think the simpler way is saying socialpub is client to server and activitypub becomes server to server

tantek: i feel like there is part of it you are agreeing on some and others you are not
... it seems like you are talking the same language now and that's a huge step
... i want to capture this as a set of action items

rhiaro: i could start with this as a section of social web protocols

tantek: i also saw a number of suggestions for next steps for activity pub that could be done
... i'll trust you as editors to continue to converge on these proactively
... but i'd like to see you not depend on each other.
... amy you have a bunch of stuff written up, do you feel you can add that to social web protocols

rhiaro: yes

aaronpk: i can help with that

tantek: for now you can add it and publish and iterate
... so we can action you and then the rest can happen asynchronously
... so that if anyone gets stuck on their document they are not stopping anyone else

aaronpk: it sounds like the best thing i can do is replace the whole update and replace section and assume it will be moved to the social web protocols eventually

tsyesika: i think the main thing for us is to update our spec to allow this simple editing

tantek: i think the other idea you had to update to do this separate sections of incremental implementations that would be great

action rhiaro to incorporate your work done in to the social web protocols document for the others in the group to review

<trackbot> Created ACTION-88 - Incorporate your work done in to the social web protocols document for the others in the group to review [on Amy Guy - due 2016-03-24].

<cwebber2> https://github.com/w3c-social/activitypub/issues/32 <- issue here

tantek: both of you (aaron and tsyesika) to keep track of that on your githubs

ben_thatmustbeme: i would like to see outbox read and write separated out

cwebber2: i think there is some more discussion on that

tantek: can you create an issue on social web protocols to capture that amy?
... we are now breaking for 15 minutes

<tantek> resume at 14:30 EDT

<Loqi> I added a countdown for 3/17 11:30am (#5819)

<Loqi> resume

<Loqi> Countdown set by tantek on 3/17/16 at 11:15am

<tantek> Thank you Loqi

<KevinMarks_> hi there

<KevinMarks_> I can see a tantek

<aaronpk> KevinMarks_: can you hear?

open issues for activitypub

<KevinMarks_> yes i can

eprodrom_: i think the idea was to put some time this afternoon in to resolving open issues

cwebber2: i would like to proceed by first addressing issue 71

<cwebber2> https://github.com/w3c-social/activitypub/issues/32

<cwebber2> sorry https://github.com/w3c-social/activitypub/issues/71

<sandro> scribe: sandro

tsyesika: we have certain terms like inbox, outbox, ... and rhiaro suggested generalizing this as a stream array
... also a way to achieve (something) about inbox and outbox

cwebber2: So the question is... Amy's suggestion is instead of followers, .... use types, ....
... What could be true is we could have a term in activitypub that here's a term for ...

<Loqi> Tantekelik made 1 edit to Socialwg/2016-03-16 https://www.w3.org/wiki/index.php?diff=97780&oldid=97776

<Loqi> Aaronpk made 1 edit to Socialwg/2016-03-16 https://www.w3.org/wiki/index.php?diff=97781&oldid=97780

cwebber2: Amy's proposition sounds interesting but I don't think object types is the right way to break it up
... c-s or s-s might have different streams, and maybe this is a way to do that

<shevski> i'll be back

cwebber2: so there could be a "likes" stream, maybe a subset of collection, or maybe its own URI,
... I'm not sure which, I'd like to open it for discussion
... I think people do have arbitrary streams

aaronpk: I have struggled with this problem. I think I understand why you have these distinctions
... on my homepage I have some kinds of posts, but not others, and down at the bottom I have links to the others
... I curate the collections based on how I want people to read it, NOT on types
... so I have health
... and travel
... and events I'm going to that are not in Portland
... so these are very much mixed types
... and I have my primary stream
... In an old version of my site I had them by type, but that didn't work well

eprodrom__: Certain groups, like Chris' Friends, or Chris' main feed, or Things Chris Likes, ... a core set of five predefined
... then have other unqualified streams

cwebber2: Because followers and likes have API specific purpose

eprodrom__: Right
... So just have a relationship Stream might do this

cwebber2: With the addition of arbitrary labeling of these new streams
... Sounds like we have consensus, which I'm recording on the issue

"So we will have special API specific collections, like likes and followers and inbox, but streams should be supported as a general bucket for interesting collections."

<cwebber2> https://github.com/w3c-social/activitypub/issues/48

cwebber2: This kind of moves into Who Do You Trust
... I think we've agreed, you trust same origin, otherwise you link back and verify
... the desire for supporting static sites
... So I would point my endpoints off-server
... in which case how do you know who has authority
... Are there other origin scoping tools?
... or do we just not want to permit that kind of static site thing

sandro: Doesn't a link serve as delegation?

cwebber2: If the profile is on a static site, maybe we can trust what it points to, yes....
... adding comment on issue

eprodrom__: ap.io gets an UpdateOn dustycloud, and it knows how to do it. I don't see why we need to proscribe server behavior

cwebber2: If you get a message from me that there's something new, and my endpoints are on another server, should you trust them

eprodrom__: If I remember how pump.io does it, it checks to see the authentication of the actor

cwebber2: In APub you can have an update that's an update of a blog on another site. And you'd trust the author.
... Can you fake that you're someone else?

<melvster> IMHO there's nothing specific about the same origin that implies you can trust it, that's just a typical pattern used together with centralized services

cwebber2: Assuming you want to support static sites, you'd need something like this

sandro: same origin isn't relevant here. It's following trust-bearing links

tantek: CSP - content-security-policy can help if you want to do this offline

harry: So for example you could trust ... (something)

cwebber2: I think I understand how to handle this

<cwebber2> https://github.com/w3c-social/activitypub/issues/23

tantek: I'm happy to answer CSP questions, since I just implemented it for my site

<hhalpin> CSP is here Sandro

<hhalpin> https://www.w3.org/TR/CSP/

cwebber2: The main challenge for us is how to do discovery

<hhalpin> Typically, you want to use it when you are authorizing Javascript from outside the same origin.

<hhalpin> Would be useful if the endpoint has a feed that has some JS, and should be recommended to use.

<tantek> hhalpin: documentation of my experience with CSP: https://indiewebcamp.com/CSP

<hhalpin> CSP support works well in browsers now

<hhalpin> So any SOP exceptions, particularly if they involve javascript, should use CSP

<KevinMarks_> if you separate the image upload from the post, and then use a URL, that implies you could use an external url for an image?

cwebber2: Is it useful to put on the user's profile page where I submit my photos

aaronpk: You see things like this on a multiuser system

tsyesika: Someone might want their media wherever they want it

cwebber2: It feels a bit silly to me

tsyesika: People might have multiple endpoints

eprodrom__: Discoverable endpoints for upload? Sounds great

<cwebber2> https://github.com/w3c-social/activitypub/issues/34

cwebber2: okay, sounds good
... This has come up a few times. It bothers me we still don't have this
... the main challenge that was blocking this is what happens when activities represent other activities that don't exist any more
... transient activities, like IM or strawberry-watering.
... one approach is to have activities with no id, and they get delivered through federation but are otherwise not interesting
... or give them a UUID

eprodrom__: We talked about the 'scope' property earlier today. Would that be a way to address this?

<tantek> Open issues for Webmention at 15:35

<Loqi> I added a countdown for 3/17 3:35pm (#5820)

eprodrom__: maybe I put a scope of 'game update'

<hhalpin> in general, you need an id of some kind for HTTP REST retrieval of ids from X to X1 in terms of polling, right?

<tantek> !cancel #5820

<Loqi> Ok, I cancelled it

<tantek> Open issues for Webmention at 15:35 EDT

<Loqi> I added a countdown for 3/17 12:35pm (#5821)

eprodrom__: One of the problems with client-defined-expiry is that clients lie and cheat and are bad. They say keep this forever, it's important.
... Clients might have advisory info, but the server needs to decide.
... IRC updates from the F2F, scope might be F2F

cwebber2: maybe that's a fed only concern

eprodrom__: Once again you're trying to dictate server behavior. Also this might not be that important. identica has a lot of updates, but it's not that big really

aaronpk: It sounds like you're kind of talking about a Notification, which is not an activity

cwebber2: Yes, but also a chat that you don't want to keep around

aaronpk: Off The Record messaging is a different thing, with its own set of considerations
... Call these notifications, and it makes sense.
... You probably don't want to casually throw OTR into the spec

cwebber2: Yeah, if we just put OTR in here, we'll probably get it wrong
... In this world, there's generally an expectation that people can retrieve things, so OTR will be hard
... How would we show notifications?
... Some server-to-server notification, like your quota is reached

eprodrom__: Is that about too much data? I dunno what this is for.

dmitriz: This is misusing scope. James said it would be renamed to 'audience'. An access-control-like thing.

cwebber2: OpenFarmGame has its own type. So servers could garbage-collect them easily enough.
... In an earlier version of the spec, it seemed like servers had to keep things around forever
... that was also part of our motivation for tombstones

eprodrom__: That might be good to document. For example, twitter API only lets you go back 800 tweets, which is like a day.

<hhalpin> Re OTR end-to-end encrypted messaging, there is a new protocol called Axolotl that is used by Signal/WhatsApp (interest from Mozilla/Wire): https://en.wikipedia.org/wiki/Axolotl_%28protocol%29

<hhalpin> That is a revision and fixes mpOTR issues

<hhalpin> However, I agree that OTR is out of scope.

dmitriz: Agreed clients lie, but the client setting an expiry on a stream is useful.

<hhalpin> However, happy to ask the nextleap folks (George and Karthik - https://nextleap.eu) to see if they can staple Axolotl on top of whatever comes out of ActivityPub, since folks are going to be working on that for the next 2.5 years

cwebber2: Could be via an extension

eprodrom__: Like 'earliest item in collection is X'
... Most social systems don't go back very far now, so we shouldn't ask that of folks.
... "This is everything in the inbox. Note some servers limit the number of pages you can go back."

cwebber2: okay, resolved

<hhalpin> +1 finding earliest item in collection

<hhalpin> Do we have some normative way of getting id numbers per feed in AS2.0 and ActivityPub?

<hhalpin> [looking in spec]

"we won't support id-less notifications. Clarify that it's up to servers if they want to keep around objects as long as they want. If they want to delete objects, like maybe delete a bunch of game notifications, that's a-ok.

Perhaps a future extension will permit clarifying how long users might expect they can continue to access data."

<tsyesika> https://github.com/w3c-social/activitypub/issues/77

tsyesika: Can we specify indieauth for authentication?
... Or is that out-of-scope?

<hhalpin> +1 OAuth 2.0, with a non-normative recommendation for use of rel="me" w/i IndieWeb

hhalpin: indieauth is oauth2 so ...
... I feel like you should normatively require oauth2 and suggest indieauth

<tantek> +1 to hhalpin

hhalpin: How do you do the REST call where you get X from Y

<hhalpin> Like without re-polling everything

<hhalpin> That is something Objective8 from D-CENT hit

<hhalpin> We can normatively refer to OAuth 2.0 - its an IETF rec

<hhalpin> In fact, OAuth 2.0 does more or less give interop

<hhalpin> OAuth 2.0 is Authorization

<tantek> agreed that interop is the goal

<tantek> reference something if it helps interop

sandro: oauth2 doesn't tell you what you need to make this work

<hhalpin> +1 OAuth 2.0 and Bearer Token spec

<tantek> +1 to that as well

<dmitriz> bearer tokens in a federated context is not that easy

<hhalpin> Authentication should be left out (WebAuth + password stuff)

aaronpk: Use oauth2 and bearer-tokens, but that still leaves stuff underspecified

<dmitriz> (this is something we've been struggling with in Solid, as well)

<wilkie> identity in a federated context is not that easy

<hhalpin> Identity, well, it's tough. There's some takeup of OpenID Connect (OAuth 2.0 profile)

aaronpk: Identity is what's really useful here

<hhalpin> But it's not as universal in takeup as OAuth 2.0

aaronpk: So "just use oauth" doesn't solve the problems

eprodrom: So Use Auth2 with Bearer-Tokens, that's clear enough, but...

cwebber2: "This is a stub to be expanded"

<hhalpin> JSON Web Signatures is just a way to sign the bearer token if bearer token is JWT

cwebber2: This was left in there as a to-be-worked-on

eprodrom: We keep saying don't do this :-)

<hhalpin> I'm happy to take an action to review/edit that piece. We could make it non-normative but no guidance is kinda crazy

cwebber2: Is the right thing to do to say that Auth and Ident are left as an open question

sandro: Leave it out of the spec, and put a best practice in a Note

dmitriz: In Solid, we've been looking at this, and IndieAuth is one of the things we considered.
... but because of all the redirects, it's nice in a browser, but not so clear in an API
... Facebook and others solve that by giving an API token, but that's non-trivial
... So lets get something working, but yeah, leave it not in the spec for now

eprodrom: My feeling is, if you need to, Auth2+BearerTokens, but I can see lots of other ways to do this, unauth, basic auth, client certs, etc
... Telling me I have to use a certain kind of auth messes things up for me.

tsyesika: So we should say "folks SHOULD use OAuth2 + BT" ?

eprodrom: Pump.io isn't going to bother with indieauth. We'll stick with username and password.
... we'll just generate our own tokens
... so it's okay as a SHOULD or a best-practice. Don't require more than you can.

cwebber2: Implementations will probably do what the others do.

tantek: tsyesika said goal should be interop
... we can't normatively refer to indieauth, in part because of charter, but we can do an informative non-normative reference
... one way would be to ask if there are any implementations that have an intent

<cwebber2> aaronpk, is specification of indieauth as informative / non-normative currently the state in your standards?

<aaronpk> in micropub?

<cwebber2> aaronpk: yes

tantek: if no one intends to implement both, then don't bother

<aaronpk> http://micropub.net/draft/#authentication-and-authorization

amy: my site uses indieauth, but it delegates the work to indieauth.com

aaronpk: The interesting part here is starting from your URL and ending up getting a bearer token

tantek: So you have an implementation to compare against ( rhiaro's )
... Just style it in a spec as NOTE

hhalpin: A total stub then that's not going to work because no-one is going to read it.
... So say O2 + BT and NOTE: try IndieAuth

<tantek> BT = bearer token

hhalpin: But obviously it's not going to be used by everyone

<Loqi> Open issues for Webmention

<Loqi> Countdown set by tantek on 3/17/16 at 12:05pm

hhalpin: "SHOULD Oauth2 + Bearer-Token"
... Happy to have relevant experts look over this text

eprodrom: Does IndieAuth work in non-browser applications?

dmitriz: Right, that's a problem

eprodrom: Also, not in server-to-server

<hhalpin> I would also keep authentication out of scope, server to server is OAuth

eprodrom: We should define server-to-server method

<hhalpin> in terms of authorization

<hhalpin> happy to review that text

aaronpk: So I just say use Bearer-Token

<aaronpk> http://micropub.net/draft/#authentication-and-authorization

aaronpk: MicroPub has text like this

tantek: How do private webmentions work?

cwebber2: Let's aim for the same text between micropub and activitypub

cwebber2 reads micropub spec parts aloud

sandro: that wouldn't allow client-certs that evan wants

eprodrom: Ah yes, I wouldn't want MUST

aaronpk: I definitely want multiple ways to get the token, so I leave that open.
... I like the requirement of Bearer-Tokens, because it's what everyone does anyway.
... Separate out authentication from authorization
... Separate how you get the bearer token from how you use it.

eprodrom: Make the Bearer-Token a SHOULD

aaronpk: yep

<melvster> you have to separate THREE parts not TWO : 1. identity 2. authentication 3. authorization

aaronpk: SHOULD use bearer-token, SHOULD use oauth2 to get it

sandro: let's go for MAY use oauth2 to get it
... since there are other perfectly legit ways

<melvster> this is why oauth is not a good fit for the social web, it doesn't do identity (or doesn't do it very well at least)

cwebber2, probably down to about 22 issues, and several more we can deal with among the editors

<rhiaro> scribe: rhiaro

Webmention open issues

<Loqi> Tantekelik made 1 edit to Socialwg/2016-03-16 https://www.w3.org/wiki/index.php?diff=97783&oldid=97781

http://github.com/aaronpk/Webmention/issues/9

aaronpk: Source and target form parameters are not URIs, how can we convert them to URIs because it's important for some people
... My thoughts are it has not caused any issues with any implementations that these are not URIs, so unless anyone has a single sentence they can describe a solution right now we can do it, but if not I propose we close

sandro: prefix with http://.....#
... When people want to represent their data for archival or to pass to other systems they want to make unambiguous the notion of source and target
... These notions are things that reasonably could have URIs
... if they were in IANA we could use that, but they're not, so currently everyone has to make up their own uris for these
... It's a trivial problem to solve, and it's a problem some people have

tantek: an alternative is a registry for form encoded parameters, like rel values, which are not uris

sandro: there's no conjecture that people should use the same form encoded parameter

aaronpk: what is the easy solution?

eprodrom: the solution is, if you want this to be a URI, prefix them with http://w3c.org/ns/webmention#

tantek: isn't this an implementation detail?

sandro: not if you want interoperability with some protocol that isn't webmention
... people might in theory want to see where webmentions are

aaronpk: there's no definition of get on a webmention endpoint

sandro: you should get back webmentions you're allowed to see

tantek: if you were to publish an activity stream of webmentions, what would that look like

aaronpk: implementations currently just drop webmentions on the floor after they're processed

<sandro> say that webmention source is equivalent to 'http://www.w3.org/ns/webmention#source'

aaronpk: there is an idea of status urls, which can be GET to see status, so the webmention itself has url

<KevinMarks_> an activity stream of webmentions would look like http://mention-tech.appspot.com/

aaronpk: Implementations treat these as temporary and drop them. There are so many that are spam that come in so they aren't kept
... but that's the resource
... but status is the description of the webmention source and target and maybe what happened to it

tantek: if your implementation wishes to treat these terms as uris then it may use the following: http://www.w3.org/ns/webmention#
... anyone who wants to use that can
... anyone who doesn't can skip it

aaronpk: what section does that go in?

tantek: appendix?

aaronpk: its own section?

tantek: anyone who wants a uri for this you can point them to that section, don't bury it

aaronpk: okay, I'll comment and close the issue when it's added

<sandro> "URIs for form-encoding properties"

<sandro> +1

http://github.com/aaronpk/Webmention/issues/20

aaronpk: I've summarised my position at the bottom
... This is a description of an attack where somebody can send a webmention to a system, and if the system can cause actions to happen on a GET request, I can cause that system to make another GET request somewhere which might have undesirable requests

eprodrom: so I could use it for probing security holes in wordpress servers?

aaronpk: except the attacker doesn't actually get a response

tantek: you could cause a side effect, not get information

aaronpk: all you can do is make the webmention receiver make a get request
... which is unfortunately possible but also something that is bad practice no matter what you're doing
... so it's not really something for the webmention spec: don't make your system vulnerable to get requests

sandro: Never install webmention if you're behind a firewall? You are endangering everything else behind the firewall

aaronpk: only if your system has access to both sides of the firewall

tantek: we should call this out in the security and privacy?

aaronpk: what am I calling out? don't put insecure systems on the internet?
... what am I supposed to say?

<KevinMarks_> refer to https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html 9.1.1

sandro: this is putting a system that is perfectly secure in a .. behind a firewall which may seem reasonable because it can't do anything except webmention, but people might not realise that putting a blog that implements webmention behind a firewall in a way that it has access to the internet

aaronpk: it has to have server access to the internet in order to receive a webmention in the first place
... you'd have to put an http server inside your firewall that also listens publicly

<KevinMarks_> "In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe""

sandro: behind the firewall you have a simple blog and the blog does a post that happens to mention something else behind the firewall and does the webmention processing, dereferences the url that the user put in the post, and that thing out there says go to this url as my webmention endpoint, does that, that was behind the firewall..

aaronpk: oh okay

hhalpin: why is this not a problem for any system that lets you put arbitrary urls as input? not just webmention

aaronpk: sandro described the actual attack vector
... blog inside firewall does not listen on internet, has no public endpoint

<KevinMarks_> how is this different from a hyperlink in the browser that you click inside the firewall?

aaronpk: a person behind firewall writes a post with a link to the attacker
... blog makes request to attacker
... attacker can then cause the internal system to make a request to another internal system, if the webmention endpoint of the attacker is inside the firewall
... when I was addressing this it sounded like I was describing really basic security practices and didn't want to sound condescending

cwebber2: would it be possible to post to localhost? cos that sounds like the biggest risk

aaronpk: it could make the software that is verifying the webmention post to itself

cwebber2: can't post to anything else on a different port on localhost?

aaronpk: the attacker's url can advertise a webmention endpoint, which can be anything including localhost, a port, 0.0.0.1...

cwebber2: there are definitely security things with servers that allow you to access..

aaronpk: it's only ever going to post source and target
... I would be willing to add an exception that says if it encounters localhost or 127.* then drop it
... I'd be happy to put that in security considerations
... Maybe not obvious, definitely specific to webmention

eprodrom: and don't repeat failures?

<hhalpin> This seems to be a generic problem for any spec that has an 1) input and then 2) takes URLs from that input and GETs them.

eprodrom: could be DOS
... do exponential backoff if you need to

aaronpk: definitely will put in about not sending to localhost

<hhalpin> I mean, not sending webmention to localhost makes sense

sandro: I'm thinking of basically saying don't allow a webmention system to cross the firewall

eprodrom: firewall is a loose term

tantek: someone can publish an html document that has img src="localhost.../dosomething" you load that and it accesses your localhost
... or you can check the html spec and see what it says about image loading and how they treat that problem
... because cross domain images obviously work
... so that's one analogous example
... Also, rel=stylesheet
... well defined, interoperable, well hardened
... Those are two places you could look to see how they solve this and copy that

<sandro> +1 tantek this is like the browser fetching an image or stylesheet

tantek: if it's good enough for a browser it's good enough for webmention

<ben_thatmustbeme> +1

aaronpk: okay

<Zakim> annbass, you wanted to ask same question that KevinMarks asked

<hhalpin> +1 (but worth further thinking about)

annbass: KM asked the same question - how is this different than a regular hyperlink going out through the firewall

aaronpk: a hyperlink a person has to click on

<hhalpin> The trick is that the link is automatically run

<hhalpin> by the webmention spec

aaronpk: this is a side effect of writing a blog post that links to an attacker's url, but the person doesn't have to click the link

<tantek> hhalpin, just like an image is automatically loaded

annbass: i see

<hhalpin> although lots of other possible apps outside webmention could do this

<tantek> image, iframes, scripts, stylesheets

<tantek> etc.

aaronpk: but similar to receiving a phishing email and having a person click the link
... The result then is I'm going to find that language and it should clear it up

<wilkie> even sandboxed iframes can do cross-domain GETs for stylesheets and scripts

http://github.com/aaronpk/Webmention/issues/21

scribe: bengo had suggestion of discovery steps addition of having a 4th step checking a .well-known to find the webmention endpoint
... which lets you delegate an entire domain to a webmention endpoint without having to add it as a link header
... Question is, is this worth it or is a http link header enough to support whole domain delegation

<Loqi> Tantekelik made 1 edit to Socialwg/2016-03-16 https://www.w3.org/wiki/index.php?diff=97784&oldid=97783

scribe: One path forward is say: the http link header can be configured at the server level so that's enough to support server-wide delegation
... You're a large organisation with many different subsystems, which is pretty common, wanting to have a single webmention endpoint across the whole thing
... the http link header can be configured at the server, not the software, so maybe that's enough
... Other option is to add this well-known and add it at-risk since there are no implementations right now
... See if anyone implements, and if not drop it

tantek: last time this came up we resolved to stick with follow your nose
... which this is not

aaronpk: I think bengo's argument that this was new information is a use case that many different kinds of software installed that we hadn't considered when making that resolution
... My proposal to close this with no action is justified by an http link header can be configured server wise

<rhiaro> Didn't he also say something about not being able to configure the http header?

aaronpk: I think it's the same amount of work organisationally to add the .well-known path as it would to configure the link header

eprodrom: the link rel is registered and defined right? So since there is host-meta, the link is already there in http
... if someone wants to go sniffing around and wants to try some bottom of the barrel ways to try it, there are ways for them to do it already with the link-rel
... The worst would be to say if you still can't find it try other ways of turning a link-rel into an endpoint

aaronpk: I'd rather not recommend another way for senders to find endpoints, there are already 3 and they have to do ALL of them
... And if you add a 4th they'll have to do that also and it's a very different mechanism
... Now you're dealing with parsing link headers (already non trivial), parsing html, then you'd have to also parse xml, also parse json

hhalpin: what are the current ones?

aaronpk: http link header, html link tag and html a tag

hhalpin: not being able to modify the link header is common if you don't have full control
... but then the a tag should work

aaronpk: if you do have full control you're in the same position to add .well-known as to create link header

hhalpin: but if you can create directories and put files in you can't add a link header
... but then the a tag should be fine
... In the normal web development world, lots of people don't even know link headers exist
... but almost everyone knows how to parse html
... As long as there's a way of putting it in without link headers

aaronpk: totally

sandro: my question is do you ever want to be able to do webmention on a jpeg without a link header
... I think that's not worth worrying about, but I can see that someone might think it is

<hhalpin> I'm going to note that this came up with Objective8 and D-CENT

<hhalpin> I.e. problems with Link headers (i.e. their developers didn't know HTTP Link headers existed)

aaronpk: sounds like we're okay with slight limitations with current discovery
... Which support vast majority of use cases

<hhalpin> However, it was easy to get folks to add to the HTML

sandro: anything about how you have to parse html?

aaronpk: I think it just says to look for the rel

sandro: html5?

aaronpk: normatively references http link header 5988 and also says ... no doesn't reference html in discovery

sandro: so test suite should have corner cases about how it appears in html
... and how they differ in closing angle bracket missing etc

aaronpk: I have a ton of that test data already

http://github.com/aaronpk/Webmention/issues/29

scribe: waiting on IANA to accept
... paragraph added to spec

http://github.com/aaronpk/Webmention/issues/32

scribe: Just need to add, tried to do last night, didn't get to it, but tantek threw some ideas my way so I should be able to do that now
... And done.

tantek: so you have all issues with a resolution, outstanding editing to do

aaronpk: these three require editing that we agreed to already that I need to do
... And then conformance requirements section I don't have anything we can review right now but we're not going to cr so

tantek: add by when?

aaronpk: if we can agree to publish a new draft I can add it in that process

tantek: if you commit to adding one we can say publish it with the edits we've agreed to

aaronpk: yep

tantek: do you have a path forward on all issues?

aaronpk: yes

Resolutions to publish

tantek: we already resolved to publish new AS2 drafts with edits in the pipeline
... So any of the others things that editors want to publish new drafts of?

aaronpk: yes webmention
... I do have a change on micropub to register with iana, queued up, however not a lot of other changes, so I still would like to publish but it's not a huge change

eprodrom: activitypub?
... Does it make sense to make a resolution right now to publish with discussed edits?

tantek: do you want to give the group a chance to review your changes before doing another resolution to publish, or are there enough changes the group already agreed to that you can publish once you make them
... Or do you want more time for those changes plus any others?

cwebber2: Okay we'll make those changes first that the group agreed to
... Then do more after that

tsyesika: we fix the bugs the group agreed to and publish

cwebber2: right, yes

tantek: one proposal?

PROPOSAL: Resolve to publish webmention, micropub and activitypub pending changes agreed by the wg this face-to-face

<ben_thatmustbeme> +1

<eprodrom> +1

+1

<aaronpk> +1

<tantek> +1

<cwebber2> ~1

<cwebber2> wait

<cwebber2> +1

<hhalpin> +1

<tsyesika> +1

<wilkie> +1

<sandro> +1

RESOLUTION: Resolve to publish webmention, micropub and activitypub pending changes agreed by the wg this face-to-face

<KevinMarks_> +1

any other business

eprodrom: we have spare time, so anything else for next 25 minutes?

sandro: hopefully quick..
... I thought more about github spec labels yesterday and cut down to 10
... from 16

<sandro> https://github.com/sandhawke/spec-labels-min

<sandro> https://github.com/sandhawke/spec-labels-min/labels?sort=name-asc

sandro: It has its own issues

<hhalpin> Quick notes, we have assembled a group of security/privacy experts to look at decentralization https://nextleap.eu

<hhalpin> And the W3C WebAuth group is likely to have one-factor cryptographic authentication in browsers end of this-year, early-next year

<hhalpin> https://www.w3.org/Webauthn/

<KevinMarks_> does the editor apply these or the commenter?

<hhalpin> No changes needed by specs, but just resources and new W3C work

sandro: Editor, or someone with write access to repo

eprodrom: is there an action we can take now?
... Review them and decide if we're going to apply them to our spec repos?

tantek: first 6 seems self explanatory
... What's process community?

sandro: Where someone says "I don't understand how this group works"
... Not for the editors, but they come up
... "Let me speak to your manager"

tantek: I think we might need something stronger
... Like 'needs chair input' or something

cwebber2: what if it's just like "I'm not sure if this has something to do with it" and the editor doesn't know either

tantek: this is for the editor to say "this is not about my spec, this is a group issue, sending to chairs"

sandro: I like this being able to be used by groups that aren't w3c, that's why I said 'process community' not chair, to generalise

annbass: but... your example where you said there were issues that were people saying they were being ignored, I was taking that to mean there's been some discomfort of different technical positions proposed and feeling like they're blown off
... That's in a different category than waiting for management approval

tantek: that's "commentors are unsatisfied by response", that's there
... The director will look at each one of these and see if the commentor has merit

hhalpin: Do we need to note this unless there's a formal objection?

sandro: the director does like to know who is satisfied and who is unsatisfied

hhalpin: I've always just listed formal objections

sandro: talked to Philippe about this

eprodrom: are we comfortable with these labels?

tantek: "waiting for commentor" could mean two different things

sandro: there's not a lot you can do until you hear back

tantek: could be different for open vs closed

sandro: if it's closed you might be waiting to see if they're satisfied or not

tantek: 'waiting for group input' -> 'needs group input'

<hhalpin> I think we should note that people were unhappy, but if someone (unsatisfied commenter) proposes a technical solution and it doesn't meet the group's requirements (i.e. it's not implemented, has no interest from more than one implementer, or has known technical flaws) then the group can argue simply that the unsatisfied commenter did not satisfy the group's requirement.

tantek: Do we really need the last one?

sandro: james used that tag sometimes
... on as2
... standard github one
... ('help')

tantek: is that pr requested?

aaronpk: 'happy to have this in there but I'm not gonna do it'

sandro: so, needs volunteer?

tantek: stronger than that

wilkie: point of entry for new people too

tantek: I like that
... If we can phrase it in a way that makes it welcoming for new folks

sandro: 'needs volunteer'

everyone: k

tantek: can we collapse the first two? commentor needs no response and satisfied by response

sandro: just 'commentor satisfied'

*bikeshedding about colours of labels*

<KevinMarks_> as opposed to Commenter Generally Unsatisfied With Life?

tantek: do the editors understand these

aaronpk: what's the rule on timeout?

annbass: will there be a definition documented?

aaronpk: are there some I can't use without group consensus?

sandro: talk to the group before doing a commentor timeout
... And expect that director will look at commentor satisfied and commentor not satisfied

aaronpk: and waiting for commentor?

sandro: before timeout, or waiting for more information before you can address the issue

<tsyesika> https://github.com/w3c-social/activitypub/labels :)

eprodrom: resolved that, 3 minutes left
... AOB?

ben_thatmustbeme: if anyone wants to help co-write jf2 who knows more about writing specs?

<KevinMarks_> I am happy to help

ben_thatmustbeme: Kevin had offered to help with it I think

<KevinMarks_> yes

<KevinMarks_> jolly good

PROPOSED: make KevinMarks a coeditor of jf2

RESOLVED (by chairs): make KevinMarks a coeditor of jf2

eprodrom: no telecon next tuesday
... Next telecon 29th March
... Next f2f in Portland
... Any plans to do something social this evening?