My position on ATProto, as a protocol, is that the Good Part is the PDS¹.

fluffy@plush.city

@trwnh @mcc This is one of the big goals of the IndieWeb initiative, and something I've been trying really hard to support for years now.

IndieAuth is a pretty good identity/auth spec. TicketAuth is at least in principle a good way of providing automation for feed readers (although nobody supports it as a consumer, and only a handful support it as a publisher). The lack of adoption outside of IndieWeb is frustrating to see.

fluffy@plush.city

@trwnh @mcc but like the short version of both IndieAuth and TicketAuth is granting authority to whoever has control over a particular URL, and lightweight mechanisms for proving that they have that control. Both are, in my experience, super easy to implement.

trwnh@mastodon.social

@fluffy @mcc i know i talked about how you could handle identity at the level of the http request (advertise an auth-scheme in your www-authenticate header, provide a valid authorization header using that auth-scheme)

but you could also just establish a local session on a site by proving you control some other id, which gets linked to the local id. it's exactly the indieauth idea, "me on github == me on site.example == me on your site" (if you use local accounts, it's basically a credential)

fluffy@plush.city

@trwnh @mcc Yeah that's more or less what IndieWeb calls RelMeAuth, although actually implementing that can lead to a lot more complexity because you have to then be able to verify the stated relationship, which usually means having to manage a bunch of OAuth client credentials.

Mastodon uses the weaker form of RelMeAuth (i.e. seeing that there's reciprocal rel="me" links between URLs) for the profile verification but that doesn't help with request-level security.

fluffy@plush.city

@trwnh @mcc Come to think of it, I wonder if something like LetsEncrypt's ACME protocol could be used for this use case.

mcc@mastodon.social

@fluffy @trwnh I mean also DNS is a brittle and extremely censorable system. A cryptographic key like plc uses would be better, if you had a way of looking it up other than kinda reproducing DNS circa 1995

trwnh@mastodon.social

@mcc @fluffy "keyservers except there is only one of them" sure is a model huh