My position on ATProto, as a protocol, is that the Good Part is the PDS¹.

@trwnh @mcc Come to think of it, I wonder if something like LetsEncrypt's ACME protocol could be used for this use case.

@trwnh @mcc Yeah that's more or less what IndieWeb calls RelMeAuth, although actually implementing that can lead to a lot more complexity because you have to then be able to verify the stated relationship, which usually means having to manage a bunch of OAuth client credentials.

Mastodon uses the weaker form of RelMeAuth (i.e. seeing that there's reciprocal rel="me" links between URLs) for the profile verification but that doesn't help with request-level security.

@trwnh @mcc but like the short version of both IndieAuth and TicketAuth is granting authority to whoever has control over a particular URL, and lightweight mechanisms for proving that they have that control. Both are, in my experience, super easy to implement.

@trwnh @mcc This is one of the big goals of the IndieWeb initiative, and something I've been trying really hard to support for years now.

IndieAuth is a pretty good identity/auth spec. TicketAuth is at least in principle a good way of providing automation for feed readers (although nobody supports it as a consumer, and only a handful support it as a publisher). The lack of adoption outside of IndieWeb is frustrating to see.