Conversation
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 09-May-2017 07:49:50 UTC: @bob @deadsuperhero @maiyannah Were they doing this with TLS connections, using a rogue CA? The Wired article I found doesn't say very much.
If you can impersonate another https site, pretty much all bets are off. If you use signed notices, where would you get the public key? From a MITMable https site?
Maiyannah Bishop (maiyannah@plateia.org)'s status on Monday, 08-May-2017 08:12:18 UTC: @deadsuperhero Looks like I could just take Friendica's code as long as I observe the license and adapt that into a plugin for postActiv, so it wouldn't be too hard at all - how well does Friendica federate with Diaspora though? Are there known issues?
Ocean Man 🌊 (deadsuperhero@social.nasqueron.org)'s status on Monday, 08-May-2017 08:33:07 UTC: @maiyannah @lain Managing one community is hard enough. Telling five of them to all work in a specific way with one another is an uphill battle.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 09-May-2017 05:40:57 UTC: @maiyannah @deadsuperhero @lain You are conflating the conversation_id in the database with the one in the atom feed, I think.
Which is fair, because from what I hear the software conflates them too, which is what @lain was talking about.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 09-May-2017 05:43:17 UTC: @maiyannah @deadsuperhero @lain It does. One server is always the first to set the ostatus:conversation, and that's the one where the first message in the conversation was published. Everyone else should just use that, and any internal numbering should be irrelevant to the API.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 09-May-2017 05:54:10 UTC: @deadsuperhero @maiyannah @lain Mike is being unfair to Salmon there. Salmon is unnecessary in a scenario where everybody (or at least someone on everybody's server) subscribes to everybody. But in real life, it's a coincidence (although a likely one) if a user receives your comment or subscription notice without a salmon.
When he says that salmons are discarded depending on message contents, that sounds like a bug, or maybe a Mastodon feature.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 09-May-2017 05:56:44 UTC: @deadsuperhero @maiyannah @lain Yes, in OStatus people don't follow conversations, they only follow people. That's why we have the ghost conversations occurring. Conversation catch-up, like what Friendica does when it does OStatus, patches that hole. But it can only catch up backwards, you're still missing branches of the conversation where you aren't following anyone.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 09-May-2017 05:58:46 UTC: @deadsuperhero @maiyannah @lain I thought ActivityPub was supposed to fix conversation distribution, but I don't see it mentioned in https://w3c.github.io/activitypub/ . :-(
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 09-May-2017 06:39:14 UTC: @maiyannah @deadsuperhero Not 100% open. You can demand that receivers validate the message with the original server, which is what ActivityPub does, while adding that there should be a better way (signatures).
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 09-May-2017 06:40:26 UTC: @maiyannah @deadsuperhero You mean an ID that is a content hash? Yes, that would solve many things at once.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 09-May-2017 06:42:11 UTC: @bob @deadsuperhero @maiyannah Something that would make AP better already is if you used a hash of the message as an ETag and could simply validate the message by asking the original server for the whole message unless the ETag already matches. Instead of asking for it unconditionally.
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 09-May-2017 07:41:27 UTC: @bob @deadsuperhero @maiyannah It's better, but I was just thinking of the minimal patch to the protocol that would still be backwards-compatible and also trivially implementable with any existing implementations (we know of one!).
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 09-May-2017 08:08:29 UTC: @bob @deadsuperhero @maiyannah You do have a point that hash checking makes an insertion opportunity each time, and wouldn't leave any traces, whereas MITMing the public key would require a more sustained effort, and the key changing might raise alarms, or in the TOFU case, changing it after the fact might be impossible.
Christmas Personified as a Catgirl (moonman@shitposter.club)'s status on Tuesday, 09-May-2017 08:14:18 UTC: @clacke @bob @deadsuperhero @maiyannah I want the servers to gossip keys and act as observatories ala https everywhere so this can be detected, ala https everywhere. This is not a complete solution but like email I think we're going to end up layering defense mechanisms
Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 09-May-2017 11:06:30 UTC: *might not be possible
Hallå Kitteh (clacke@social.heldscal.la)'s status on Wednesday, 10-May-2017 05:00:59 UTC: @moonman @bob @deadsuperhero @maiyannah Me like. Might be a way to return to self-signed certs and cut out letsencrypt. Apart from the browser aspect.
Christmas Personified as a Catgirl (moonman@shitposter.club)'s status on Wednesday, 10-May-2017 05:03:10 UTC: @clacke @bob @deadsuperhero @maiyannah server to server doesn't need CAs at all, in fact I'd rather see this be a case for actually using monkeysphere, but that may be asking too much of the universe.