Post AoPIkIKHlh4MwPwAzI by fentiger@zotum.net
(DIR) Post #AoL0NsCSMJ1ISP6Cau by silverpill@mitra.social
2024-11-23T15:00:37.514505Z
0 likes, 0 repeats
"FEP-171b: Conversation Containers" finally has been published:
https://codeberg.org/fediverse/fep/src/branch/main/fep/171b/fep-171b.md
Conversation Containers are conceptually very similar to FEP-1b12: activities are sent to a conversation owner, who manages the conversation and synchronizes it between participants. Differences are mostly superficial and may disappear in the future.
#FEP #ConversationContainers #ActivityPub
(DIR) Post #AoLZ312hmdFuCGKODQ by benpate@mastodon.social
2024-11-23T21:12:33Z
0 likes, 0 repeats
@silverpill I’m super interested in all of these efforts to improve conversations and replies.
This looks like it’s pulled from Streams, yes? Which means it’s not related to the Forums and Threaded Discussions Working Group, is that right?
There are some cool ideas in here. Hopefully we can consolidate all of them to arrive at a single standard to implement.
(DIR) Post #AoLZ32QqcMA4VQdBU8 by silverpill@mitra.social
2024-11-23T21:28:46.649176Z
0 likes, 0 repeats
@benpate Yes, this is a description of what Streams does with some minor additions of my own. It is not officially produced by the Working Group but they are aware of this FEP and we are trying to figure out how to arrive at a single standard.
Conversation Containers help bridge the gap between the "threadiverse" (which mostly uses FEP-1b12) and the micro-blogging space, where this mechanism can be used to implement reply controls and followers-only posts.
(DIR) Post #AoN1W8FV3qMqorwcXg by mario@hub.somaton.com
2024-11-24T08:30:07Z
0 likes, 0 repeats
@silverpill in regard to authentication: isn't it sufficient to trust the sender at last? In this case the context owner?
Let's assume this situation: an actor is remotely authenticated at a server via OpenWebAuth and comments on a post there. No proof can be added and the object is not yet available at the actor's origin server. In this case the message will be rejected although its authenticity is verified.
(DIR) Post #AoN1W9dHuszR6w58G8 by silverpill@mitra.social
2024-11-24T14:22:27.886001Z
0 likes, 0 repeats
@mario If conversation participants do not perform authentication procedure described in the FEP, the owner will be able to impersonate other participants (or anyone, if conversation is public) by sending an Add(Create(Note)) activity where Create(Note) is forged.
The argument can be made that if you participate in a conversation, you necessarily trust the owner (Lemmy et al operate with this assumption), but I'm not convinced that it is true.
>In this case the message will be rejected although its authenticity is verified.
How other servers can verify messages made by remotely authenticated actor? I'm not familiar with OpenWebAuth
(DIR) Post #AoNElxk5BvDCGr80lE by mario@hub.somaton.com
2024-11-24T15:51:38Z
0 likes, 0 repeats
@silverpill
>How other servers can verify messages made by remotely authenticated actor? I'm not familiar with OpenWebAuth
Basically the visitor is authenticated by exchanging an encrypted token: https://codeberg.org/fediverse/fep/src/branch/main/fep/61cf/fep-61cf.md
(DIR) Post #AoNElz669YPsTQR6iO by silverpill@mitra.social
2024-11-24T16:50:32.703739Z
1 likes, 0 repeats
@mario 61cf explains how to log in to "target" instance using "home" credentials, but I can't follow the algorithm past this step:
>2. The /magic endpoint at the user's home instance first checks that the user is logged in.
How does it check that the user is logged in? Does it present a login form?
And then, after login, which instance generates activities?
What URI is being put into actor field of activity, and what URI is being put into keyId parameter of HTTP signature?
cc @fentiger
(DIR) Post #AoPIkIKHlh4MwPwAzI by fentiger@zotum.net
2024-11-25T09:55:55Z
0 likes, 0 repeats
@silverpill
>How does it check that the user is logged in? Does it present a login form?
It checks whether the user has a session cookie. Hubzilla doesn't show a login form here; it could, but that wouldn't work so well for e.g. image fetches.
>And then, after login, which instance generates activities?
FEP-61cf only covers authenticating the user. It doesn't tackle the question of what happens when the now-authenticated user writes a post. How should that post federate outwards, in such a way that other instances can trust it? I don't know how Hubzilla approaches this; maybe @Mario Vavti can comment.
(DIR) Post #AoPJGf6sats0s26JEW by mario@hub.somaton.com
2024-11-24T17:42:30Z
0 likes, 0 repeats
@silverpill
>How does it check that the user is logged in? Does it present a login form?
The user has to be logged in at his home instance before starting an OWA attempt to another instance.
>What URI is being put into actor field of activity, and what URI is being put into keyId parameter of HTTP signature?
Actor is the remotely via OWA logged in actor, the HTTP request is signed by the thread owner.
(DIR) Post #AoPJGgFQMcIcOp6eBs by silverpill@mitra.social
2024-11-25T16:50:50.611265Z
0 likes, 0 repeats
@mario
>Actor is the remotely via OWA logged in actor, the HTTP request is signed by the thread owner.
This violates same origin policy, but I will mention in the FEP that implementations may accept such activities if conversation owner is trusted.
(DIR) Post #AoPMTodOnFFo2NH7c8 by julian@community.nodebb.org
2024-11-24T23:21:29.010Z
0 likes, 0 repeats
@silverpill@mitra.social said in "FEP-171b: Conversation Containers" finally has been published:
>The argument can be made that if you participate in a conversation, you necessarily trust the owner (Lemmy et al operate with this assumption), but I'm not convinced that it is true.
@mario@hub.somaton.com I wouldn't go as far as trusting the context owner either. I definitely subscribe to the principle of least privilege. I wouldn't trust any full object received unless actor === sender or a proof is supplied.
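[Added example, not part of any post in this thread and not code from the FEP or from any implementation.] The acceptance rules discussed above for an activity embedded in a conversation owner's Add, as one function: accept on same origin, on a verified proof, or, only if configured, on a trusted owner. Assumptions: the HTTP signature on the delivery has already been verified, identity is compared by URI origin, verifyProof is a hypothetical callback standing in for FEP-8b32 verification, and all actor URIs are constructed samples.

```javascript
// Origin (scheme + host + port) of a URI, or null if it does not parse.
function originOf(uri) {
  try { return new URL(uri).origin; } catch { return null; }
}

// The actor field may be a bare URI or an embedded object with an id.
function actorId(activity) {
  const a = activity && activity.actor;
  return typeof a === "string" ? a : (a && a.id) || null;
}

// add:         Add activity delivered by the conversation owner
// signerKeyId: keyId of the (already verified) HTTP signature on the delivery
// opts.verifyProof(activity): hypothetical proof verifier, returns boolean
// opts.trustedOwners: owner actor IDs accepted without proof (opt-in)
function checkEmbedded(add, signerKeyId, opts = {}) {
  const { verifyProof = () => false, trustedOwners = new Set() } = opts;
  const owner = actorId(add);
  const signerOrigin = originOf(signerKeyId);
  if (!owner || !signerOrigin || originOf(owner) !== signerOrigin) {
    return { accept: false, reason: "add-not-signed-by-its-actor" };
  }
  const inner = add.object;
  if (!inner || typeof inner !== "object") {
    return { accept: false, reason: "no-embedded-activity" };
  }
  const author = actorId(inner);
  if (!author || !originOf(author)) {
    return { accept: false, reason: "embedded-activity-has-no-actor" };
  }
  if (originOf(author) === signerOrigin) return { accept: true, reason: "same-origin" };
  if (inner.proof && verifyProof(inner)) return { accept: true, reason: "integrity-proof" };
  if (trustedOwners.has(owner)) return { accept: true, reason: "trusted-owner" };
  return { accept: false, reason: "unauthenticated-embedded-activity" };
}

// Constructed sample: owner forwards a Create attributed to an actor on another server.
const OWNER = "https://forum.example/actors/owner";
const OWNER_KEY = OWNER + "#main-key";
const SAMPLE_ADD = {
  type: "Add",
  actor: OWNER,
  object: {
    type: "Create",
    actor: "https://example.social/users/alice",
    object: { type: "Note", content: "hello" },
  },
};
```

With default options the sample is rejected, which is the case where a forged Create(Note) would otherwise be taken at face value; the trusted-owner branch only applies when the receiving server has opted in for that owner.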
(DIR) Post #AoPNy85H913j07Kh7I by scott@loves.tech
2024-11-25T17:05:39Z
0 likes, 0 repeats
When a user is authenticated via OpenWebAuth, the remote server won't have the user's keys, yet Hubzilla still knows that it is the same person. That's because a hash is stored in the database identifying the user.
Could some sort of token be used to verify a user's identity, instead of the keys themselves?
For example, "I am example.com and user@example.social just posted on my server. Here is their post. Here is a token that can be verified with example.social authenticating the user. Go ask example.social to verify its authenticity."
Something like that, perhaps?
(DIR) Post #AoPNy95fP2xy7cWWMi by silverpill@mitra.social
2024-11-25T17:43:41.330907Z
0 likes, 0 repeats
@scott I think the remote server can ask user's home server to generate a FEP-8b32 integrity proof for every activity it publishes. That will add some overhead, but not too much (1 HTTP request per outbound activity).
(DIR) Post #AoPP6rScQ4Do0KyknA by julian@community.nodebb.org
2024-11-25T17:17:03.046Z
0 likes, 0 repeats
@silverpill@mitra.social Some thoughts:
>In this model conversations are managed by the actor that created the initial post of a conversation thread. Such conversations take place within a specific audience and may be moderated.
Would you consider relaxing this to allow for situations (e.g. forums) where the conversation thread starter is not necessarily the manager of the container?
In forums, topic participants (including OP) are equals, and the container would be managed by a separate actor (in my case, currently a 1b12 actor referred to in objects with audience).
>Collection SHOULD have collectionOf property with value Activity.
I haven't seen collectionOf in the wild before, what purpose does it serve here?
(DIR) Post #AoPP6suf1IFMVb6f8i by silverpill@mitra.social
2024-11-25T17:55:53.864231Z
0 likes, 0 repeats
@julian @mario @jupiter_rowland @benpate @fentiger @scott
>Would you consider relaxing this to allow for situations (e.g. forums) where the conversation thread starter is not necessarily the manager of the container?
As far as I know, in Streams OP and owner are identical, but you are right - they might as well be different. I'll mention this in the FEP.
>I haven't seen collectionOf in the wild before, what purpose does it serve here?
Again, this is what Streams does, I'm guessing this is because some context collections contain posts and not activities, and collectionOf tells you how to parse the collection without resorting to duck typing.
I would prefer to use an outbox property for containers.