converspace / webmention

A modern alternative to Pingback.
webmention.org

Consider adding webkey support #36

Open sandeepshetty opened 9 years ago

sandeepshetty commented 9 years ago

See kentonv/ssjekyll#3

hmans commented 9 years ago

I know I'm new to the party, so questions like the following may be due to ignorance, but shouldn't any kind of access control (authentication/authorization) happen when the actual content (i.e. the webmention's source) is accessed?

I understand webmentions as a simple notification by a potentially untrusted party -- "Hey, URL source mentions URL target, do with this what you will" -- with the more interesting bits (pulling and parsing source, deciding on what to do with the contained information) happening after the webmention.

As far as I see it -- and once again, I have a naive perspective -- being simple to the extreme is Webmention's greatest asset, and any additions (domain specific, to boot) work against it.

sandeepshetty commented 9 years ago

I created this issue to document the feature request (since it happened in another project) and kept it open as a reminder to read more about Sandstorm, its least-privilege security architecture (capabilities) and webkey. The issue title is just me being lazy. It did result in #37 though.

Webmentions are actually even simpler (rather more specific) than "a simple notification by a potentially untrusted party". They are not meant for every type of notification. A webmention is a simple notification only about a backlink (incoming/inbound link). That's it. There isn't even a "potentially untrusted party" because webmentions are not about "who" is making the request (trusted/untrusted) but "where" the backlink exists.

Given the above, IMO, backlinks behind some sort of access control (in most cases these are private messages given a URL and not really backlinks) should not qualify for webmentions because receivers might leak private information if they do not implement the access control extension(s) (whatever that might be) let alone implement them correctly. Using webmention as a generic notification mechanism leads to all sorts of complications.
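The receiver-side behaviour discussed in the comments above (pull the source, parse it, and treat it as a backlink only if it is publicly readable) can be sketched as follows. This is an added example, not code from the webmention project or from any commenter; `check_webmention`, `fake_fetch` and the `alice.example`/`bob.example` pages are hypothetical, and `fetch` is assumed to perform a GET with no cookies, tokens or other credentials.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

class _LinkCollector(HTMLParser):
    """Collects absolute href/src URLs found in the source document."""
    def __init__(self, base):
        super().__init__()
        self.base, self.links = base, set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.add(urldefrag(urljoin(self.base, value)).url)

def check_webmention(source, target, fetch):
    """Return (accepted, reason). `fetch(url)` is an assumed helper that does
    an anonymous GET and returns (status, body)."""
    parts = urlsplit(source)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "source is not an http(s) URL"
    if parts.username or parts.password:
        return False, "source URL carries credentials"
    if urldefrag(source).url == urldefrag(target).url:
        return False, "source and target are the same URL"
    status, body = fetch(source)
    if status != 200:
        # Not readable without credentials: do not store or display it.
        return False, f"source not publicly retrievable (HTTP {status})"
    collector = _LinkCollector(source)
    collector.feed(body)
    if urldefrag(target).url not in collector.links:
        return False, "source does not link to target"
    return True, "backlink verified"

# Constructed sample responses standing in for the network.
_PAGES = {
    "https://alice.example/post/1":
        (200, '<p>Re: <a href="https://bob.example/note/9">Bob</a></p>'),
    "https://alice.example/private/2": (403, "Forbidden"),
    "https://alice.example/post/3":
        (200, "<p>bob.example/note/9 mentioned as plain text only</p>"),
}

def fake_fetch(url):
    return _PAGES.get(url, (404, ""))
```

Because the fetch is anonymous, a source that sits behind access control fails verification instead of being copied into the receiver's public pages.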

elf-pavlik commented 9 years ago

> Given the above, IMO, backlinks behind some sort of access control (in most cases these are private messages given a URL and not really backlinks) should not qualify for webmentions because receivers might leak private information if they do not implement the access control extension(s) (whatever that might be) let alone implement them correctly. Using webmention as a generic notification mechanism leads to all sorts of complications.

How does it relate to #12?

sandeepshetty commented 9 years ago

I don't think #12 is a good idea anymore and my comment here is my latest opinion on it.