EstebanBorai
commented
1 month ago @erlend-sh I think being able to vaildate sources like this its shown here would be a good start?
Open erlend-sh opened 2 years ago
EstebanBorai
commented
1 month ago @erlend-sh I think being able to vaildate sources like this its shown here would be a good start?
erlend-sh
commented
1 month ago Yeah, we want rel=me links 👍
I’ll rewrite this issue to center on that first step.
EstebanBorai
commented
1 month ago Great @erlend-sh!
Hey @zicklag is this something you thought about already? I wonder if you had ideas on how you plan to implement this?
zicklag
commented
1 month ago Haven't thought much about this yet, but it seems like maybe doing it almost exactly like Mastodon does would make the most sense.
We should think about the possible implications of this, but I think all of the links on a profile page should have the rel="me" flag. Basically all profile links are meant to share something associated with your identity, not just like, "my favorite website". If we don't like that, we'll have to add like a checkmark or something that indicates whether or not you want the link to represent a part of your identity ( i.e. have the rel="me" setting ).
Whenever a profile is saved the server will go through each link and fetch it, searching for any rel="me" links that link back to that page. If it finds one, then that link is considered verified and the Weird server will store the link as a verified link, probably with the date that it was verified, and it will store it in the Weird server's own subspace, which indicates that it is the authority of the Weird server that indicates that verification succeeded, not the user self-claiming that it's their profile without us checking it.
EstebanBorai
commented
1 month ago Haven't thought much about this yet, but it seems like maybe doing it almost exactly like Mastodon does would make the most sense.
I agree, I noticed Mastodon has special logic based on the domain, for instance if you want to link you GitHub account then Mastodon checks for such GitHub Account to refer Mastodon's account back, so perhaps certain logic for these kind of scenarios should be considerated.
We should think about the possible implications of this, but I think all of the links on a profile page should have the
rel="me"flag. Basically all profile links are meant to share something associated with your identity, not just like, "my favorite website". If we don't like that, we'll have to add like a checkmark or something that indicates whether or not you want the link to represent a part of your identity ( i.e. have the rel="me" setting ).
I think that we could solve this checking on the URL domain portion?
Perhaps if the user is referring to a social network, then we could assume its the user's profile in such network?
Whenever a profile is saved the server will go through each link and fetch it, searching for any
rel="me"links that link back to that page. If it finds one, then that link is considered verified and the Weird server will store the link as a verified link, probably with the date that it was verified, and it will store it in the Weird server's own subspace, which indicates that it is the authority of the Weird server that indicates that verification succeeded, not the user self-claiming that it's their profile without us checking it.
Totally!
zicklag
commented
1 month ago for instance if you want to link you GitHub account then Mastodon checks for such GitHub Account to refer Mastodon's account back,
I think it has to work on any URL, though. For example, on my Mastodon profile I've validated my ownership of my blog site: zicklag.katharostech.group.
And that's completely custom and not a social network, etc.
EstebanBorai
commented
1 month ago I think it has to work on any URL, though. For example, on my Mastodon profile I've validated my ownership of my blog site: zicklag.katharostech.group.
And that's completely custom and not a social network, etc.
Exactly! But verification against GitHub might not be the same as for personal website or other platforms.
If you dont have access to the source code, or if the platform does not follows the <link rel="me" ... convention, then we might need to handle it differently.
In summary, some domains may have different verification methods.
zicklag
commented
1 month ago Ah, gotcha. GitHub does actually support the rel="me" links, and that is how mastodon verification works with it I think. I'm not sure how common that is across other social platforms, I just kind of assumed it was standard.
But yes, we can use the rel="me" check by default, and then use custom verification methods if we have to for specific domains. 👍️
EstebanBorai
commented
1 month ago Ah, gotcha. GitHub does actually support the
rel="me"links, and that is how mastodon verification works with it I think. I'm not sure how common that is across other social platforms, I just kind of assumed it was standard.But yes, we can use the
rel="me"check by default, and then use custom verification methods if we have to for specific domains. 👍️
Sounds good! Okay I think I could give this a shot! Feel free to assign this to me!
erlend-sh
commented
4 weeks ago Only tangentially related, but it’d be really cool if we could easily facilitate this for Mastodon users as well: https://philna.sh/blog/2022/11/23/alias-your-mastodon-username-to-your-own-domain-with-jekyll/
edit: another curiosity: https://bsky.app/profile/voxpelli.com/post/3lbev3niz2222
zicklag
commented
4 weeks ago I think we could do that easy and automatically for anybody who has a mastodon link. We just need to hook up the routing to host the webfinger JSON under the user subsite route.
As part of Weird’s ambitions as an identity consolidator, a natural first step is support for
rel=“me”links, a standard popularized by Mastodon:https://til.simonwillison.net/mastodon/verifying-github-on-mastodon