Re: Portability task force timeslot Nov 20 from Lisa Dusseault on 2024-11-20 (public-swicg@w3.org from November 2024)

From: Lisa Dusseault <lisa@dtinit.org>
Date: Wed, 20 Nov 2024 13:50:28 -0800
To: Social Web Incubator Community Group <public-swicg@w3.org>
Message-ID: <CAH212UOYyuLQhCWLgR6=F50R+2r_xU-iPD678UkkR3+ihqvN3Q@mail.gmail.com>
We just had a bit of a chat as it turned out, no decisions made naturally
but why not take notes...



# SocialCG Data Portability Task Force

20 Nov 2024

## Present

- Evan Prodromou <acct:evan@cosocial.ca>
- Lisa Dusseault
- A

## Agenda

LOLA status: encouraging implementors & feedback

1. LOLA test ideas

DTI prototyping a LOLA testbed server
  - we could do this within the swicg repo? good idea!
  - In part a reference implementation
  - In part an ad-hoc test bed of really having an account on another
server to port to and from
  - Evan pointed to https://fedify.dev/install as a recognized useful
building block for this kind of thing

2. https://codeberg.org/fediverse/fep/src/branch/main/fep/7952/fep-7952.md

A & Lisa discussed the proposals in this -- all things we'd like -- and
where these are likely to make progress.

Signed messages in particular...
 - We don't believe there's a signed-message task force?  The topic of
signed messages does kind of fit into portability. so does an export/import
format.

 - https://www.w3.org/TR/controller-document/ is really interesting.  What
if you take Actor documents and the Controller documents defined in this
and smush (technical term) them together?

 - Fediverse is using the old security vocabulary from 2018... since then
much work on verifiable credentials has been done.  defining extremely
generic verification approaches as well as specific ones like assertion
method keys, key exchange, delegation and so on.

 - we already use the public key property, new stuff would likely live
alongside that (so we can have multiple public keys not just one, and then
key rotation can work)

 - Does rotating a key mean resigning a lot of old content? We think so...
otherwise a key that was compromised would still live on, used for valid as
well as potentially invalid content.

 - Some work being done in TDW - Trusted DID WEb - to have a log of key
rotation events.  Ideally links would not break when key rotation is needed
 - Bluesky solves this with the PLC directory.
 - Signed messages are famously a hard problem.  One of the problems is
complication - many attempts historically have failed due to being a lot of
work and a lot of complexity. Another problem is they may not solve what
you think they solve.
 - At least having an Actor object helps with bidirectionality - the Actor
verifies the relationship of the key to the content.  But then one is back
to requiring a live online Actor for the system to work as desired.
 - Signed fetches: an HTTP signature on the request (in Mastodon) -- this
also works if you put up a dummy domain and another key on that, and refer
to that... which can mean the reason for asking for signed fetches is
circumvented.
 - Sometimes we still should attempt the complex signature solutions, but
with a good idea of how far we really trust the assertions made with those
solutions.

Strong relationships between Actor and Object in face of portability:

* We  discussed how the link between an Actor and some Objects is actually
weaker than we'd sometimes like.  We can't reliably decompose Object URLs
and confirm that they come from a given Actor.  The DID stuff points to a
service and relative ref to solve this kind of problem.  ActivityPub could
do something like this with standardization around things like parameter
ordering on URLs and base path requirements.

* We  discussed domain name changes.  If you have a transition period, you
can do something -- at a bare minimum, a permanent redirect between old
things and new things. Do domains need their own Actors? could you move
that in one go? Or is it better to move all the individual Actors
(especially if this is already a known operation)



On Wed, Nov 20, 2024 at 10:46 AM Lisa Dusseault <lisa@dtinit.org> wrote:

> This never did get on the official calendar, my bad!  I'll still be
> joining https://meet.jit.si/social-web-cg in 15 minutes, if anybody else
> is able to show we'll be able to discuss test plans, export formats, and of
> course take and share notes.
>
> Lisa
>
> On Thu, Nov 7, 2024 at 12:47 PM Evan Prodromou <evan@prodromou.name>
> wrote:
>
>> I'm in!
>>
>> On 2024-11-07 1:20 p.m., Lisa Dusseault wrote:
>> > Juan & I would like to have time to chat about portability.  We're
>> > both available
>> > 11am PT on Nov 20.  (As a backup time if folks clamour for it, we can
>> > also do 10am PT Nov 22 right after the regular triage meeting).
>> >
>> > I'll ask Dmitri to put this on the official calendar
>> > Thanks
>> > Lisa
>>
>
Received on Wednesday, 20 November 2024 21:50:43 UTC