silverpill
"FEP-171b: Conversation Containers" finally has been published:
https://codeberg.org/fediverse/fep/src/branch/main/fep/171b/fep-171b.md
Conversation Containers are conceptually very similar to FEP-1b12: activities are sent to a conversation owner, who manages the conversation and synchronizes it between participants. Differences are mostly superficial and may disappear in the future.
silverpill
@benpate Yes, this is a description of what Streams does with some minor additions of my own. It is not officially produced by the Working Group but they are aware of this FEP and we are trying to figure out how to arrive on a single standard.
Conversation Containers help bridge the gap between the "threadiverse" (which mostly uses FEP-1b12) and the micro-blogging space, where this mechanism can be used to implement reply controls and followers-only posts.
Ben Pate 🤘🏻
I’m super interested in all of these efforts to improve conversations and relies.
This looks like it’s pulled from Streams, yes? Which means it’s not related to the Forums and Threaded Discussions Working Group, is that right?
There are some cool ideas in here. Hopefully we can consolidate all of them to arrive at a single standard to implement.
silverpill
@mario If conversation participants do not perform authentication procedure described in the FEP, the owner will be able to impersonate other participants (or anyone, if conversation is public) by sending an Add(Create(Note)) activity where Create(Note) is forged.
The argument can be made that if you participate in a conversation, you necessarily trust the owner (Lemmy et al operate with this assumption), but I'm not convinced that it is true.
>In this case the message will be rejected allthough its authenticity is verified.
How other servers can verify messages made by remotely authenticated actor? I'm not familiar with OpenWebAuth
Mario Vavti
silverpill
@mario 61cf explains how to log in to "target" instance using "home" credentials, but I can't follow the algorithm past this step:
>2. The /magic endpoint at the user's home instance first checks that the user is logged in.
How does it check that the user is logged in? Does it present a login form?
And then, after login, which instance generates activities?
What URI is being put into actor field of activity, and what URI is being put into keyId parameter of HTTP signature?
cc @fentiger
Mario Vavti
silverpill
>It checks whether the user has a session cookie.
Ah, I see. Consider adding this information to the description of step 2.
FenTiger
silverpill
>Actor is the remotely via OWA logged in actor., the HTTP requesti is signed by the thread owner.
This violates same origin policy, but I will mention in the FEP that implementations may accept such activities if conversation owner is trusted.
Mario Vavti
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.