Conversation
Hélène (helene@p.helene.moe)'s status on Sunday, 21-Aug-2022 22:34:07 JST Hélène
me too, mastodon, me too
nya-a1ba (a1ba@expired.mentality.rip)'s status on Sunday, 21-Aug-2022 22:34:55 JST nya-a1ba
@helene wtf is bearcaps?
Hélène (helene@p.helene.moe)'s status on Sunday, 21-Aug-2022 22:37:36 JST Hélène
@a1ba authorization mechanism but on specific URIs (bearer capabilities URI)
you attach a token to a URI, when dereferencing it you send that token
i’m guessing it’s used to be revoked in specific circumstances but i don’t really see the point considering how everything else works in AP
tusooa :Cat_girls_Emoji_004: 西风 (tusooa@kazv.moe)'s status on Sunday, 21-Aug-2022 22:37:40 JST tusooa :Cat_girls_Emoji_004: 西风
@helene what's bearcap
i seethe and (cope@eeeeeeeee.eu)'s status on Sunday, 21-Aug-2022 22:38:27 JST i seethe and
@a1ba @helene something they invented by the looks of it
https://docs.joinmastodon.org/spec/bearcaps/#intro
being the only result of the term
Hélène (helene@p.helene.moe)'s status on Sunday, 21-Aug-2022 22:39:17 JST Hélène
@tusooa https://p.helene.moe/notice/AMkp28Q3tv6IoHQ9YW but it looks like a lightweight version of https://blog.dereferenced.org/what-is-ocap-and-why-should-i-care or https://gitlab.com/spritely/ocappub/blob/master/README.org
i don't see the point and it seems like they haven't found it yet either
Hélène (helene@p.helene.moe)'s status on Sunday, 21-Aug-2022 22:39:33 JST Hélène
@tusooa i don't see the point in their current implementation as bearcaps, i mean.
tusooa :Cat_girls_Emoji_004: 西风 (tusooa@kazv.moe)'s status on Sunday, 21-Aug-2022 22:40:47 JST tusooa :Cat_girls_Emoji_004: 西风
@helene uh i saw something called a "bearer address"...
Hélène (helene@p.helene.moe)'s status on Sunday, 21-Aug-2022 22:40:54 JST Hélène
@tusooa what do you mean?
Hélène (helene@p.helene.moe)'s status on Sunday, 21-Aug-2022 22:46:07 JST Hélène
@tusooa yeah, the acknowledgements make it pretty clear, i think this one you linked is a worse version
tusooa :Cat_girls_Emoji_004: 西风 (tusooa@kazv.moe)'s status on Sunday, 21-Aug-2022 22:46:08 JST tusooa :Cat_girls_Emoji_004: 西风
@helene https://neilmadden.blog/2021/03/20/towards-a-standard-for-bearer-token-urls/
> bearer://fe9CBsDahU_e9w;UserOnly@api.somewhere.example/some/path?query=yes
infinite love ⴳ (trwnh@mastodon.social)'s status on Sunday, 21-Aug-2022 22:59:33 JST infinite love ⴳ
@helene @tusooa i was spitballing two weeks ago that it could be used for inbox-forwarding comments on a top-level post to a limited audience, as an alternative to LD signatures, basically being used as something between "transient activity, null id" and "publicly accessible, https id"
like, if you made a post to a circle/aspect, you would attach a custom `audience`, i would reply to your post with `context` and address it to you + the audience, and use a bearcap. you would forward the bearcap.
Hélène (helene@p.helene.moe)'s status on Sunday, 21-Aug-2022 23:08:20 JST Hélène
@trwnh @tusooa i'm pretty sure this is what it was intended for, actually
LD signatures are pretty bad for 99% of cases; for Deletes, though, I'd think they're good personally. but for such cases, indeed, much much preferable (though they can't have "null IDs", but I understand what you tried to say there)
the issue is that they're still leaky on "who requested it" (something LD signatures aren't), but they're revocable and can be "plausibly denied" (whatever that really means, but many people very much care to not have signatures in their activities, which is fine)
i don't think mastodon's implementation is useful/good, however, but the concept itself is interesting
infinite love ⴳ (trwnh@mastodon.social)'s status on Sunday, 21-Aug-2022 23:20:12 JST infinite love ⴳ
@helene @tusooa you could have service actors act as a proxy for fetching but yeah you're never gonna get around requester leaking, and technically it's not deniable either if you can just fetch it and see the post (assuming the token leaks)
mitigations would be using a per-post token i guess?
Fu (fuat2mb@theres.life)'s status on Monday, 22-Aug-2022 01:21:10 JST Fu
@helene
BEARS!