Would it be useful to do a broader privacy review of ActivityPub and Mastodon-federation?
/cc @cwebber @sandro
http://lists.w3.org/Archives/Public/public-privacy/2017JulSep/0018.html
@sandro @npd BTW one thing that has not really been possible to get normatively in the spec is the authentication section of the spec; two non-normative paths were laid out: OAuth 2.0 w/ bearer tokens, or a Linked Data Signatures + HTTP Signatures route. Mastodon has gone the latter, which I suspect will bring the rest of the network in that direction.
@npd @cwebber Hi Nick, that sounds potentially useful, but I don't really know how that would work. Some kinda joint meeting of privacy experts and protocol experts? AP is so abstract, it seems a bit impossible. Privacy + Mastodon, a conversation with Mastodon folks would be much more concrete, but I'd expect the user base has already surfaced everything, probably.
@sandro @cwebber I suggested in that email that a conversation hosted on the Privacy Interest Group (PING) call next week would be one way to go.
I strongly suspect that Mastodon having many users has not meant that all privacy issues are surfaced and resolved. (Indeed, privacy concerns/confusions around the audience of federated toots are common.) But I agree that having an email/teleconference with Mastodon devs and not just ActivityPub could help make it concrete.
@sandro @cwebber we have this on the agenda for tomorrow's teleconference, which you're welcome to join:
https://lists.w3.org/Archives/Public/public-privacy/2017JulSep/0020.html
the agenda is a little packed, so I'm imagining that'll be a brief overview discussion and we can continue in email or subsequent meetings.
@npd @sandro Seems like a good idea. (We did raise AP to the w3c security list much earlier, almost exactly a year ago on Wed 28 Sep 2016, but we didn't get a response then.)