Aaron Parecki


Thursday, October 7, 2021

bicycle • 38 min • 7.4 miles
  • Kat Maddox https://twitter.com/ctrlshifti
    security engineer: we're going to start moving towards zero trust

    developer: oh cool. how does that work

    security engineer: [narrows eyes] why do you ask
    Portland, Oregon • 43°F
    Thu, Oct 7, 2021 5:03am +00:00 (liked on Thu, Oct 7, 2021 6:25am -07:00)
  • WTF OAuth https://twitter.com/wtf_oauth
    If you're not using OAuth, you're not on the web.
    Portland, Oregon • 43°F
    Thu, Oct 7, 2021 6:05am +00:00 (liked on Thu, Oct 7, 2021 6:33am -07:00)
  • Roberto Blake 🇺🇸🇵🇦🗽Creative Entrepreneur https://twitter.com/robertoblake   •   Oct 7
    For those who have renovated a basement for YouTube or streaming, about how much was the total project?
    Aaron Parecki
    I do not want to add it all up
    Portland, Oregon • 43°F
    6 likes
    Thu, Oct 7, 2021 6:34am -07:00
  • WTF OAuth https://twitter.com/wtf_oauth
    OAuth isn't just a way to log into your favorite sites. It's a way to log into the internet itself.
    Portland, Oregon • 43°F
    Thu, Oct 7, 2021 1:48pm +00:00 (liked on Thu, Oct 7, 2021 6:49am -07:00)
  • Vittorio 💯 https://twitter.com/vibronet
    Tonight I saw on StackOverflow a mention of the OAuth “explicit flow”, and that gave me pause 😝
    I’m afraid to look it up, should I turn the safe search on?
    Portland, Oregon • 43°F
    Thu, Oct 7, 2021 5:36am +00:00 (liked on Thu, Oct 7, 2021 6:51am -07:00)
  • 🍍belle ananas🍍 https://twitter.com/annabellerings
    Authorization codes eXXXposed! Check out these naughty native apps going PKCE-free in public! https://tinyurl.com/4ht58kst
    Portland, Oregon • 43°F
    Thu, Oct 7, 2021 6:04am +00:00 (liked on Thu, Oct 7, 2021 6:51am -07:00)
  • Alexandra S. Pumpkins-Erin https://twitter.com/AlexandraErin
    "But NFTs let you do it in a decentralized way."

    Every single unnecessary step of the pointlessly convoluted and wasteful blockchain process depends 100% on the existence of internet architecture that is controlled by those central authorities you're supposedly circumventing.
    Portland, Oregon • 44°F
    Thu, Oct 7, 2021 3:19pm +00:00 (liked on Thu, Oct 7, 2021 8:23am -07:00)
  • Arthur Chu https://twitter.com/arthur_affect
    Or just having a *normal* URL that lets anyone else in the world view my YouTube video the normal way, for free (or for the negligible cost of doing a normal data transfer on the Web shared between their ISP and my hosting service)
    Portland, Oregon • 44°F
    Thu, Oct 7, 2021 3:02pm +00:00 (liked on Thu, Oct 7, 2021 8:45am -07:00)
  • Arthur Chu https://twitter.com/arthur_affect
    And hilariously this is what every NFT seller ACTUALLY DOES - they ALL mint multiple NFTs for the same file for as much as what the market will bear and then try to price them according to the order they were minted in ("Congratulations, you're Owner #77!") like this is real
    Portland, Oregon • 44°F
    Thu, Oct 7, 2021 3:03pm +00:00 (liked on Thu, Oct 7, 2021 8:45am -07:00)
  • Alexandra S. Pumpkins-Erin https://twitter.com/AlexandraErin
    This IS one of the most hilarious things about NFTs, because when the bubble began, the point that got hyped up the most was "guaranteed unique", leading to widespread confusion among the public when, for instance, everybody at a ceremony got "the same NFT" of Chadwick Boseman.
    Portland, Oregon • 44°F
    Thu, Oct 7, 2021 3:06pm +00:00 (liked on Thu, Oct 7, 2021 8:46am -07:00)
  • Alexandra S. Pumpkins-Erin https://twitter.com/AlexandraErin
    "Imagine being mad about a game using NFTs for in-game assets that are just records on a server when existing games already have items that work that way."

    Yes, we know! You can do the useful part of the thing without NFTs! Thank you for admitting that!
    Portland, Oregon • 44°F
    Thu, Oct 7, 2021 3:14pm +00:00 (liked on Thu, Oct 7, 2021 8:46am -07:00)
  • Tom Coates https://twitter.com/tomcoates
    The situation we find ourselves in is one where the policy and algorithmic decisions of one company determine what three billion people across the world see. That’s FAR too much power for any company to have.
    Portland, Oregon • 44°F
    Thu, Oct 7, 2021 3:54pm +00:00 (liked on Thu, Oct 7, 2021 8:56am -07:00)
  • Tom Coates https://twitter.com/tomcoates
    This is and remains an antitrust problem, a monopolies problem, a problem with turning the public space into a privately owned monoculture. That’s the problem to fix.
    Portland, Oregon • 44°F
    Thu, Oct 7, 2021 3:55pm +00:00 (liked on Thu, Oct 7, 2021 8:56am -07:00)
  • beyond tellerrand https://twitter.com/btconf
    Look who is back in the family: @aaronpk ! With a great talk about #OAuth. Say hello to Aaron and see the details about him and his talk here: https://beyondtellerrand.com/events/dusseldorf-2021/speakers/aaron-parecki
    Portland, Oregon • 44°F
    Thu, Oct 7, 2021 4:45pm +00:00 (liked on Thu, Oct 7, 2021 9:53am -07:00) #OAuth
  • Emily Strickland https://twitter.com/emilyst
    The whole blockchain thing reminds me of the early fervor over NoSQL.

    Except with orders of magnitude more grifting, and the destruction of a forest each time a DB gets updated.
    Portland, Oregon • 49°F
    Thu, Oct 7, 2021 5:35pm +00:00 (liked on Thu, Oct 7, 2021 11:19am -07:00)
  • Aaron Parecki
    Contributions from: Germany, Israel, Russian Federation, Serbia, United Kingdom, United States
    Thu, Oct 7, 2021 12:16pm -07:00
  • Customizing Boot Up Screen on Raspberry Pi (scribles.net)
    Thu, Oct 7, 2021 12:21pm -07:00 #raspi #raspberrypi
  • Carole Cadwalladr https://twitter.com/carolecadwalla
    https://twitter.com/carolecadwalla/status/1446148022551908357?s=20
    Portland, Oregon • 57°F
    Thu, Oct 7, 2021 4:18pm +00:00 (liked on Thu, Oct 7, 2021 2:09pm -07:00) #facebook
  • Vittorio 💯 https://twitter.com/vibronet
    The OAuth happy hour with @aaronpk starts in 4 minutes! Who knows, we might even get to chat about the Explicit Flow :P
    https://youtu.be/B3a3-JV-dl0
    Portland, Oregon • 59°F
    Thu, Oct 7, 2021 10:56pm +00:00 (liked on Thu, Oct 7, 2021 3:57pm -07:00)
  • Chloe Condon https://twitter.com/ChloeCondon
    Always in awe of my ADHD's consistent ability to terrify me of tasks. Then, like clockwork, once I do finally complete the task I feel awful because of how easy it was to complete after all 🙃😭⚰️🪦💀
    Portland, Oregon • 52°F
    Fri, Oct 8, 2021 2:13am +00:00 (liked on Thu, Oct 7, 2021 7:22pm -07:00)
  • @goto https://twitter.com/samuelgoto   •   Oct 7
    @aaronpk on a related note: does any part of IndieAuth break when browsers block third party cookies?
    Aaron Parecki
    No, none of it relies on third party cookies thankfully, it's closer to plain OAuth in that sense.
    Portland, Oregon • 48°F
    1 reply
    Thu, Oct 7, 2021 9:17pm -07:00
  • @goto https://twitter.com/samuelgoto   •   Oct 7
    Ok, I did look into this more carefully and I remember running into this earlier.

    How does this relate to OIDC? Is it fair to characterize it as an alternative to it that operates on the same level/layer (e.g. both are extensions to oauth?)?
    Aaron Parecki
    There are definitely some similarities since they are both adding an identity layer on top of OAuth. IndieAuth is a much smaller surface area tho and does less stuff. Some more details here: https://indieweb.org/How_is_IndieAuth_different_from_OpenID_Connect
    Portland, Oregon • 48°F
    23 replies
    Thu, Oct 7, 2021 9:20pm -07:00
  • @goto https://twitter.com/samuelgoto   •   Oct 8
    "Because these URLs rely on the public web and DNS, they are guaranteed to be globally unique." -- ugh, is this a feature or a bug? I feel like this isn't going to age well :(
    Aaron Parecki
    Do you mean when there's a viable replacement for DNS? We can cross that bridge when we come to it.
    Portland, Oregon • 47°F
    21 replies
    Thu, Oct 7, 2021 9:24pm -07:00
  • @goto https://twitter.com/samuelgoto   •   Oct 8
    No, in the sense are these designed such that two different RPs get the same global identifier for the same user?
    Aaron Parecki
    Oh yeah, that's intentional. It'd be interesting to explore what it could look like otherwise tho.
    Portland, Oregon • 47°F
    1 like 19 replies
    Thu, Oct 7, 2021 9:27pm -07:00
  • Aaron Parecki https://aaronparecki.com/   •   Oct 7
    Oh yeah, that's intentional. It'd be interesting to explore what it could look like otherwise tho.
    Aaron Parecki
    I'm actually really interested in this particular problem right now since Sign In with Apple is probably the biggest example of differing IDs per RP yet the first thing the RPs want to do is resolve that back to an identifiable user.
    Portland, Oregon • 47°F
    4 replies
    Thu, Oct 7, 2021 9:32pm -07:00
  • tim cappalli https://twitter.com/timcappalli   •   Oct 8
    That was fast @aaronpk. Welcome :)
    Aaron Parecki
    I actually thought I had already joined, but I haven't yet actually joined a meeting. It's a lot to keep up on with all the other spec work I'm in the middle of 😅
    Portland, Oregon • 47°F
    1 like
    Thu, Oct 7, 2021 9:42pm -07:00
  • @goto https://twitter.com/samuelgoto   •   Oct 8
    LMK if you run into a good formulation.

    FWIW email may be a good analogy and source of inspiration. In browser land, SHA256(user + RP)@idp.example does the trick.
    Aaron Parecki
    Relying on sha256 as the end of the story seems like a thing that also won't age well. It's only a matter of time until we see sha256 the way we see md5 today.
    Portland, Oregon • 47°F
    5 replies
    Thu, Oct 7, 2021 9:44pm -07:00
  • @goto https://twitter.com/samuelgoto   •   Oct 8
    Sure. I'm sure one could find a hashing function that would age well (I'm making an assumption :) but a lot of stuff breaks if one doesn't :)).
    Aaron Parecki
    But there's a big difference in relying on a specific hash function for something that won't matter a day from now (validating an ID token) vs something that can be correlated years later (hashed identifiers in logs)
    Portland, Oregon • 47°F
    3 replies
    Thu, Oct 7, 2021 9:47pm -07:00
  • @goto https://twitter.com/samuelgoto
    Ah that's indeed a reasonable distinction. Still seems like solvable? Like Signal that uses a master identifier and then ephemeral (yet stable) ones?
    Portland, Oregon • 46°F
    Fri, Oct 8, 2021 4:54am +00:00 (liked on Thu, Oct 7, 2021 10:03pm -07:00)
  • @goto https://twitter.com/samuelgoto   •   Oct 8
    Ah that's indeed a reasonable distinction. Still seems like solvable? Like Signal that uses a master identifier and then ephemeral (yet stable) ones?
    Aaron Parecki
    Maybe, but at the end of the day I would assume any crypto will eventually be broken, so it's a game of picking good enough algorithms to avoid correlation in a timeframe that would be a problem.
    Portland, Oregon • 46°F
    1 reply
    Thu, Oct 7, 2021 10:10pm -07:00
  • Asleep 10:17pm • Awake 6:00am • Slept 7h 43m • Awake for 13m
    Portland, Oregon
    Thu, Oct 7, 2021 11:00pm -07:00

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming.

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.