As a Brit it’s really weird seeing courtroom footage from Pistorius’ trial. Cameras aren’t allowed in out courtrooms.

Busy at start trying to fundraise for our Ben Nevis walk this summer.

Next idea on the agenda is a car boot sale this Sunday. Not sure how much we’ll raise though. The upcoming quiz night should be good though.

I can smell @sophieryder cooking the chicken. It smells awesome!

At my girlfriend’s place. About to have a chicken roast meal for the second night in a row before driving home. Hopefully gonna get web mentions working on my site tonight.

A very intersting article by @Gruber: http://daringfireball.net/2014/02/working_backwards

Just compare the number of phones Apple make compared to Samsung for an example of focus.

Fixing Copyright

I was listening to the excellent Hello Internet podcast made by CGPGrey and Brady Haran, and in episode 3 they talked about copyright.

Copyright is about protecting investment, its about money.

So lets make it about money. I think copyright should be theoretically infinite. You should take the production budget of the work of art. Multiply this by some factor, and then if the art makes that much profit the copyright protection is removed. If a work of art isn't popular enough to make that much profit then it can stay under copyright protection indefinitely, until it does.

Yes, the obvious thing that will happen is that production companys will artificially infalte the production costs in order to maximise the profits they can make.

I still feel this is a better system than we currently have.

Looking forward to a Sunday roast made by Sophie. Roast pork plus crackling, roast potatoes, cauliflower cheese, roast sprouts with bacon, glazed carrots, and pork, sage and onion stuffing. Followed by jam rolly-polly. I don’t deserve a such a great girlfriend.

The micropub API and security

I’ve talked before about the IndieWeb. That it’s important to own your identity online. What is the point, however, if there is no social nature to all this? We need to interact with each other.

Webmentions to the rescue. These allow one website to “ping” another. A sort of notification system. This has been extended by snarfed to the major silos of social network with his excellent bridgy service. This is basically a shim that makes it look like the sites use mf2 + webmentions, and very nicely done to. I still need to implement this on my own site. I’m working on it.

What people are also working on is something called the micropub API. This would allow one site or service to post to another. You could log into my site, and post a note to your site. This obviously involves authentication, which is a well discussed problem. The indieweb community, and Aaron in particular, have developed a service called IndieAuth. This allows you to authenticate as yourself with your own domain, by linking bijectively with various silos.

To summarise the process, when you log into my site with your domain, I go to your domain and look for an authorisation endpoint, either in an HTTP Link header, or in a <link> element in the HTML. This endpoint is usually https://indieauth.com/auth. You authorise and get redirected back to my site, along with an auth code being sent over as well. I then look for a token endpoint, again on your site, and make a request for a token and send the auth code I received. Your site verifies this code with the authorisation endpoint and then generates its own OAuth token which is sent back to my site. I can then use this token when making API requests to your micropub endpoint.

Security is a concern here. The most important step I take is to store your token in an encrypted cookie. By not storing the token in my webapp, if my site becomes compromised, then your token isnt’t automatically compromised as well. The other talking point regarding security is the revocation of tokens. This isn’t an issue for micropub clients. This is an issue for our own sites, the micropub endpoints. We need a way of managing the OAuth tokens we have generated, so we can see and control which micropub clients we’ve authorised.

I wonder if this is something that can be incorporated into IndieAuth? Once authorisation has occured, the endpoint could request that IndieAuth generates an OAuth token, and that token gets sent back to the client. Then when the micropub client makes an API request, the endpoint checks the OAuth token with IndieAuth. Then we could see all our “active” tokens on IndieAuth and revoke those we no longer wish to be active. Further consideration would be needed as to how to implement this. Particularly details like which roles a token is valid for, or whether it has an expiration date. How would this information be associated with a token? It could be simply encoded into the token itself, this would probably be the easiest solution to initially implement. It’s how I generate the tokens on my site at the moment.

Maybe Aaron could chime in.

Wow it’s windy tonight!

My name is Jonny Barnes, and jonnybarnes.uk is my site. I’m from Manchester, UK .

I am active to varying degrees on several silos:

My usual online nickname is normally jonnybarnes for other services. I also syndicate my content to the IndieWeb friendly site micro.blog. Here’s a profile pic. I also have a PGP key, with fingerprint. You can email me at jonny at my domain, or message me on XMPP.