Thread: Identity in the Ping or Feed?




Identity in the Ping or Feed?
user name
2006-04-06 16:30:17
> Are you saying that A sends a ping to B with content from C, and B
> ignores A ("anyone could have forwarded") and instead only looks
> whether the content indeed was signed by C?

More or less. The corollary to this idea is that the source of the ping
doesn't matter. The source of record is always the feed. Because what
are you really trusting? Are you trusting the source of the ping, or
validity of the data being referenced? My belief is that you ultimately
trust the latter of the two.

But again, this is not about trust. It's just about where the identity
lives. I would layer on top of this a system that trusts specific data
sources. And hopefully someone will step in and provide a service that
can help us all to query for trusted sites/data sources, etc.

> Or are you saying that the ping itself would not contain any digital
> signatures, only when you went back to the feed, you would get them?
> If so, how does this look from the perspective of a spammer?

Very little difference actually. Again, a signature regardless of where
it lives (in the feed or ping) does little to help me determine whether
the ping is trustworthy or not. It only serves as an identity that I can
build a rules engine on top of.

If I were a spammer looking to game the system, here are some things I
might try:

Sign my feed to give the semblance of security and trust in a hope that
software will do little to verify the signature. Given that once the
world figures out my feed is bogus, perhaps called a "spleed" (ok, bad
name), and the world starts to distrust my signature, then I would
regenerate my signature frequently to keep people guessing. However,
doing so doesn't help me much because most SANE rules engines are going
to moderate unknown feeds. Or they should IMHO.

One thing that would be cool for an MT plugin for example, would be for
the plugin to periodically check signatures associated with previously
published pings - that way if a ping was not determined to be spam at
post time, but was later determined to be spam, it could easily be
cleaned up.



> On Apr 6, 2006, at 8:34, Byrne Reese wrote:
>
> > TrackBack mailing list has been pretty quiet as of late, so I thought
> > I would spur some friendly debate by sharing an interesting
> > conversation David and I had with Hans from VeriSign yesterday. We
> > discussed "signed pings" and I would say one of the biggest takeaways
> > was the concept that perhaps trying to embed identity within the ping
> > itself is overkill. Perhaps, just perhaps, it makes more sense for the
> > feed to include this information. It's almost as if the source of the
> > ping doesn't matter. In the end, it's about "do you trust the source of
> > the data?" as opposed to the sender of the ping.
> >
> > So the idea that evolved was a ping is sent from A to B. B then
> > inspects the feed found at A looking for a signature or some other
> > verifiable identity, and then makes decisions about moderation or
> > publishing based upon the identity found there.
> >
> > That is not to say that packaging an identity within a ping is a bad
> > idea... but just thinking about the numerous ways to solve the
> > problem.
> >
> > One of the things I like about this is that its impacts to existing
> > pinging protocols are minimal. Plus it pushes complexity to the feed,
> > which is already relatively complex. Plus the feed (Atom I presume) is
> > already extensible and could accommodate this extra meta data easily.
> >
> > Byrne Reese
> > Manager, Platform Technology
> > http://www.sixapart.com/pronet/
> > Email: byrnesixapart.com
> > AIM: byrnereese
> >
> > _______________________________________________
> > Trackback-protocol mailing list
> > Trackback-protocolsixapart.com
> > http://www.sixapart.com/mailman/listinfo/trackback-protocol
>
> Johannes Ernst
> NetMesh Inc.


Identity in the Ping or Feed?
user name
2006-04-06 22:17:35
Where this all seems to come together is at the remix feed/ping.
Let's say we have feeds C1, C2, C3 and so forth, maintained by
different people on organizationally entirely different locations.

A could be somebody like Technorati who publishes a single feed A
with C1, C2, C3 etc. content, by only selecting posts with a certain
keyword in them or whatever algorithm.

If content in feeds C1, C2, C3 was signed on an individual-post
level, then A could preserve the signatures during remixing, and B --
the receiver of the feed -- can rest assured that the posts in feed A
indeed came from C1, C2, C3 without going back to the source.
(Assuming that B has the public key, which he can easily get using
Yadis/LID/etc.)

Adding pings to the equation, our receiver B will receive pings about
new content at C1, C2, C3 either by receiving pings directly from
them, or through the remixer A who can remix the pings the exact same
way that they can remix feeds.

I think what you are saying -- and if so, I fully agree! -- is that A
does not need, or maybe even should not sign the pings about C1, C2,
C3 content that went to B. Instead, A should be able to "forward"
pings to B.

Of course, there is nothing in this that says C2, say, must be the
original source of the content; it might just as well be an
aggregator or remixer themselves like A is. A in turn is not
necessarily obligated to preserve digital signatures either, although
I'd consider it bad form if they didn't.

That I think makes it fairly clear where the digital identity URL
resides.

> One thing that would be cool for an MT plugin for example, would be
> for the plugin to periodically check signatures associated with
> previously published pings - that way if a ping was not determined
> to be spam at post time, but was later determined to be spam, it
> could easily be cleaned up.

This is an interesting one, and a role most naturally played by an
aggregator / remixer such as Technorati -- or Six Apart, for that
matter! You could send out "anti-pings" (as in "ping plus anti-ping
makes matter go away") in this case.

Lots of interesting stuff that can be done ...

Cheers,

Johannes.

Johannes Ernst
NetMesh Inc.

  http://netmesh.info/jernst
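
Added example, not part of either message and not code from the list participants: a Python sketch of the receiver B discussed in this thread, which ignores who delivered a ping, checks each feed entry's signature against the identity it claims, holds unknown identities for moderation, and re-checks published entries later. The function names, identity URLs and the toy textbook-RSA signing (standing in for whatever signature scheme a feed would really carry) are assumptions.

```python
import hashlib

# Toy textbook RSA over known Mersenne primes: illustration only, NOT secure.
def make_key(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(content, n):
    return int.from_bytes(hashlib.sha256(content.encode()).digest(), "big") % n

def sign(key, content):
    return pow(digest(content, key["n"]), key["d"], key["n"])

def verify(pub, content, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(content, pub["n"])

def decide(entry, public_keys, distrusted):
    """B's decision for one feed entry; who sent the ping is never consulted."""
    ident = entry.get("identity")
    pub = public_keys.get(ident)
    if pub is None or "sig" not in entry:
        return "moderate"   # unsigned or unknown identity: hold for review
    if not verify(pub, entry["content"], entry["sig"]):
        return "reject"     # claims an identity it cannot prove
    return "reject" if ident in distrusted else "publish"

def recheck(published, public_keys, distrusted):
    """Periodic sweep: ids to clean up once an identity is later judged spam."""
    return [e["id"] for e in published
            if decide(e, public_keys, distrusted) != "publish"]

# Constructed sample data: identity URLs, keys and entries are made up.
C1 = "https://c1.example/"
KEY_C1 = make_key(2**61 - 1, 2**89 - 1)
KEY_NEW = make_key(2**107 - 1, 2**127 - 1)
PUBLIC = {C1: {"n": KEY_C1["n"], "e": KEY_C1["e"]}}   # B holds public parts only

def demo():
    post = {"id": "p1", "identity": C1, "content": "New post at C1"}
    post["sig"] = sign(KEY_C1, post["content"])
    remixed = dict(post)    # remixer A forwards the entry, signature preserved
    altered = dict(post, id="p2", content="Buy pills")   # body changed in transit
    unknown = {"id": "p3", "identity": "https://new.example/",
               "content": "hi", "sig": sign(KEY_NEW, "hi")}
    first = [decide(e, PUBLIC, set()) for e in (remixed, altered, unknown)]
    later = recheck([remixed], PUBLIC, distrusted={C1})
    return first, later

if __name__ == "__main__":
    print(demo())
```

The remixed entry is accepted on the strength of C1's signature alone, and the later sweep flags it once C1's identity lands on the distrust list.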




