I've said it before and I'll say it again, AP is really just a crossgrade from OStatus in terms of real security

the addressing is nice but side effects from using the addressing are underspecified

when it comes to security, underspecification is the devil's workshop

@kaniini what should we do about it? many of these underspecifications were intentional, such as in anticipation of usage over non-http protocols, which leaves me wondering what we as devs are supposed to do about the practical hindrances they cause.

@garbados well I suggest returning to the present and then if we have other protocols to use later, talk about it then


> return to the present

like, flesh out the spec for http environments, worry about non-http later? sounds great. i guess that punts the issue back to the spec authors.

@garbados that's basically what litepub is about ;)

@kaniini hehe

good to hear more good things about litepub :)


but unfortunately, to provide the security guarantees people want, AP needs radical overhaul anyway. everything needs to become OCAP for example. everything needs to be properly authenticated.


and *real* signature proof schemes need to be implemented instead of crap like LDSigs (whose signatures will stay with you even until you're 90 and in a home)


(yes, blind key rotation is a partial solution for the LDSigs problem, but it’s only a partial solution)

@kaniini OCAP like ?

some of this is going over my head but i cherish your efforts and expertise in these matters, and i look forward to what it will mean for things like litepub


Object CAPabilities.

@kaniini oh, i see! reading up on it now