Private Posts / Groups

Private Posts / Groups was a session at IndieWeb Summit 2019.

Video: ▶️50:01s

Notes archived from https://etherpad.indieweb.org/shareprivately

IndieWeb Summit 2019
Session: Private Posts and Groups
When: 2019-06-29 16:10

Participants

• Jonathan LaCour
• David Bryant
• Jack Jamieson
• fluffy
• Greg McVerry
• Marty McGuire
• Katie
• nuggit.nu
• Johannes Ernst
• Sam Menza

Notes

Useful prior art:

• private posts

Aaron Parecki has this feature in his CMS, and he implements it by having a post be flagged as private to specified domain names, which represent IndieWeb identities that can see the post if they IndieAuth. Problems with this approach:

• How to handle feeds?
• How to get the original URL of the private post?
• It requires the consumer to use IndieAuth, which they may not be able to
• Sebastiaan Andeweg supports this as well https://seblog.nl/2019/06/28/8/surf-the-web-at-lightning-speed with a very similar feature set.

Groups are another topic of interest, rather than having to specify a list of domains, you could theoretically create a group that could be reused, like “Family” or “Friends.”

How to share access to the content? Links could be emailed that allow access directly. A site could offer usernames and passwords for folks that cannot (currently) use IndieAuth.

Notifications are a big challenge as well. How do you notify someone that content has been shared to them? fluffy views this as the biggest challenge.

• https://indieweb.org/private-webmention describes a method for notifying a site that there's a post that mentions them, and how to authenticate to get access to it site-to-site.

Marty McGuire: Seems to be all of these features are very tied to any given CMS, other than perhaps the concepts of a "Person" (with possible methods to automatically notify them of new posts they can see), and allowlists (for a given post to determine who can see it).

Jonathan LaCour Related: https://indieweb.org/AutoAuth

Jack Jamieson: Important to note what the attack vectors are that could compromise a private system - designing without those in mind likely to lead to problems

Jonathan LaCour: For non-IndieWeb identities, email with magic links might be the best option. (Or other notification mechanisms such as Twitter DMs or whatever.)

• fluffy: This still doesn't handle the use case of backfilling/archived content, though, or handling the follow vs subscribe dichotomy - post

Ryan Barrett suggested “secret” links as an option as well. Not totally secure, but much simpler than alternatives.

See Also

• 2019/Schedule