Targeting Spec - Last Call
James M Snell
stable. There are implementations available. I think it's time to put
a bow on it and call it done officially.
Evan Prodromou
starting to deal with limited distribution of activity streams data
over PubSubHubbub for OStatus.
1) Typical semantics of "mentioning" someone on a social network are
that the posted object is distributed to the person mentioned as well
as the author's followers. So, a Twitter post like "@jsnell hello"
would go to user @jsnell as well as all followers.
Does this secondary audience need to be made explicit? If so, how? If
not explicit, I think it would be coded like...
{"to": [{objectType: "person", id: "acct:jsn...@example.com"}]}
If explicit, maybe something like:
{"to": [{objectType: "person", id: "acct:jsn...@example.com"}],
"cc": [{objectType: "group", id: "followers-of-evan"}]
}
? Some networks also make a "public" stream for the site available, so
something like:
{"to": [{objectType: "person", id: "acct:jsn...@example.com"}],
"cc": [{objectType: "group", id: "followers-of-evan"},
{objectType: "group", id: "everyone-on-this-site"}]
}
... or even:
{"to": [{objectType: "person", id: "acct:jsn...@example.com"}],
"cc": [{objectType: "group", id: "followers-of-evan"},
{objectType: "group", id: "everyone-on-this-site"}],
{objectType: "group", id: "everyone-in-the-world"}]
}
Another option is to explicitly list all followers, which might be
tractable for small numbers of followers but falls down with 1M+
follower accounts on some popular systems.
2) If audiences are explicit, there's an implicit ACL in the targeting
-- by analogy with email, where it's unusual to allow a user to view a
message that was not addressed to them. (Auditing and administration
being the main exception here -- email list archives being a secondary
one.)
It would be useful to either call this out ("Processors SHOULD NOT
show activities to people who aren't in the audience"), or explicitly
disclaim it ("Audience != ACL").
3) It's not clear what to do with an activity that has no audience
specification. It could mean either a) this isn't targeted to anyone
b) it's targeted to some system default (followers, the whole site,
the public), or c) the processor doesn't support targeting.
It may be useful to call out a default secondary audience when no
targeting is specified, e.g. "my followers".
Thanks,
-Evan
James M Snell
> Oh, cool. So, I'm particularly interested in this issue as we're
> starting to deal with limited distribution of activity streams data
> over PubSubHubbub for OStatus.
>
> 1) Typical semantics of "mentioning" someone on a social network are
> that the posted object is distributed to the person mentioned as well
> as the author's followers. So, a Twitter post like "@jsnell hello"
> would go to user @jsnell as well as all followers.
>
> Does this secondary audience need to be made explicit? If so, how? If
> not explicit, I think it would be coded like...
>
> {"to": [{objectType: "person", id: "acct:jsn...@example.com"}]}
>
> If explicit, maybe something like:
>
> {"to": [{objectType: "person", id: "acct:jsn...@example.com"}],
> "cc": [{objectType: "group", id: "followers-of-evan"}]
> }
>
In this case, I think targeting the secondary audience would be
optional but yes, that's how it would be done.
> ? Some networks also make a "public" stream for the site available, so
> something like:
>
> {"to": [{objectType: "person", id: "acct:jsn...@example.com"}],
> "cc": [{objectType: "group", id: "followers-of-evan"},
> {objectType: "group", id: "everyone-on-this-site"}]
> }
>
> ... or even:
>
> {"to": [{objectType: "person", id: "acct:jsn...@example.com"}],
> "cc": [{objectType: "group", id: "followers-of-evan"},
> {objectType: "group", id: "everyone-on-this-site"}],
> {objectType: "group", id: "everyone-in-the-world"}]
> }
Yes. I would recommend using the "alias" extension property instead of
id tho. The "alias" is something that was discussed on list a couple
of months ago. I just remembered this morning that I needed to add it
to the spec... I've done so now.. It would look like...
{"to": [{objectType: "person", id: "acct:jsn...@example.com"}],
"cc": [{objectType: "group", id: "followers-of-evan"},
{objectType: "group", alias: "@all"}],
{objectType: "group", alias: "@world"}]
}
Or something along those lines.. the value of the alias is some fairly
system specific alias for the object in lieu of using an explicit ID.
>
> Another option is to explicitly list all followers, which might be
> tractable for small numbers of followers but falls down with 1M+
> follower accounts on some popular systems.
Using groups would be ideal, yes.
>
> 2) If audiences are explicit, there's an implicit ACL in the targeting
> -- by analogy with email, where it's unusual to allow a user to view a
> message that was not addressed to them. (Auditing and administration
> being the main exception here -- email list archives being a secondary
> one.)
>
> It would be useful to either call this out ("Processors SHOULD NOT
> show activities to people who aren't in the audience"), or explicitly
> disclaim it ("Audience != ACL").
Disclaiming it would be good. The targeting information is meant to
express the intent of the sender not necessarily control what the
recipient does with it (with clear exception of bto and bcc handling).
>
> 3) It's not clear what to do with an activity that has no audience
> specification. It could mean either a) this isn't targeted to anyone
> b) it's targeted to some system default (followers, the whole site,
> the public), or c) the processor doesn't support targeting.
>
> It may be useful to call out a default secondary audience when no
> targeting is specified, e.g. "my followers".
I would rather leave this up to the implementation. Like I said, the
targeting information is meant only to express the intent of the
sender. It's up to the implementation to figure out how to actually
handle the activity, including selection of the default audience.
>
> Thanks,
>
> -Evan
>
> --
> You received this message because you are subscribed to the Google Groups "Activity Streams" group.
> To post to this group, send email to activity...@googlegroups.com.
> To unsubscribe from this group, send email to activity-strea...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/activity-streams?hl=en.
>
Bob Wyman
Martin Atkins
> If the intent is to submit this draft to the IETF, then I would suggest
> that Section 4 (The "Alias Object") needs additional work. My concern is
> that IETF documents are supposed to facilitate inter-working between
> systems, yet, as drafted, the "alias" feature seems inherently
> single-system in its definition and thus no useful interworking is possible.
I suppose it depends on what you mean by "system".
The intent as I understood it was to define a syntax for referring to
"well-known" objects, but leave the definition to be defined by other
specifications.
So, to take an example, OStatus (a protocol that builds upon Activity
Streams) can define a set of well-known objects that are defined for all
systems implementing OStatus. It is the Targeting Spec that defines the
syntax but the OStatus spec that defines the meaning.
Since Activity Streams is merely a serialization format and not a
messaging or notification protocol I think this is the right separation
of concerns.
Laurent-Walter Goix
target referring to? The actor's alias? Or the one where the activity
is posted (eg in opensocial posting on someone else's stream). In the
case the group of followers for example may be different. But maybe
this has already been addressed at that time: James could you point to
that thread?
What would be the semantic difference between using this alias into a
single "target" or into a "to"? I understand there may be multiple to
whilst there may be at most one target. Is this difference related to
some default behaviour like evan was mentioning? Eg target only goes
there, whilst the 'to' is more like a mention than an exclusive/
restricted set of recipients?
Also, my apologies if I missed it but is there any atom counterpart of
this extension? (eg for pubsub or salmon)
Walter
On 5 mar, 18:07, James M Snell <jasn...@gmail.com> wrote:
Bob Wyman
- Readers might concluded that a tag URI that only specifies year is sufficient when identifying individuals... This would be unfortunate. Would you consider wasting a few bytes to expand the temporal specificity of the tag URIs to at least provide "day of year" resolution? For instance, instead of "tag:example.org,2011:bob" use "tag:example.org,2011/08/18:bob".
- It would be useful to show something other than a tag URI as an identifier. Consider, for example, a web-finger id such as acct:b...@example.com or an email identifier such as mailto:b...@example.com
James M Snell
> On 03/05/2012 10:58 AM, Bob Wyman wrote:
>>
>> If the intent is to submit this draft to the IETF, then I would suggest
Not IETF... published on activitystrea.ms website... under OWFa terms...
>> that Section 4 (The "Alias Object") needs additional work. My concern is
>> that IETF documents are supposed to facilitate inter-working between
>> systems, yet, as drafted, the "alias" feature seems inherently
>> single-system in its definition and thus no useful interworking is
>> possible.
The alias is necessarily system-specific. Martin's response is right
on, the alias is to allow references to semantically well-known
objects, e.g. "a group of friends", "a group of followers", "everyone
in the world", etc. Specifications such as OStatus or OpenSocial can
define the specific alias values or they can be defined by specific
systems. As far as the syntax is concerned, the specific meaning and
use is not important.
>
>
> I suppose it depends on what you mean by "system".
>
> The intent as I understood it was to define a syntax for referring to
> "well-known" objects, but leave the definition to be defined by other
> specifications.
>
> So, to take an example, OStatus (a protocol that builds upon Activity
> Streams) can define a set of well-known objects that are defined for all
> systems implementing OStatus. It is the Targeting Spec that defines the
> syntax but the OStatus spec that defines the meaning.
>
> Since Activity Streams is merely a serialization format and not a messaging
> or notification protocol I think this is the right separation of concerns.
>
>
James M Snell
processing the activity is responsible for interpreting the value of
the alias based on whatever context information it has available and
the specific definition it assigns to the alias. For instance, if I
said:
POST /foo HTTP/1.1
Host: example.org
Authentication: bearer 213123123
{
"to" : [ {"alias":"@friends"} ],
"actor" : [ {"alias":"@me"} ],
"object" : {"objectType":"note","content":"foo"},
"verb" : "post",
"target" : {"objectType":"wall","id":"http://example.org/wall/foo"}
}
The system receiving this has to make a determination about whether it
understands what "alias":"@friends" means within the context of this
request. It's up to the system to figure that out but in general, the
reasonable interpretation of this post is that the @friends will be
interpreted as my group of friends as known to the system. If the
system is unable to determine the meaning of "@friends" it can choose
to reject the POST.
Use of alias is necessarily system specific because it will be up to
the system to interpret the alias and link that back to a concrete
object.
- James
James M Snell
Bob Wyman
Martin Atkins
> James,
> I have been assuming, perhaps incorrectly, that Activity Streams can be
> aggregated. By this I mean that we should be able to construct the
> equivalent of the synthetic feeds familiar to RSS and Atom users. These
> feeds would combine together the content of many streams into one or
> more synthetic streams. But, when reading your comments and those of
> others, I can't help thinking that when you say things like "it can
> choose to reject the POST" that you are only interested in
> point-to-point data exchange (i.e. the sort of stuff that is modeled by
> a single POST) rather than the potentially multi-hop distribution of
> data that we work with in the world of syndicated feeds.
I think it's valid to say that the "alias" feature is a point-to-point
one: it relies on some shared context between the sender and the recipient.
The use-cases around aliases are largely about eliding some data that is
already known to both sender and recipient as a form of data
compression. I'd expect that if that data were then re-published it
would either have the alias objects expanded into the underlying
fully-qualified object or there would be a different set of aliases that
is meaningful for that second hop.
> Am I wrong in thinking that I should be able to aggregate and syndicate
> Activity Streams? The reason I ask is that if I can, in fact, aggregate
> them, then I also assume that I can aggregate or syndicate the
> aggregations. The result will be that the processor of any particular
> activity may not have much information about the system that actually
> generated any particular activity and thus not have enough context to be
> able to determine the scope of an identifier.
In the general yes, it is possible to aggregate activity streams.
For aliases I expect that the aliases would be resolved and replaced
with the underlying object before re-publishing, unless the publisher
knows (based on a contract established by a higher-layer protocol) that
the recipient will be able to understand the aliases.
Bob Wyman
On 03/05/2012 12:32 PM, Bob Wyman wrote:I think it's valid to say that the "alias" feature is a point-to-point one: it relies on some shared context between the sender and the recipient.
James,
I have been assuming, perhaps incorrectly, that Activity Streams can be
aggregated. By this I mean that we should be able to construct the
equivalent of the synthetic feeds familiar to RSS and Atom users. These
feeds would combine together the content of many streams into one or
more synthetic streams. But, when reading your comments and those of
others, I can't help thinking that when you say things like "it can
choose to reject the POST" that you are only interested in
point-to-point data exchange (i.e. the sort of stuff that is modeled by
a single POST) rather than the potentially multi-hop distribution of
data that we work with in the world of syndicated feeds.
The use-cases around aliases are largely about eliding some data that is already known to both sender and recipient as a form of data compression. I'd expect that if that data were then re-published it would either have the alias objects expanded into the underlying fully-qualified object
or there would be a different set of aliases that is meaningful for that second hop.In the general yes, it is possible to aggregate activity streams.
Am I wrong in thinking that I should be able to aggregate and syndicate
Activity Streams? The reason I ask is that if I can, in fact, aggregate
them, then I also assume that I can aggregate or syndicate the
aggregations. The result will be that the processor of any particular
activity may not have much information about the system that actually
generated any particular activity and thus not have enough context to be
able to determine the scope of an identifier.
For aliases I expect that the aliases would be resolved and replaced with the underlying object before re-publishing, unless the publisher knows (based on a contract established by a higher-layer protocol) that the recipient will be able to understand the aliases.
--
You received this message because you are subscribed to the Google Groups "Activity Streams" group.
To post to this group, send email to activity-streams@googlegroups.com.
To unsubscribe from this group, send email to activity-streams+unsubscribe@googlegroups.com.
James M Snell
Bob,
Perhaps if alias were defined as either a path segment or fully qualified uri? Would that address the concern? The single path segment would allow for the simplified "@whatever" pattern that is resolved relative to some system specific context and the full uri option would allow for scoping as you suggest.
To post to this group, send email to activity...@googlegroups.com.
To unsubscribe from this group, send email to activity-strea...@googlegroups.com.
Bob Wyman
James M Snell
Note that, in the targeting spec, the to, cc, bcc and bto properties
are defined in terms of an array of Objects... meaning any type of AS
Object, not just people or groups. Imagine, for instance, we someone
were to define a "Filter" objectType that did precisely the kind of
thing you're suggesting... e.g.
{
"to": [
{"objectType":"filter",
"objectTypes":["person"],
"filters":[
{"objectType":"place",
"position":"+12.123+123.123",
"radius":"10",
"radius-unit":"miles"}
]
],
...
}
This would be a perfectly valid use of the audience targeting
extensions and makes the mechanism extremely flexible long term. Of
course, standardization of the objectTypes would be most desirable but
that's a separate issue from the syntax.
- James
Bob Wyman
Bob,
Note that, in the targeting spec, the to, cc, bcc and bto properties
are defined in terms of an array of Objects... meaning any type of AS
Object, not just people or groups. Imagine, for instance, we someone
were to define a "Filter" objectType that did precisely the kind of
thing you're suggesting... e.g.
{
"to": [
{"objectType":"filter",
"objectTypes":["person"],
"filters":[
{"objectType":"place",
"position":"+12.123+123.123",
"radius":"10",
"radius-unit":"miles"}
]
],
...
}
This would be a perfectly valid use of the audience targeting
extensions and makes the mechanism extremely flexible long term. Of
course, standardization of the objectTypes would be most desirable but
that's a separate issue from the syntax.
James M Snell
Yes.. Yes it would.
James M Snell
http://activitystrea.ms/specs/json/targeting/1.0/
Specific updates:
- Language that clarifies that any objectType can be used.
- Define "alias" as either a single path segment or fully qualified IRI
- Language that warns that the use of single path segment aliases are
ambiguous and are recommended only when the communicating parties
share a common understanding of their meaning.
- Language clarifying that there is no spec-defined default primary or
second audience in the absence of targeting properties.
- James
Laurent-Walter Goix
the fully-qualified iri as group "alias" resolves the ambiguity issue
so that it becomes clear whose "friends" (or other) i am talking
about, also in a distributed context. As a side question in this case
would it make sense to reuse the standard "id" property and keep alias
only for this "non uri"/ambiguous value?
if i understood the new wording properly:
- the case of Evan's related to "mentions" is covered by using the
"to" property to draw attention
- the other case related to "restricted distribution" of content is
covered using the "bto" (or "bcc") property that would automatically
make the specific activity accessible *only* to that audience. in this
case it would be essential that recipients (eg servers) of activities
containing this extension do support it indeed, in order to avoid
privacy issues when storing/forwarding that activity and make it
available to others
am i right?
thank you again
walter
On Mar 6, 1:26 am, James M Snell <jasn...@gmail.com> wrote:
> Ok... Updated draft based on the feedback given here..
>
> http://activitystrea.ms/specs/json/targeting/1.0/
>
> Specific updates:
>
> - Language that clarifies that any objectType can be used.
> - Define "alias" as either a single path segment or fully qualified IRI
> - Language that warns that the use of single path segment aliases are
> ambiguous and are recommended only when the communicating parties
> share a common understanding of their meaning.
> - Language clarifying that there is no spec-defined default primary or
> second audience in the absence of targeting properties.
>
> - James
>
>
>
>
>
>
>
>
> > Yes.. Yes it would.
>
> > On Mar 5, 2012 4:17 PM, "Bob Wyman" <b...@wyman.us> wrote:
>
Daniel E. Renfer
message with ACL rules for that same message. Adding recipient
information to an activity should indicate that that message should be
delivered to those recipients (in addition to normal routing rules) and
that that post should have a slightly higher visibility than the normal
post.
If I @-reply a user, they automatically are pushed a copy, and depending
on the system, are sent an email notification, have a pop-up message
displayed, or have that message routed to special purpose streams. (A
user's "mentioned" feed)
So you would only cc the "public" stream if you wish that message to be
brought to the attention of all the subscribers of that stream.
Assuming I see an alias in an activity, how would I discover more
information about that group? This may be out of scope, but would there
be something similar to webfinger lookup that would allow me to get the
meaning of the alias? Enumerating the users in that group can be
problematic for the reasons Evan stated. (Good luck listing all the
followers of identi.ca's public stream.)
James M Snell
<laurentwa...@gmail.com> wrote:
> thank you james for the update that greatly improves the spec.
>
> the fully-qualified iri as group "alias" resolves the ambiguity issue
> so that it becomes clear whose "friends" (or other) i am talking
> about, also in a distributed context. As a side question in this case
> would it make sense to reuse the standard "id" property and keep alias
> only for this "non uri"/ambiguous value?
>
The "id" property would be used to express a specific globally unique
id for a particular item, while the "alias" is intended to express a
well-known "common" label that may necessarily be unique in it's own
right. For instance, within the OpenSocial standard, there's a notion
of using the @me and @friends labels within a URI... Imagine the
following case:
{
"to": [
{
"objectType":"group",
"id":"http://example.org/api/groups/abc123xyz456",
"alias":"http://example.org/api/people/@me/@friends"
}
]
}
This example is a bit contrived as there generally wouldn't be much of
a need to specify both the id and alias in a single object like this
within the "to" property, but it illustrates the point. The @me in the
URI is dependent entirely on the authentication context. The group
represented by the alias "http://example.org/api/people/@me/@friends"
has a distinct globally unique id
"http://example.org/api/groups/abc123xyz456". Given a different
authenticated user, the same alias could map to a different globally
unique id.
James M Snell
> I think it's best not to conflate targeting a user as a recipient of a
> message with ACL rules for that same message. Adding recipient
> information to an activity should indicate that that message should be
> delivered to those recipients (in addition to normal routing rules) and
> that that post should have a slightly higher visibility than the normal
> post.
>
> If I @-reply a user, they automatically are pushed a copy, and depending
> on the system, are sent an email notification, have a pop-up message
> displayed, or have that message routed to special purpose streams. (A
> user's "mentioned" feed)
>
> So you would only cc the "public" stream if you wish that message to be
> brought to the attention of all the subscribers of that stream.
>
+1 to all this...
> Assuming I see an alias in an activity, how would I discover more
> information about that group? This may be out of scope, but would there
> be something similar to webfinger lookup that would allow me to get the
> meaning of the alias? Enumerating the users in that group can be
> problematic for the reasons Evan stated. (Good luck listing all the
> followers of identi.ca's public stream.)
This is out of scope for this particular spec. Other specifications
that define aliases (e.g. OpenSocial with it's notions of @friends,
@all, etc) can provide means of resolving those aliases back to their
specific aliased objects. E.g. hypothetically, if I'm using OpenSocial
(just for example) and I have an "alias":
"http://example.org/api/people/@me/@friends".. then I would know to
use whatever mechanism OpenSocial provides for resolving information
about that particular alias.
- James
Laurent-Walter Goix
On Mar 6, 4:50 pm, James M Snell <jasn...@gmail.com> wrote:
>
> The "id" property would be used to express a specific globally unique
> id for a particular item, while the "alias" is intended to express a
> well-known "common" label that may necessarily be unique in it's own
> right. For instance, within the OpenSocial standard, there's a notion
> of using the @me and @friends labels within a URI... Imagine the
> following case:
>
> {
> "to": [
> {
> "objectType":"group",
> "id":"http://example.org/api/groups/abc123xyz456",
> "alias":"http://example.org/api/people/@me/@friends"
> }
> ]
>
> }
>
Laurent-Walter Goix
On Mar 6, 4:53 pm, James M Snell <jasn...@gmail.com> wrote:
>
> > I think it's best not to conflate targeting a user as a recipient of a
> > message with ACL rules for that same message. Adding recipient
> > information to an activity should indicate that that message should be
> > delivered to those recipients (in addition to normal routing rules) and
> > that that post should have a slightly higher visibility than the normal
> > post.
>
> > If I @-reply a user, they automatically are pushed a copy, and depending
> > on the system, are sent an email notification, have a pop-up message
> > displayed, or have that message routed to special purpose streams. (A
> > user's "mentioned" feed)
>
> > So you would only cc the "public" stream if you wish that message to be
> > brought to the attention of all the subscribers of that stream.
>
> +1 to all this...
addition to normal routing/distribution/audience), and "to" (or "bto")
for exclusive distribution (the only difference being that in one case
those recipients will see each other names, in the second not).
otherwise how can i address this "restricted" targeting (in lieu of
the normal routing etc)?
walter
James M Snell
Primary Audience and "cc" identifies the Secondary Audience. The
differences can be subtle... it can also be somewhat system
specific...
If I mention you in a note posted to my wall, I would consider you to
be part of the primary audience. All of my followers are the secondary
audience... e.g.
{
"to": [ {"displayName":"Laurent-Walter Goix"} ],
"cc": [ {"alias":"@followers"} ],
"verb" : "post",
"actor": { "alias":"@me" },
"object" : { "objectType":"note","content":"..." }
"target" : { "objectType":"wall", "id":"..." }
}
If, however, I mention you in a private note I'm sending to someone
else, the intending recipient is the primary audience and you are the
secondary (like cc'ing you on an email)
{
"cc": [ {"displayName":"Laurent-Walter Goix"} ],
"verb" : "send",
"actor": { "alias":"@me" },
"object" : { "objectType":"note","content":"..." }
"target" : {"displayName":"Bob Smith"}
}
(Note that in this example, the to can be omitted since the primary
audience is implicit in the target)
In either case, you're being mentioned, but the specific way you're
targeted (to or cc) is different.
For your "restricted targeting".. I'm not quite sure I understand what
you're aiming at, but for each activity, you need to identify the
Primary and Secondary Audiences and go from there.
- James
Bob Wyman
- Does the Targeting spec provide all of what Activity Streams may need for Access Control? It seems to me that a more fully worked ACL specification might provide, for instance, for a variety of roles in addition to that of "primary" and "secondary" audience. One might, for instance, wish to define a "redistributor" role (Authorizing redistribution of the activity), etc.
- The spec doesn't actually explicitly say whether or not a targeted message MAY be delivered to someone not identified as a target... Does this indicate that its ACL-like functions are limited to handling of BTO and BCC cases? (i.e. The only explicit "Access Control" required in the spec concerns access to the contents of the BTO or BCC lists which "MUST" be removed.)
- Would a system that either intentionally or accidentally violated the rule that it "MUST remove addresses" be considered to have violated some "licensing" specification and thus create a legal cause of action for the publisher of the mishandled activity? (Note: See recent discussion on Google+ concerning James Snell's Link Relation types.) Does the Targeting spec tread the dangerous ground of suggesting to some that enforceable licensing semantics have been added to ActivityStreams?
- Similarly, would a system that allowed a non-targeted reader to access a targeted activity (even if BTOs and BCCs are removed) be considered to have violated some license?
Ok, the Targeting Spec [1] has been out there for a while and is
stable. There are implementations available. I think it's time to put
a bow on it and call it done officially.
[1] http://activitystrea.ms/specs/json/targeting/1.0/
James M Snell
> Address/Targeting lists (composed of To:, CC:, etc.) are, of course, simply
> the push-based doppelgangers of the Access Control Lists that we often find
> in pull-based environments. The two concepts are semantically identical at
> their core: Roles are specified and processors are directed to vary message
> access based on role... The difference is largely found in the context of
> use and language used to describe the concepts -- but these are not
> essential differences. And, of course, whenever we have rules controlling
> distribution or access rights, we often have questions concerning legal
> rights and causes of action. This leads to at least a few questions:
>
> Does the Targeting spec provide all of what Activity Streams may need for
> Access Control? It seems to me that a more fully worked ACL specification
I would say definitely not...
> might provide, for instance, for a variety of roles in addition to that of
> "primary" and "secondary" audience. One might, for instance, wish to define
> a "redistributor" role (Authorizing redistribution of the activity), etc.
> The spec doesn't actually explicitly say whether or not a targeted message
> MAY be delivered to someone not identified as a target... Does this indicate
> that its ACL-like functions are limited to handling of BTO and BCC cases?
> (i.e. The only explicit "Access Control" required in the spec concerns
> access to the contents of the BTO or BCC lists which "MUST" be removed.)
> Would a system that either intentionally or accidentally violated the rule
> that it "MUST remove addresses" be considered to have violated some
> "licensing" specification and thus create a legal cause of action for the
Given that the targeting properties are optional extensions it stands
to reason that there will be plenty of Activity Streams
implementations that do not "properly" handle the bto and bcc
requirements (as is acknowledged in the Security Considerations in the
draft). Entities that are producing and sending activities with
explicit targeting information, especially using bto/bcc, need to be
aware of where they're sending those things and how they're likely to
be handled by the recipient.
The inclusion of targeting properties is not a restriction as to who
can see the activity. It's metadata that helps software figure out how
to intelligently route and handle the activity (e.g. who to notify,
how to notify, etc). If I POST a targeted activity to a public,
world-readable stream that does not support the targeting properties,
then I need to expect that everyone in the world is going to be able
to see it...
> publisher of the mishandled activity? (Note: See recent discussion on
> Google+ concerning James Snell's Link Relation types.) Does the Targeting
> spec tread the dangerous ground of suggesting to some that enforceable
> licensing semantics have been added to ActivityStreams?
> Similarly, would a system that allowed a non-targeted reader to access a
> targeted activity (even if BTOs and BCCs are removed) be considered to have
> violated some license?
No. Absolutely not.
James M Snell
---
Implementations are free to use what they know about an activity's
Primary and Secondary audiences to determine access, change and
redistribution controls for the activity (e.g. limiting who is able to
see the activity). However, the mere presence of targeting properties
does not imply that distribution of the activity is limited to only
explicitly targeted entities. Audience targeting information included
within an Activity using these mechanisms is intended only to express
the intent of the entity creating the activity. With clear exception
given to the appropriate handling of "bto" and "bcc", this
specification leaves it up to individual implementations to determine
how the audience targeting information is to be utilized. Further, in
the absence of any targeting information within an Activity, this
specification does not define any default primary or secondary
audience. The selection of default primary or secondary audiences is
solely at the discretion of the implementation.
---
Basically, this leaves access control entirely up to the
implementation. The targeting properties express the original intent
of the creator, but they don't restrict distribution.
- James
On Tue, Mar 6, 2012 at 9:05 AM, Bob Wyman <b...@wyman.us> wrote:
Bob Wyman
Laurent-Walter Goix
As i need to identify private activities, iwouldrather use target
alias @me than any of the targeted audience properties in that case...
Walter
Laurent-Walter Goix
> alias @me than any of the targeted audience properties in that case...
about acl...
i do want to define the privacy level of the content i post. using the
"target" is no good idea as i could post to an album (target) but
still would like to have some way to indicate that this picture is
restricted to my best friends only, my family, etc and not to all my
followers (or even public to the world)
it seems that neither AS, nor OpenSocial spec has the solution at this
stage: in AS he closest i can get is if the "to" is used as exclusive
audience (not "in addition to the default", unless the default is
"private" :) ). in OS it may be POSTing to other than @self, but this
is limited too...
any hint on how to solve this?
thanks
walter
PS: since the to/bto/cc/bcc is quite distinct from the "alias"
concept, would it make sense to split the spec in 2? or make the alias
part of a new version of the core spec?