I'm looking for more community input. I'm trying to work on the
problems associated with accessing protected social networking
resources in an open/Diso fashion across social-network boundaries.
For example, how could I use my Facebook account to ask a user on
Twitter for permission to view his/her private feed? (Note, this is
somewhat of a continuation of this discussion from last year:
http://groups.google.com/group/diso-project/browse_thread/thread/d1db43fb1151e2f3/fddc0936571e0b44)
More specifically--what specifications/protocols would be involved?
How does the initial invitation occur in a cross-social network
environment? How does access actually get "granted"? Rescinded?
What is granted as part of that access? How would I actually go about
accessing the protected resource?
From a pragmatic perspective, some follow-on questions would be:
should this be standardized in a single place? Or is the answer just,
"go use existing protocols"? If so, which ones? Would a best-
practices document make sense here? Is there a single "best way" to
access a person's private photos in an open-protocol fashion, for
example? What about a private micro-blog?
Currently I'm working to specify the "invitation" part of this whole
process (http://oinvite.net). But that's just one piece, and OInvite
might not even be the best way to accomplish the initial invitation.
So, I'd like to get some broader perspective and ideas, and possibly
start a discussion surrounding private resource access (my feeling is
this is going to be a crucial piece in any open/distributed social
networking model).
Thanks for chiming in!
David
######################################
[One Way to do Private Resource Access]
######################################
[The Protected Resource]: Beth's Private Micro-Blog Feed (or picture
stream, etc)
[The Flow]
1.) jo...@example.com sends be...@microblog.net a request to view her
protected resource (I view this as an invitation to begin
"communicating" in a more general sense). The resource is
http://twitterplusplus.com/beth.
2.) Beth's server responds with an acceptance to John that contains
some OAuth keys.
3.) John's server accesses Beth's protected feed on behalf of John.
4.) John reads the protected feed in his aggregator or directly or
however.
[This flow is pretty simplistic, but it touches lots of different
protocols]
Somebody claiming to be sappenin wrote:
> I'm looking for more community input. I'm trying to work on the
> problems associated with accessing protected social networking
> resources in an open/Diso fashion across social-network boundaries.
> For example, how could I use my Facebook account to ask a user on
> Twitter for permission to view his/her private feed? (Note, this is
> somewhat of a continuation of this discussion from last year:
> http://groups.google.com/group/diso-project/browse_thread/thread/d1db43fb1151e2f3/fddc0936571e0b44)
This is basically the use case that OAuth was set up to solve.
> Currently I'm working to specify the "invitation" part of this whole
> process (http://oinvite.net). But that's just one piece, and OInvite
> might not even be the best way to accomplish the initial invitation.
I IM you / email you / contact you in whatever way you prefer and say "hey,
add me to the list of people allowed to see X"
I auth to your site (or, if reading via feed/API, OAuth) and poof!
This is the sort of model I built the DiSo Permissions plugin around.
In practise, it's hard to test, because I have very little data that I care
to share on the web which I want to be private :)
- --
Stephen Paul Weber, @singpolyma
Please see <http://singpolyma.net> for how I prefer to be contacted.
edition right joseph
--
You received this message because you are subscribed to the Google Groups "Diso Project" group.
To post to this group, send email to diso-p...@googlegroups.com.
To unsubscribe from this group, send email to diso-project...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/diso-project?hl=en.
Your twitter page is contact info that can go on the whitelist :-)
Sent from my Android phone. Topposted :-(
On Mar 27, 2010 3:34 PM, "David Fuelling" <sapp...@gmail.com> wrote:
2010/3/26 Stephen Paul Weber <singp...@singpolyma.net>
> > Somebody claiming to be sappenin wrote: > > I'm looking for more community input. I'm trying t...
Great points! In the spirit of lively discussion, allow me to push back a bit.
OAuth works great when you control access to the 2 OAuth touch-points: your app and the service your app is accessing. However, in my example above, there are two people controlling two different touch points, so there is an additional actor in the mix (and a slightly different access route). To make my example work with OAuth, there needs to be a way to get "my" OAuth tokens to my "friend" so my friend can access the resource. That's one of the problems OInvite is meant to help solve.
Of course, to your points below, one way to do all this is via a whitelist. But this is problematic for two other reasons:
First, what if I don't have any contact info for you except your Twitter page saying, "push this button to request access to this private feed"? (Assume maybe we were college roommates and haven't talked for a while, but that you would likely grant me access). I may not be able to easily contact you in any great way except, in my Twitter example, by signing up to Twitter and then clicking that button (which goes against what I'm trying to enable via this thread).
Second, if I do have your contact information (e.g., your email address), there will be issues for "regular people" (read: My mom or Grandma) who aren't savvy enough to truly know the difference between their various identifiers. For example, my mom may email me from "m...@gmail.com", and ask me to whitelist her on my Twitter feed. However, when she logs into Facebook using her userid "mom" and password, and then tries to access my Twitter feed, it won't work because she doesn't realize there are actually two different OpenIDs in the mix (one from Facebook and one from Gmail).
In my opinion, it would be much better to have a standardized way to exchange either the identity that I want whitelisted, or else the authorization tokens that will give me access, or both in a standard way from within whatever app I'm using (again, that's OInvite).
> > > Currently I'm working to specify the "invitation" part of this whole > > process (http://oinv...
Per my comments above, this will work, but not well in all situations.
Oh, I see... well, when you contact your friend you'll have to give him some id for you, even if the contact msg is sent as a programmatic "Invite"
Sent from my Android phone. Topposted :-(
What specifications/protocols would be involved?
OpenID and OAuth.
How does the initial invitation occur in a cross-social network
environment?
The requestor clicks "follow me" on the target's Twitter page. Twitter
then provides an authorization UI that allows OpenID or Facebook
Connect. The requestor signs in with Facebook Connect and Twitter
follows its normal process.
The target would get the request and allow/disallow it. Twitter would
send a message to Facebook with the response. Facebook would have to
accept it and do something that then allows the requestor to see the
Twitter feed in Facebook.
How does access actually get "granted"?
Twitter and Facebook would have to implement an access UI for each
person to select permissions requested/granted and integrate the data
into showing/providing the Twitter feed.
Rescinded?
Same as above.
What is granted as part of that access?
Per the OAuth spec./implementation.
How would I actually go about accessing the protected resource?
From within a Facebook UI that shows Twitter feeds.
Should this be standardized in a single place? Or is the answer just,
"go use existing protocols"? If so, which ones?
Yes. This should be standardized following the model used for email/
SMTP.
Would a best-practices document make sense here?
Yes in the form of a .org website promoting/marketing the idea.
Is there a single "best way" to access a person's private photos in an
open-protocol fashion, for example?
Is there ever a single best way for anything?
What about a private micro-blog?
This is my preference since I'm developing one (http://get6d.com) but
ultimately, I want to help create the next version of Email, so to
speak.
On Mar 27, 9:52 pm, Chris Messina <chris.mess...@gmail.com> wrote:
> It's true that solving this problem generally is one of the necessary
> achievements that'll need to be in place for true, private,
> distributed social networking to be possible.
>
> However, the solution is neither obvious nor trivial -- especially if
> you expect that people won't need to learn anything new.
>
> We can start by solving the cross-networking messaging problem, but
> ultimately there's very little that can be done to secure the
> transmission of such messages (that are usable and universal).
>
> I think Facebook is out in front of this -- in some ways by pushing
> for less secrecy in the network.
>
> Hard to say how it'll go, but it does seem like something's going to
> have to give to make headway.
>
> Sorry to not have a better solution! :1
>
> Chris
>
> Sent from my iPhone 2G
>
> On Mar 27, 2010, at 1:55 PM, David Fuelling <sappe...@gmail.com> wrote:
>
>
>
> > True, but this is my whole point. If the invite was programmatic,
> > then I could at least contact my friend from the social network I
> > happened to be on.
>
> > 2010/3/27 Stephen Paul Weber <singpol...@singpolyma.net>
> > Oh, I see... well, when you contact your friend you'll have to give
> > him some id for you, even if the contact msg is sent as a
> > programmatic "Invite"
>
> > Sent from my Android phone. Topposted :-(
>
> >> On Mar 27, 2010 3:39 PM, "David Fuelling" <sappe...@gmail.com> wrote:
>
> >> Not if I don't have a Twitter account.
>
> >> 2010/3/27 Stephen Paul Weber <singpol...@singpolyma.net>
How could I use my Facebook account to ask a user on Twitter for
permission to view his/her private feed?
This question needs more details. For instance, do you want to access
the Twitter feed from within Facebook? If so, that would require a
Facebook application in which case, that application would have the
facility to request a person's Twitter feed. Which would also require
that the requestor have a Twitter account. Alas, THIS is the real
problem. Having to have a Twitter account when you already have a
Facebook account. Twitter would have to build the functionality to
treat Facebook users as Twitter users without having a Twitter
account. With current solutions, they'd probably implement OpenID and
OAuth for authorizing and granting access. But again, that involves
Twitter having to do some work which may or may not be in line with
their business goals.
I wanted to add how we've implemented this in 6d. I'm not trying to
plug the implementation. I just think it will contribute positively to
this thread.
We've built an address book just like with Email where you enter the
target's 6d url. When you click on the "follow" button, a POST request
is sent to the target's 6d site with the person's url. The target's 6d
site then displays the request in the target's address book under the
Friend Request group. The target can approve the follow request, which
his site will then send a POST request to the requestor's site with a
generated key. The requestor's site saves that key and uses it to
identify messages coming from the target's site. The relationship is
now established.
Eventually, that key will be used to encrypt and decrypt the messages
going back and forth for further lock down.
Now that the relationship has been established, the requestor and
target can add a post to their site, choosing or not to send it to the
other via their address book, just like Email. The post shows up in
the person's posts view when they're logged into their own site. Right
now, it's a copy of the data (html) that's stored in the person's
database. Images, however, are linked from the target's site so if the
image is deleted, it's no longer accessible unless it was copied by
the requestor. What I'm leaning towards now though is just sending a
notification and having the data and resources requested from the
target's site so the target can then have more control over the
access. I think that will allow for disallowing someone to view that
data or resource.
I know this doesn't answer the question about sharing data across
existing social networks. I really think the urgent question to be
answered is how to get Twitter, Facebook, Google, Yahoo!, Microsoft,
and others to implement sharing facilities within their system because
ultimately, I really believe that's what has to happen.
And after
saying that, they could probably just follow the SMTP model and add an
additional "request to follow" notification via HTTP and be headed in
a GREAT direction. I'm going to go take a look at the SMTP protocol.
Perhaps we just need to extend that over HTTP?
On Mar 30, 8:59 am, David Fuelling <sappe...@gmail.com> wrote:
> I've written a fair amount on this topic here: http://softwareblog.sappenin.com/2009/06/case-for-open-friend-request...
>
> <http://softwareblog.sappenin.com/2009/06/case-for-open-friend-request...>Basically,
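The follow handshake described in the 6d message above (which has the same shape as the request, acceptance-with-keys, access flow in the first post), sketched as an added example that is not 6d's or OInvite's code. It assumes the pull model the 6d author says he is leaning towards, and it assumes the generated key is used as an HMAC key over each fetch, since the thread does not say how the key is applied; the `Site` class, its method names and the sample URLs are hypothetical.

```python
import hashlib
import hmac
import secrets


def _mac(key, follower_url, post_id, nonce):
    msg = f"{follower_url}\n{post_id}\n{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Site:
    """One user's site. Hypothetical model, not 6d's or OInvite's code."""

    def __init__(self, url):
        self.url = url
        self.pending = set()    # follow requests awaiting the owner's decision
        self.granted = {}       # follower URL -> key this site issued
        self.received = {}      # target URL -> key issued to this site
        self.seen_nonces = set()
        self.posts = {}         # post id -> private content

    def request_follow(self, target):
        # Step 1: the requester's site POSTs its own URL to the target's site.
        target.pending.add(self.url)

    def approve(self, requester):
        # Step 2: the owner approves and the site POSTs a generated key back.
        self.pending.remove(requester.url)   # KeyError if nothing was requested
        key = secrets.token_bytes(32)
        self.granted[requester.url] = requester.received[self.url] = key

    def revoke(self, follower_url):
        self.granted.pop(follower_url, None)   # rescinding = deleting the grant

    def sign_fetch(self, target_url, post_id):
        # Step 3: the follower proves key possession without sending the key.
        nonce = secrets.token_hex(8)
        return nonce, _mac(self.received[target_url], self.url, post_id, nonce)

    def serve(self, follower_url, post_id, nonce, mac):
        key = self.granted.get(follower_url)
        if key is None or nonce in self.seen_nonces:
            return None                      # not granted, revoked, or replayed
        if not hmac.compare_digest(_mac(key, follower_url, post_id, nonce), mac):
            return None                      # wrong key or tampered request
        self.seen_nonces.add(nonce)
        return self.posts.get(post_id)


def demo():
    beth, john = Site("https://beth.example"), Site("https://john.example")
    beth.posts["p1"] = "private note"        # constructed sample data
    john.request_follow(beth)
    beth.approve(john)
    nonce, mac = john.sign_fetch(beth.url, "p1")
    first = beth.serve(john.url, "p1", nonce, mac)
    replay = beth.serve(john.url, "p1", nonce, mac)
    beth.revoke(john.url)
    after = beth.serve(john.url, "p1", *john.sign_fetch(beth.url, "p1"))
    return first, replay, after
```

Because the target checks its grant table on every fetch, rescinding access takes effect on the next request, which a model that copies the HTML to the follower's database cannot offer.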
Somebody claiming to be David Fuelling wrote:
> In any event, whether we're reinventing email or trying to make
> social-network resource access something truly open (in the way email is
> today) then we need to start with some protocols to specify some of these
> interactions. The protocols should be restricted to server-to-server
> interactions, with the rest being left up to UI designers.
I'm still not sure how this is different from a message to the user (using
any of the myriad of existing communications tech) saying "please add me to
your whitelist". If you want magic, you could give some recommendations for
extra MIME stuff / microformats in email / extra XMPP components / etc for
the different techs to have a button in the email/IM/SMS that does the
requested action. A wholly new protocol seems worse than overkill.
- --
Stephen Paul Weber, @singpolyma
Please see <http://singpolyma.net> for how I prefer to be contacted.
edition right joseph