The other time I wrote about ActivityPub + ocaps was in a proposal to, yes, Twitter's Bluesky process in 2020 with Jay Graber titled... "ActivityPub + OCaps"! https://gitlab.com/-/snippets/2535398
I think that document laid out all the right ideas for the fediverse (not saying bsky, the fediverse)
Now I want to be clear here that I *don't* think that proposal was necessarily the right one for Bluesky, and I do think Jay Graber was the right person to lead Bluesky
What I wanted to do required a lot more research, and we have done that over at @spritely@social.coop instead
Anyway, if you know anything about me, you know I am a big fan of capability security (ocaps) and that's the foundation of our work over at @spritely@social.coop
But we will come back to ocaps in a second because it turns out OCapPub is not the only time I proposed AP + ocaps!
The other time I wrote about ActivityPub + ocaps was in a proposal to, yes, Twitter's Bluesky process in 2020 with Jay Graber titled... "ActivityPub + OCaps"! https://gitlab.com/-/snippets/2535398
I think that document laid out all the right ideas for the fediverse (not saying bsky, the fediverse)
ActivityPub left giant holes in the spec around two things which sound the same but which are not the same: Authentication and Authorization
Trying to mix these two, you accidentally get ACLs, and then you get confused deputies and ambient authority, plagues of the security world
Anyway, if you know anything about me, you know I am a big fan of capability security (ocaps) and that's the foundation of our work over at @spritely@social.coop
But we will come back to ocaps in a second because it turns out OCapPub is not the only time I proposed AP + ocaps!
This isn't the only time I left a critique of ActivityPub-as-Deployed as opposed to ActivityPub-as-it-could-be: see also OCapPub, which critiques the anti-abuse tools of AP as inadequate and leading to "the nation-state'ification of the fediverse" https://gitlab.com/spritely/ocappub/blob/master/README.org
Oh, and ocaps!!!
ActivityPub left giant holes in the spec around two things which sound the same but which are not the same: Authentication and Authorization
Trying to mix these two, you accidentally get ACLs, and then you get confused deputies and ambient authority, plagues of the security world
Actually with this and several other things I am going to bring up, I actually made sure there was space to do things right: there was a push to make ActivityPub "https-only"
I pushed back on that, I didn't want that requirement, and it was exactly for this reason: enabling content addressing
This isn't the only time I left a critique of ActivityPub-as-Deployed as opposed to ActivityPub-as-it-could-be: see also OCapPub, which critiques the anti-abuse tools of AP as inadequate and leading to "the nation-state'ification of the fediverse" https://gitlab.com/spritely/ocappub/blob/master/README.org
Oh, and ocaps!!!
Content addressing is important. It should not matter where content "lives". It should be able to live anywhere.
A server should be able to go down, and content should survive.
Go content addressing!
Actually with this and several other things I am going to bring up, I actually made sure there was space to do things right: there was a push to make ActivityPub "https-only"
I pushed back on that, I didn't want that requirement, and it was exactly for this reason: enabling content addressing
One thing we have already discussed so, before I will say anything else, I will repeat: content addressing is really good, and I'd like to see it happen in ActivityPub, and it's possible to do, I even wrote a demo of it https://gitlab.com/spritely/golem/blob/master/README.org
Bluesky does the right thing here, AP should too
Content addressing is important. It should not matter where content "lives". It should be able to live anywhere.
A server should be able to go down, and content should survive.
Go content addressing!
Actually something that is funny about ActivityPub is that there's "ActivityPub the spec", which I think is pretty solid for the most part, and "ActivityPub-as-deployed"
Many of the critiques I'm about to lay out we left holes in the spec for which I hoped would be filled with the right answers
One thing we have already discussed so, before I will say anything else, I will repeat: content addressing is really good, and I'd like to see it happen in ActivityPub, and it's possible to do, I even wrote a demo of it https://gitlab.com/spritely/golem/blob/master/README.org
Bluesky does the right thing here, AP should too
I have actually critiqued ActivityPub and the fediverse a lot! I have kind of never stopped critiquing it, ever since the spec was released. There's a lot that can be improved!
I have even gotten criticism from AT LEAST ONE ActivityPub spec author for critiquing AP-as-deployed but I do anyway
Actually something that is funny about ActivityPub is that there's "ActivityPub the spec", which I think is pretty solid for the most part, and "ActivityPub-as-deployed"
Many of the critiques I'm about to lay out we left holes in the spec for which I hoped would be filled with the right answers
Alright you've heard enough critiques of Bluesky for a bit and I SAID I was gonna critique the fediverse and I am a WOMAN OF MY WORD
So let's get into it!
I have actually critiqued ActivityPub and the fediverse a lot! I have kind of never stopped critiquing it, ever since the spec was released. There's a lot that can be improved!
I have even gotten criticism from AT LEAST ONE ActivityPub spec author for critiquing AP-as-deployed but I do anyway
Christine Lemmer-Webber