Recent & UpcomingResources |
Vouch(Redirected from vouch)
This article is a stub. You can help the IndieWebCamp wiki by expanding it.
Summary
By doing so, A is telling B:
WhyYou should implement receiving Webmention with Vouch in order to automatically block all automated spam. You should send webmentions with vouches to increase the chance that your webmention comments will be accepted. As more and more sites implement Webmention with Vouch, plain webmentions may be blocked more frequently. How ToFor how to implement receiving Webmention with Vouch, see the #Flow_Chart and summary description underneath it. Flow Chart
Summary description of Webmention with vouch flowchart from 2014-285 IndieWebCamp Cambridge. Webmention support only:
ProtocolVouch protocol description. How a webmention with vouch is sent, received, processed, accepted, rejected.
If any checks fail, B returns 400. IndieWeb ExamplesIndieWeb Examples of receiving and sending Webmention with Vouch, in order of implementation. Aaron Parecki
Ben RobertsBen Roberts uses Postly on ben.thatmustbe.me to support sending and receiving Webmention with Vouch as of 2014-10-17. E.g.:
gRegor Morrill
Design ConsiderationsEasy For Receiver ImplementationIn general a key goal with "vouch" is something that is easy for the receiver to process, and instead put more burden on the sender. Shift Burden To SenderTypical protocols susceptible to (abused by, made nearly useless by) spam (e.g. SMTP, Pingback, Trackback) make it very easy for the sender to send, and thus put all the burden of dealing with filtering undesired senders on the receiver. Vouch pushes the (potentially cognitively challenging) work of 2nd degree discovery onto the sender of the webmention, and instead makes it easy for the receiver to implement. Zero moderationAnother key goal is to build a system with zero moderation tax, at least to deal with automated spam systems. FAQ(in progress) Is vouch saying you know me fromQ: Is a vouch saying "you may know me from…" ? A: Not quite. No assertion of "may" nor "know". Just a "here's someone's {C} (perma)link, you {B} have linked to {some URL at C's personal domain}, where {C} links to me {some URL at A's personal domain}" Do I vouch for my friendsQ: Do I vouch for my friends? A: No, no assertion of friendship is implied or used by vouch. What is HTTP 449Q: What is the HTTP 449 status code? A: HTTP 449 is a status code used by Microsoft to mean "Retry With"[1] Why not HTTP 401Q: Why not use the HTTP 401 status code? A: HTTP 401 requires that the response include a "WWW-Authenticate" header, and says that the client can retry the request with authentication. Since Vouch does not involve authentication of any kind, this is not an appropriate response code to use. Why not HTTP 403Q: Why not use the HTTP 403 status code? A: While there may be future uses of 403 in Vouch, currently the meanings of 403 do not map to anything in vouch. From https://en.wikipedia.org/wiki/HTTP_403 A 403 response generally indicates one of two conditions: Vouch is not about authentication, thus the first makes no sense. Nor would vouch be indicating that an operation is forbidden to all users, thus the second does not apply either.
From http://tools.ietf.org/html/rfc7231#section-6.5.3 The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any). If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.
How can a sender find a vouch linkQ: How can the sender find such a vouch link? A: How do people in general explain how they know each other? We can push this question off to arbitrary social sidebands of choice, the way people share links informally in all sorts of ways. In addition, since such social questions are of interest beyond commenting (as evidence by Facebook and other silos showing how many friends in common you have and who they are), there's likely to be one or more aggregators that surface this information in some queryable way. If A is already a reader of B's content (which A should be, since A is sending them a comment on one of B's permalinks), then A should already be somewhat familiar with who B links to (or can quickly check B's home page or recent posts for people). A should also be relatively familiar with who links to A (hint: A's recent incoming webmentions, or recent HTTP referers [sic]). Thus with a quick look at B's home page (or recent posts) A should be able to trivially recognize oh hey there's someone (C) that sent A webmention recently, and go pull that out of A's queue/history of recent webmentions, and use that as a vouch URL. Someone might also setup a service like say socialsearchme.com where you can put in your personal site, and see who has linked to you (most recently, most frequently), who you've linked to, the overlap, as well as how many and who you have in common. In which case, as a user (A), after commenting (and presumably having their "normal" webmention rejected), they could check a hypothetical service like socialsearchme.com for themselves, see that they'd linked to B, and then see how many (if any) people they have in common, especially, if there are any people that B has linked to that link to A, and if so, presto, that's a "vouch" URL. This manual human step of checking, i.e. "Hey how do we know each other" adds to the strength of the social tie between the commenter and the post author. How do I verify a vouchQ: How do I know if the vouch I received is legit. i.e. do I have to verify that there is a link between sender and voucher? A: As the receiver, you have to do two (relatively) simple checks. First, regarding: "don't I have to verify that there is a link between sender and voucher" - in one direction only, that vouch URL links to sender's personal domain. That's the easy check. The second, potentially more challenging check, is you have to verify that you approve the vouch's site/domain (e.g. perhaps a link from your blogroll, or a whitelist, or your Twitter followings, nicknames cache, outbound link cache (i.e. a cache of every domain you've linked to), etc. take your pick). Must I trust voucher knows sourceQ: But can anyone can send me a webmention with voucher = someone that I've linked to, should I just trust that they know the source? A: No notion of "trust" needed. Just links. You MUST verify that the vouch (presumably a permalink at the vouch's site) links to the source's site. Continued: "or do I go fishing in your friendslist to verify it?" No. There is no need to crawl anywhere from the vouch URL. Why does Twitter not worryQ: Why don't people worry about this for Twitter?" A: They do. :) See Twitter silo mentions of my Twitter profile: https://twitter.com/search?f=realtime&q=%40t&src=typd with plenty of spam. Must I always send a vouchQ: If I want to send a webmention to a colleague for the first time, I have to somehow... A: Not necessarily. The Vouch protocol is a backwards compatible extension to Webmention. E.g.:
Q: Can a vouch can apply to a shared membership too? E.g. irc-people or next-hwc, or XOXO? A: A vouch URL could be for example User:Kevinmarks.com, which obviously links to the domain(s) (known.)kevinmarks.com, and thus vouches for any permalinks at those domains. Then the receiver of the webmention has to decide, do I approve of indiewebcamp.com (e.g. have linked to it before, likely yes), ok I'll accept that site as a vouch, and the specific vouch URL, and thus the webmention. Is the vouch a sponsorQ: Is the vouch is a sponsor? A: No, the vouch is not a "sponsor" or any other new term. The vouch (C) is just a (perma)link, which directly links to A's domain, and which B is likely to approve (e.g. has linked to C's domain previously). Does vouch make all webmentions manualQ: Does vouch make the whole webmention sending manual? No auto-sending webmentions? A: It does not. For example it is likely your code can programmatically itself test http://indiewebcamp.com/irc-people and use it as a default vouch. From there, you can decide how much intermediate UI you want to show, "The comment you sent is awaiting some form of vouching that they link to that links to you" with a URL field to enter. Plenty of opportunity to crawl, cache, innovate there. Does vouch make it too hard to send webmentionsQ: Does this make it too much work to send webmentions? A: Maybe. We won't know until we attempt to implement Webmention with Vouch and see what roadblocks we run into. In ProgressVouch was braindumped into IRC: http://indiewebcamp.com/irc/2014-09-28 (and following days). This page is in progress documentation of that IRC braindump, with follow-ups.
Issues
Old NotesIf Aaron's blog supports receiving vouch webmentions, and Barnaby's blog supports sending vouch webmentions, then this is how they interact: Presuppose that Aaron's blog has a friends page, or some public XFN list (following) Presuppose that Barnaby already has a private list of sites that link back to his own site (including URLs to prove that the link back) Vouch Selection
Sending
Receiving
to doTo be written up here in this wiki page from that braindump
To be drawn and posted:
See Also |
Thank you to our sponsors of IndieWebCamp events!
