Distributed "friending" - Blog Key

[ravan]

This originally was a comment on mdlbear's journal, but I feel it needs a wider audience, and expansion.

The problem with LJ is that the most useful factors - friends and communities, and granularity thereof - are not available on standard "plain" blogging software. Ordinary blogs are either/or - invite only, or all public. LJ has the granularity of access, but is controlled by a single corporation that is susceptible to economic and political pressure. What is needed is a way to build the community and friends lists (and access restrictions) that is platform and provider independent.

Enter "Blog Key". This software doesn't exist yet, it's only a concept. This concept involves a plugin. Each type of blogging software would have the plugin(s) ported to it, but is otherwise platform agnostic.

Plugin: "Blog Keys" - This plugin:
A) generates a public/private key pair, and integrates it into the viewing setting for your blog. No accepted key, no blog see.
B) provides easy distribution of public keys.
C) authenticates against given public key(s) that you've accepted, allowing the key generator(s) to read a protected entry.
D) provide an authentication layer by which you would be able to read the blogs of others who had accepted your key, and enabled you to read that entry.
E) provides rss feeds of blogs that you have keys to read (a "friends page")

If I want to be be involved in a blog key group, I enable access to my public key.

A blogger who want to let me read and comment on their blog transfers my public key to their plugin "Add my key!" type button. Thenthey add me to their general reader group, and additionally any subgroups that they wish. They would not, however, be able to read *my* entries, until I added their key to my plugin.

Essentially, the plugin becomes a keychain. I can read any journals that have accepted my key, and enabled my authenticated viewing of the particular entry.

Both commercial (6A) and open source blogging software could implement this. It would still allow public (no key required) posting, could be set up to require key authentication to comment, or be "friends only". All you'd need to participate would be a blogging platform that had the plugin available.

I can't program this, but I'm sure that an open project like WordPress would be glad to have it.

Comments

[tamino.livejournal.com]

I don't use RSS because I can't stomach the fact that it's XML underneath. That's why, with all the plethora of "blog aggregator" software out there, I still just go to the "friends page" on LJ (plus visit the LJs of a few people I want to read who I don't explicitly have friended).

I also feel more comfortable, privacy-wise, hitting LJ (with lynx, so no images get loaded) than hitting someone else's web server where they can see the logs.

For better or for worse, LJ has implemented something that doesn't suck, and it's hard for me to contemplate switching elsewhere.

(S2 does suck, horribly. Argh. But other than that.)

[raindrops.livejournal.com]

That's brilliant. It goes way beyond OpenID.

With the rss feature, you wouldn't need to have a presence on every blog site that your friends do (in theory, of course). Potentially, there could be a sister browser plugin that allows you to aggregate your friends on whatever blog site(s) they use (would also be nice in rss readers).

Just throwing out some ideas during a lull at work.

[mdlbear]

There are several ways to implement groups and access-control lists using public keys; look up SPKI.

The most versatile thing is to give every post its own symmetric "session" key (its MD5 hash works fine), then have a copy of it encrypted with the public key of each friend or group that you want to have access to it.

[mdlbear]

Of course, the other way to do it is to give people accounts. This is something that all web servers and browsers support -- no need for a plugin, and most blog packages support it because they need it for comments.

The only missing piece is distributed identity management, and that's where the public key stuff definitely comes in.

[raindrops.livejournal.com]

Mind if I add you?

My initial thoughts on a browser plugin that works with the server-side component were based upon the idea of a single public/private key pair that travels wherever you want to go in the cloud, carrying with it your specific grouping and access control settings.

[mdlbear]

Go ahead. I'll add you back.

Relying on a single key per person could work, but it would mean you'd have to register it everywhere you go. Groups require a little more work, but allow you to tell your server that you trust any member of a group.

[raindrops.livejournal.com]

I was thinking that with a strong key-pair core, a framework could be developed around that to make it portable on both the client and server sides, without having to register at every turn. Kinda defeats the purpose, doesn't it, if you have to register separately at each site?

There has to be a way to tackle both trust and identity issues in a single framework that accomplishes the stated purposes.

[ravan.livejournal.com]

You wouldn't. The only place you'd register was your *own* site, and then use the plugin to manage the interface with other instances of plugin. A person who wanted to let you read their locked down posts would need to go to your site, and grab your public key to load into their "accepted" readers group.

[mdlbear]

Microsoft, Sun, and others are already hard at work on an identity framework. And then there's OpenID, which doesn't rely on a plugin, just some fairly simple server-side stuff that allows some other server that knows you to vouch for you. The plug-in, then, would just be your own blog server's OpenID server. No need for anything on your browser, which is a darned good thing because some people blog from cell phones and other devices that don't support user-installed software.

There's a bit of overhead, but it's probably no more than you'd have with the current "friend me and I'll add you back" stuff. Probably less, because you could make it into a browser plug-in that would work everywhere, not just on one blogging site.

[ravan.livejournal.com]

The plugin was never intended be a *browser* plugin (client-side), it would be a *blog software* plugin (server-side). The fact that the same term is used for both client-side and server-side software add-ons is a bit irksome.

If a server-side blog plugin was written to use OpenID as the engine, and then add reader/commenter access importation/assignment, tracking, and granularity engine for entries as a user-friendly wrapper for blogs, that would work.

Then blog friending, communities (which could be a blog set up for OpenID verified posting/comment access) would become peer-to-peer, not dependent on the goodwill of a single corporation.

[mdlbear]

Sorry; I misremembered the original post. A lot of blogging packages are using OpenID already; that may be sufficient for the moment.

Another good thing to come out of this might be finally separating the two currently-conflated uses of the "friends" list as a reading list and an access-control list.

[ravan.livejournal.com]

I love it when geek friends get together.

[ragnar21583.livejournal.com]

Sounds like basic Key Infastructures being applied to blogging. It works across the internet on a crapload of other fields, I don't see why we don't do it here. It would just lend itself to another level of confidentiality, integrity, and authentication.

Of course, reading further, seems like mdlbear already hit this nail. Ok, turning my geekdom off. :)

[weofodthignen]

OK chaps, you are beyond my ability to comprehend. If somebody makes it, I will likely try it. Trouble is, there is a metric fuckload of participation here on LJ--colossal inertia, new non-nerds like me still being drawn in each month. Any new service would not have that. And I'd miss it. Blogs on other sites may look cooler, but they are not going to get read by anywhere near the number of "I don't understand this internet thing" people, and I want to reach as many of the heathen ones in that sector as I can. For one thing, they are me as I was . . . 8 years ago? 7?

M

[incidentist.livejournal.com]

I've been thinking about this problem for a few days, but using a PGP-style infrastructure didn't occur to me. I think OpenID can take care of most of the issues -- you keep a list of OpenID URLs as your friends, and you've got an OpenID URL that auths you to read other folks' friendslocked blogs.

There's gonna be a WordPress BarCamp next month in San Francisco. I'm thinking of going and bringing up this idea.