New GPG key! Fingerprint: 1C00 430B 19C6 B426 922F E534 BEF8 CE58 118A D524
Released php-mf2 v0.2.9 with GPG signed tags and verification guide (blogpost coming soon), hProduct backcompat support. packagist.org/packages/mf2/mf2#v0.2.9 github.com/indieweb/php-mf2#v029
Posting a new note having just logged into my site using GPG via indieauth.com!
Update: here’s a short screencast documenting the creation of this note:
My GPG key fingerprint: CBC7 7876 BF7C 9637 B6AE 77BA 7D49 834B 0416 CFA3
Prepping an old machine for demoing crypto tech at the cryptoparty tonight, windows being a complete pain. I have a feeling I’m going to be spending most of the evening apologising for other people’s bad UI decisions.
↪
Micah N Gorrell:
@BarnabyWalters Those would work as well but would limit it's use to an actual browser. What is wrong with an HTTP header for this?
Micah N Gorrell:
@BarnabyWalters Those would work as well but would limit it's use to an actual browser. What is wrong with an HTTP header for this?
@_minego links with the rel semantic can be used both in human-visible markup for improved back-compatibility and quick error-spotting (as well as layering on top of existing solution) and also in HTTP headers for machine-only use
↪
Micah N Gorrell:
@BarnabyWalters It should be an HTTP header, so that existing clients aren't broken by the change.
Micah N Gorrell:
@BarnabyWalters It should be an HTTP header, so that existing clients aren't broken by the change.
@_minego which existing clients would be broken by adding a classname or rel value to the HTML page someone downloads something from, or a Link header to the download itself?
↪
Barnaby Walters:
#idea: a microformat for download signatures/checksums, allowing browsers to automatically verify files without people having to go into the terminal and use shasum or gpg --verify
Barnaby Walters:
#idea: a microformat for download signatures/checksums, allowing browsers to automatically verify files without people having to go into the terminal and use shasum or gpg --verify
Of course the more significant thing is UI considerations: how to offer this info to the downloader, how to explain what the various possible outcomes mean and what action the user should take as a result of them
↪
Justin Cormack:
@janl @BarnabyWalters sure, it needs extending but I think http headers are the right place for this.
Justin Cormack:
@janl @BarnabyWalters sure, it needs extending but I think http headers are the right place for this.
@justincormack @janl possibly, human-visible links/keys less likely to go out of date, also better BC as easier for people with dumb browsers to manually verify than invisible header info
#idea: a microformat for download signatures/checksums, allowing browsers to automatically verify files without people having to go into the terminal and use shasum or gpg --verify