Comment by apitman

Comment by apitman 18 hours ago

3 replies

View on Hacker News

I might be misunderstanding what you're saying here. How is ActivityPub more authenticated than Webmention? WM requires the poster to host their content on a website. This is exactly what the AP spec says to do. Now, since the spec was published, most AP implementations also support HTTP signatures[0], but this doesn't provide additional guarantees that you can't get with WM. The authentication is still tied to a URL.

As far as spamming goes, I don't see how WM is any worse than AP. In both protocols your only options are passlists and/or blocklists.

[0]: And an old version that doesn't have an official spec. ActivityPub's issues with spec stagnation and de facto standards is a whole other thing.

johnmaguire 17 hours ago

I haven't dug into these, so apologies for the naive question, but for a multi-tenant service like WordPress.com, can you effectively limit which WordPress blogs can WebMention you? If the allowlist is formed on the domain, this seems limiting.

Perhaps more advanced URL regex can achieve more fine-grained control but I do still see advantages in pubkey auth (especially if people want to move their content.)

Still, I do find myself wishing for a lighterweight-than-ActivityPub middleground.

Reply View 2 replies
  • apitman 17 hours ago

    You're right, in default configurations ActivityPub definitely has an advantage here, since HTTPsigs are tied to users, not instances, which gives finer grained blocking. I'm not aware of anything like this for Webmention.

    I suspect this is because WM is used far less than AP. It also grew out of a community (IndieWeb) where having your own domain is a core tenet.

    I think something like Mastodon could work with WM though, since all URLs hang off of user URLs, so you could block by URL prefix, ie "block https://example.com/user1/*".

    Reply View 0 replies
  • freosam 11 hours ago

    Webmention receivers can filter on whatever parts of a URL they want to. Maybe a WordPress implementation limits this to the domain? But as far as the spec goes, the receiver just gets a `source` parameter that's a URL. They can then decide to allow that (based on the domain, or any other characteristic they want) and at that point they check that URL to see if the document there contains the link that it's supposed to.

    Reply View 0 replies