Last Updated

Map
Decided to finally dispose of my MSI Wind U100 netbook. I bought it on March 19, 2009 for $299, and immediately added an extra GB of RAM and an extra battery and installed Linux. I haven’t used it in years, and it is time to retire it.
neverforgetI’ve been watching reruns of Quincy M.E. on local TV and tuned in to an episode from 1982 called Stolen Tears, where Martin Balsam plays a Holocaust survivor fighting a Holocaust denier, played by Norman Lloyd. Somewhat ironically, Norman Lloyd(born Norman Perlmutter) is also Jewish. I was a fan of his work on St. Elsewhere.

It put me in mind of the 1991 TV movie, Never Forget, starring the late Leonard Nimoy as Mel Mermelstein, and directed by the late Joseph Sargent. Sargent, also director of the original Taking of Pelham One Two Three(which starred Martin Balsam), died a year ago tomorrow. So I bought a copy of the movie on Amazon’s video streaming service, which I haven’t seen since the 90s, and watched it.

In the movie, based on the actual story, Mel Mermelstein is a Holocaust survivor who has a small exhibit at his place of business, and goes to schools and other groups to talk about his experiences. He attracts attention from a Holocaust denying organization and feels the need to challenge them, despite  the fact that most Jewish organizations tell him to simply ignore it and not give the hate group any further ammunition. There are people who consider Nimoy’s portrayal of Mermelstein to be one of, if not his best dramatic performances.

After declaring my intention to help iterate on the Ticket extension to IndieAuth, I built an experimental ticket endpoint, which is available on my test site. I was able to test it using Martijn van Der Ven’s test form for requesting a ticket., after some troubleshooting on both sides. Still have some tweaks to make and questions to answer for expansion, but it turned out that adding support for receiving and redeeming a ticket was relatively easy.

Thinking about Ticket Auth

During this month’s Pop-Up event, as part of the overall topic of sensitive data we were discussing the continual challenges in getting a method of having private posts on one’s site. As a community, nothing has gained enough traction for adoption.

Last summer, a conversation on the most promising at the time, AutoAuth, prompted a new contender Ticket Auth. Ticket Auth turns the relationship in the other direction.

Let’s use our favorite two example people, Alice and Bob. Alice has a post on her site which she doesn’t want to be public. For most sites, the default is public. Alice wants to share her post only with Bob.

AutoAuth doesn’t get into the idea of how Bob, or the client Bob is using, decides he wants to get access to Alice’s post. Ticket Auth, by comparison, puts the onus on Alice. Alice, when she decides on her audience, sends a ticket to those she wants to have access. Bob has to have a ticket endpoint…the place he received tickets.

The ticket is a code that is available for a limited time, that can be exchanged for a longer term token to access the information. It is, essentially, an invitation you are free to accept or ignore.

In trying to develop more, this is a good place to start. Once we start sending and receiving tickets, we can iterate on this and figure out the next questions.

  • Can you ask for a ticket and how?
  • How can you give the ticket or the token you redeem to your reader or other client?

But first things first. Let’s build something.

 

 

Working on expiring tokens for the WordPress IndieAuth endpoint. This would be a breaking change, as currently, tokens issued by the endpoint never expire. This is a security concern, if you keep issuing tokens without ever expiring them. With the new system, you can renew a token, or even disable expiry in the admin if you need a long-lived token. There is a way to have the client get new tokens regularly that I could implement, but currently no client supports it.