Archive for October, 2010

Archive for October, 2010

Comments about Awards API

Posted on

@codenamebowser has written up a minimal Awards API spec similar in nature to what I proposed recently. @wolever has already made some comments. My comments are below.

OAuth: yes. Be aware that OAuth (and really any other system) cannot securely identify non-web apps. This is because auth keys stored in an app in the possesion of a user can be got by that user. Many people (including myself and the IETF OAuth spec editor, Eran Hammer-Lahav) feel that desktop/mobile apps should not use consumer tokens at all, but should use empty or “anonymous” tokens so the app can say to the user “an application claiming to be…”

User Accounts: whaaa? I guess you’re trying to let sites use the system if their users don’t, but you really probably want to be publishing to an actual usr account, not an invented thing. Make a way for new users to seamlessly get an account. You could start OAuth from the client and when they come if they have an account, log them in and associate. Otherwise get some ID from them (email address or web address) and use that to authenticate them (using email verification and/or openid and/or relmeauth).

I agree with @wolever that if you’re going to have limits, you should make them early on. Most things shouldn’t need limits, though.

I would make sure all properties are accessed as though they are just keys in the allswed kvp. That way the whole API is simpler and feels the same as itself. Some keys are just predefined with meaning and some aren’t.

Threshold seems like overkill for v1. The client probably knows that anyway.

If you want likits for IDs, look up the limits on the HTML ID attribute.

As @wolever says, don’t count on one user = one email.

This draft doesn’t say how the kvps are going up to the server. form encoded post? While a bit more complex, I would look into POSTing activity streams ATOM, since that will allow distributedness and resyndication to work very well.

Before I got to publishing this a new version of the API spec came out. More comments below.

Authentication: what? I’m reading this, and you have exactly re-invented OAuth. As always when re-inventing a security technology, you have done it poorly (md5? are you on crack?) Use OAuth… it’s the same basic tech you’re suggesting, but is actually good.

Must have for icon is PNG. I think size restrictions would be bad at an API level, though for your implementation you may want to institude a MB limit to prevent abuse.

140 characters is a nice arbitrary limit for SMS, but saying it makes things fit on one line in web designs is just not fair.

In the KvP, are values 8-bit safe? Can I use a 255-byte blob? 8-bit safety is *good*. Make your limits in bytes, not in characters.

users/create_and_retrieve seems like the only one that’s really useful (except maybe retrieve). What’s the use case for users/create? Of course, as above, I think it would be useful to handle user accounts somewhat differently.

Your XML seems like a good candidate for ATOM, as I suggested:

	<author><email></email></author> <!-- this could be activity-actor as well/instead -->
	<title>Test achievement</title>
	<content>Got this for being a guinnea pig.</content> <!-- could use summary for this instead -->
	<link rel="logo" type="image/png" href="data:..." />

This format (or something similar) has resyndication benefits, and also means that one could pass awards around easily using Salmon or Ostatus.

Generic Achievement System

Posted on

I’ve been thinking a bit recently about generic achievement systems. Basically what I want, is a web service where I’ve got a profile showing off the achievements I’ve unlocked in different ways. This could have some scraping of well-known social web achievements (StackOverflow, FourSquare), but that doesn’t really scale so I’d want an API that any service or application could tie into to publish unlocked achievements to my profile. I’d also want read APIs so I can put achievements I really want to show off on my actual profile page at Achievements should be able to take any image+text form, from high scores to badges.

If social web sites can publish achievements to the site and read them back out, that’s great, but there are already a couple of services that sort of serve that purpose (though I’m not sure either serves their own local profile pages). The real benefit here is that applications (especially including games) could easily tie into this as well.

Of course, now that I’ve described it you can see I don’t necessarily want a web service at all. I want an API specification and a reference implementation. Web apps and games should be configurable with my actual “achievement host” (or discover it over LRDD/Webfinger) so that I can just host my own list and not sharecrop on someone else.

Now, on top of all this, I want the same protocol (or something very close to it) to work with a local on-my-machine service that serves a similar purpose: storing scores and achievements for local users. One could then build nice local scoreboard/achievements unlocked display dashboards, which could be very useful in a gaming-heavy environment like the games at (some games already do shared local highscores, this is just one up on that).

The right way to build something like this, probably, is to use Activity Streams concepts and publish the content over HTTP as an “achieved” or “scored” event.

Thinking About Aggregators

Posted on

So, I’ve been thinking for awhile about the aggregator experience I want to have for reading my blogs and microblogs. As I’ve increasingly been moving to my own infrastructure for both, my subscription experience has been evolving as well. Right now I have a rather hacky script polling the Twitter and APIs every 2 minutes, putting the content into my WordPress database, and exposing that information over a partial implementation of the Twitter API. I then use a ruby script that polls said Twitter API and sends the messages to me over XMPP (as well as allowing me to post to my self-hosted microblog). I read other feeds using newsbeuter.

This entire setup is a bit suboptimal. Why, for example, is my server polling and then storing content I am subscribed to? Isn’t that normally my aggregator’s job? I’ve realised, that the reason the model has evolved this way elsewhere (such as at is that in many microblogging services, the service acts as both publisher and aggregator, but this is sort of artificial. My server has no good reason to act as an aggregator, that function is not related to publishing my content.

I thus intend to build a better aggregator infrastructure. My current thought is to build some sort of modular system with data sources and sinks. The primary sources (to start) will be RSS/ATOM feeds and maybe Twitter compatible APIs. On top of this can be built a nice web-feed-reader infrastructure (like Bloglines was), which should support PubSubHubBub for its subscriptions (since it lives on a server asnyway), or an XMPP feed-delivery system (which just connects, delivers the content, and disconnects), or an ncurses or other GUI system for local use.

The system also needs to support replies (via Salmon or Trackback/Pingback) and also cross-posting of said replies (using Twitter-compatible or WordPress-compatible APIs). The public key that goes with the private key the aggregator is using to sign the Salmon slaps needs to be publicly discoverable somewhere (likely at your publishing point), but otherwise the aggregator doesn’t need any kind of public or always-on presence.

Free HTTPS from StartSSL

Posted on

Apparently, some people are still unaware that the can get a TLS/SSL certificate for free from StartCom. StartCom has been providing Class 1 certificates for free for some time now, but they’re certificates were not always widely supported. Having used one of these certificates for my personal site for some time now, I can say with confidence that there are well supported by major browsers and Operating Systems.

Head over to StartSSL Login/Signup and click the “Express Lane” option. The wizard will guide you through creating a new StartSSL account and creating a webserver certificate. You will be asked to give a significant amount of personal information, then asked to verify one of the email addresses associated with your domain name, and finally you will be given the opportunity to have them sign a certificate you have generated (the way to get a CSR is different depending on what webserver you are using or what host you are with, there is good information in the StartSSL FAQ or try Google).

As part of the account creation process a client-side TLS certificate will be generated and stored in your browser or OS keychain. Do not lose this certificate. It is the only way to log into your StartSSL account.

One little gotcha in the way StartCom has chosen to implement their Class 1 CA is that you will not be able to list your main domain as the primary name on the certificate, but will have to list a subdomain. You may list more than one name, and your main domain may be on the certificate, just not as the primary name. I, for example, have as the main name on my certificate, and then have as a secondary. This is a bit strange, but works fine with most clients (a notable exception being wget).

And that’s about it! Unless you’re on a shared host without a unique IP or host-based TLS support there is no reason for you not to have HTTPS enabled on your personal site.

On Selecting a Spouse

Posted on

I thought I should blog this while the discussion I recently had with Christopher Vollick about the matter.

First, a small disclaimer. I may use words like “spouse” and “marriage” in this post. These words are used for simplicity only and are not intended to indicate a particular legal or religious connotation. You could substitute “life-long helpmate” or “mate” or any word that fits your worldview.

There are a great deal of different models used in the pursuit of spousal selection. I cannot possibly deal with them all, and may not even know about them all, so I will deal here primarily with three idealized models taken from Western Culture.

Modern Common

This is what I choose to call the spousal selection model commonly portrayed in recent Hollywood movies. It is also, unsurprisingly, the most common model in common use in the Western world.

This model consists of selecting a potentially interested party, proposing that said party engage in some sort of social activity, after which the couple quickly becomes formally declared and usually exclusive (“boyfriend/girlfriend”). This process often happens so quickly that, if both parties are more or less interested from the outset, there may be no intervening social activity at all. In all cases the couple transitions very quickly from casual friends (or even total strangers) to a formal romantic relationship.

The couple then engage, at least for some time, in a significant amount of private or semi-private social activity as the primary avenue for relationship building and evaluation.

This model tends to result in people who go through a series of formal, semi-committed, but ultimately disastrous relationships. It also tends towards viewing the relationship as an avenue for two people to evaluate each other, instead of as an avenue for two groups of people (friends and family on both sides) to be slowly evaluated and integrated. This results in weddings where one side may meet close friends or relatives of the other very shortly before the event.

Modern Courting

This model may be unfamiliar to some as it is mostly common among the far right. It claims to be an incarnation of a much older model (discussed next), but is in fact something new and much closer to Modern Common.

This modal is far more formal and legalistic than Modern Common. Instead of having an optional period of socializing between “friend” and “girl/boy friend” this model chooses to force everything to be formally declared up front. Guardians are often consulted, goals set, and rules agreed to. Like much that comes out of the far right this model tends to pride itself on what it does not do. Modern Courting couples often spend little to no time alone, and limit their interactions to a plan.

Modern Courting does emphasize family evaluation more than Modern Common, but only in terms of the context in which it operates. The individuals themselves quite often still do not see this as a primary component of their relationship.

Austin/Dickens Era

This model is the obvious ancestor to Modern Common, but has some very distinct differences. The couple still engage in social activity together in order to evaluate compatibility. The relationship still eventually becomes formalised, and usually exclusive. The couple even, contrary to popular belief, may spend a significant amount of private or semi-private time in relationship building.

The primary differences, are transition and context.

In this model, the transition from casual friend to a formal romantic relationship takes at least as long as the normal transition from stranger to friend. Nothing formal has to happen until the couple is nearing the engagement stage. Before that, the couple is interacting as increasingly good friends in whatever context would be natural for good friends to interact, given their other cultural baggage. This means that, naturally, friends and family who are likely to become a major part of the couple’s future are interacted with and evaluated as part of the social group the relationship is using for context.

This model also gives significantly more wiggle room to pursuit, since a party has not overcommited before an evaluation has taken place, and can exit from the non-relationship gracefully without anyone else being aware of what said party was thinking. Of course, eventually each party’s intentions become easy to discern, but things are not dealt with formally from the outset.

On Arrangement Models

Decently-run “arranged marriage”-based models can work very well. Possibly better than anything else. They cannot, however, be mixed in a society with another prevalent model. If they are, those under the arrangement find the arrangement to be arbitrary as compared with the “freedom” of those around them.