From IndieWeb

Indie Access Control was a session at IndieWeb Summit 2018.

Notes archived from: https://etherpad.indieweb.org/indie-access-control

Video: ▶️40:05s

IndieWeb Summit 2018
Session: Indie Access Control
When: 2018-06-26 16:45



  1. Interests?
  2. Demo
  3. Indie Technologies
    • Browser's role
    • Identity
    • Revoking access



  • Equity/democracy of access control. Who defines control?
  • What is access?
  • William: How we facilitate people sharing data in a private/controlled way
  • Use case: My mom has digitized all our family photos back to the 60s! How to share and collaborate?
  • Tennille Christensen: Privacy, Identity Theft, because I have a unique name
  • Post sharing. If I have a note for people, I want to scope it for them. How do I share to the person adjacent to me?
  • It seems you can do this with an auth model. But if you want a shared URL then it seems difficult.
  • Applying indieweb principles to back-end content management systems.
    • Different identifiers. Someone made an indieweb CMS with transparent back-end to front-end.
  • (Authentication) Too many passwords, lost all my bitcoin keys.
    • How do you deal with key loss?
  • Distributed applications, many nodes— is there a central participant who can revoke access to others?
    • Is there any way we can revoke access that has already been consumed?
  • GDPR laws require access control

herbalist: traditionally persucuted; example of community that needs to make sure that information shared between parties is indeed only between those partieis how website operators and larger web application operators maintain tracking data: who has access to that kind of data, why, and also massive consent issues --> GDPR Backend systems --> privacy, access control, standardization, who has control of data structures data schemas and data definition systems have data privacy and access control implications why is data shared, when, by whom and what revocation; token systems and their role in access control system -->


  • IndieAuth can be used to authenticate
  • Authentication seems to be the only part that matters for indieweb protocols?
  • A scraper could log in before scraping, to get only stuff it allows
  • Or information could be represented on the page encrypted
  • Read vs. Write access
  • You might want to scope access to someone's Identity, Affiliation, Groups, and Location
  • And the entities hosting this information might need to be trusted
    • Big problem: Key exchange, who and how and when --> Michaels share public key over https (if this_domain_name_public_key then := )
    • Is there implicit notification(s) with the post, do or how to push notification -> in M's system, in the post, they are rep'd in the to: list rather than the cc: list -> implications of (*lists)
    • location vs content keys: problem inherent as result of encryption to every recipient --> thus multiple keys, m said master URL, say "who are you" then give them different version, --> response: everyone goes to same URL, then based on their identity
    • how does a
  • fork and then rebase : "reversible operations": CRDT
  • https://github.com/ipfs/research-CRDT/issues

See Also