From IndieWeb
Jump to: navigation, search

Private Posts / Groups

Private Posts / Groups was a session at IndieWeb Summit 2019.

Video: ▶️50:01s

Notes archived from https://etherpad.indieweb.org/shareprivately

IndieWeb Summit 2019
Session: Private Posts and Groups
When: 2019-06-29 16:10



Useful prior art:

Aaron Parecki has this feature in his CMS, and he implements it by having a post be flagged as private to specified domain names, which represent IndieWeb identities that can see the post if they IndieAuth. Problems with this approach:

Groups are another topic of interest, rather than having to specify a list of domains, you could theoretically create a group that could be reused, like “Family” or “Friends.”

How to share access to the content? Links could be emailed that allow access directly. A site could offer usernames and passwords for folks that cannot (currently) use IndieAuth.

Notifications are a big challenge as well. How do you notify someone that content has been shared to them? fluffy views this as the biggest challenge.

Marty McGuire: Seems to be all of these features are very tied to any given CMS, other than perhaps the concepts of a "Person" (with possible methods to automatically notify them of new posts they can see), and allowlists (for a given post to determine who can see it).

Jonathan LaCour Related: https://indieweb.org/AutoAuth

Jack Jamieson: Important to note what the attack vectors are that could compromise a private system - designing without those in mind likely to lead to problems

Jonathan LaCour: For non-IndieWeb identities, email with magic links might be the best option. (Or other notification mechanisms such as Twitter DMs or whatever.)

  • fluffy: This still doesn't handle the use case of backfilling/archived content, though, or handling the follow vs subscribe dichotomy - post

Ryan Barrett suggested “secret” links as an option as well. Not totally secure, but much simpler than alternatives.

See Also