The hot topic with me is to devise a protocol for smearing LiveJournal's authenticated commenting across the blogosphere. We already have parts of their friends list feature with RSS and blogrolls. Not that I dislike LiveJournal--quite the opposite, or I wouldn't be trying to replicate part of it. It sounds like a neat gadget, it's a missing piece of current weblog tech (I know I'm not the first to ponder this!), and the seams of LiveJournal's centralized architecture have especially shown lately.
So, posit a system for posting comments to weblogs. Such a system would need to support:
- Authentication. No one should be able to fake a comment as yours without causing a warning.
- Ownership of comments. The original poster should be able to prove e's the original poster, to the point the server could allow em to edit or delete eir comments.
- Distributed architecture. No third party besides the comment poster and the weblog software taking the comment should be necessary. (Either way could be provided as a third-party service, but it should not be necessary.)
- Ease of use. Posting a comment should be at least as easy as posting an entry with a TrackBack ping (autodiscovery notwithstanding, I'm afraid).
It's possible with a combination of these technologies:
- An author description standard. This buys one URL to get an author's data. The URL also uniquely identifies the author; mine might be http://markpasc.org/weblog/dac.xml. I was thinking FOAF, but I wouldn't be surprised if vCard is adequate. No reason to go with the big buzzword if something more tried works (but then, looking at vCard in the Jabber context hurt my head when I tried a few years ago).
- Public key authentication. The author description has a link to (or serialization of) the author's public key. If someone tries to post a comment using your author description URL, they'll also have to be able to sign it with your key; if the signature is bad, the comment is rejected (and any other countermeasures the server would like to take can be taken--attempting to post with someone else's author URL wouldn't be very unintentional). Probably OpenPGP compatible, because as far as I know it's still the de facto standard for public key crypto.
You'd probably generate a key specifically for doing this, so you don't get your encrypted email cracked if you lose this key. It's more likely you would lose this key, because you may have it on your web host, such as if you're running your distributed authenticated comments software alongside your install of Movable Type. If you used a third-party service, well, you're implicitly trusting them with your key as it is. (Such a service should definitely generate its own keys for users.)
How does key revocation fit in? All your old comments may have to be invalidated: there's no way to distinguish your preexisting comments from the one someone presumably posted with your cracked key. That won't really do. If you could provide a list or some way to query your server to ask if a particular comment is valid, you might only lose the ability to edit the old comments... but then, that's how you lost the key, right, not having total control on the server? Gah.
- TrackBack. There are a lot of other systems like Pingback that sound interesting, but TrackBack is the most widely implemented as well as being a good fit for the job. It has the plus of being REST-like if not fully REST, not that I have anything against XML RPC protocols per se.
TrackBack's character limit is, as far as I can see, an implementation-based restriction that doesn't really have bearing on the protocol itself (other than discouraging posting of 5 KB posts like this to every last link rece) However, TrackBack would have to become more like MetaWeblog API etc, as I write below; with the addition of POST and PUT methods.
- Weblogs. If TrackBacks are comments, then comments are weblog posts. The same interfaces for entering posts for your weblog can be used to enter posts to another weblog.
This also includes programmatic APIs like MetaWeblog: part of the reason for authenticated comments is so posters can "own" their comments, meaning they can edit and delete them. These APIs (currently MetaWeblog and the unimplemented Blogger API mk II) are how we edit and delete remote posts.
The implementation problem is that these APIs tend to be XML RPC protocols (with actual XML-RPC, even), whereas TrackBack... isn't. So, if the system were designed to be RESTful, we would have to do a REST version of, e.g., MetaWeblog API. (Are there any already? It sounds tailor-made for HTTP PUT, but the oxygen gets a little thin for me on the rest-discuss list, so I may have heretical ideas about it.)
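The signing, verification and ownership checks described in the list above, as an added example that is not part of the original post. It uses Ed25519 from Go's standard library in place of OpenPGP so that it runs offline; the `Comment` format, the `AuthorKeys` map (standing in for fetching each author description) and all URLs are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Comment is a hypothetical wire format for a signed comment.
type Comment struct {
	AuthorURL, PostURL, Body string
	Sig                      []byte
}

const AliceURL = "https://alice.example/author.xml" // constructed author description URL

// DemoKey derives a fixed, non-secret demo key from one byte (32-byte seed).
func DemoKey(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed([]byte(fmt.Sprintf("%032d", b)))
}

// AuthorKeys stands in for fetching each author description and reading its key.
var AuthorKeys = map[string]ed25519.PublicKey{AliceURL: DemoKey(1).Public().(ed25519.PublicKey)}

// signedBytes length-prefixes each field; covering PostURL stops replay onto another post.
func signedBytes(c Comment) []byte {
	return []byte(fmt.Sprintf("%d:%s%d:%s%d:%s", len(c.AuthorURL), c.AuthorURL, len(c.PostURL), c.PostURL, len(c.Body), c.Body))
}

// Sign is the commenter's side, using a key kept only for commenting.
func Sign(c Comment, priv ed25519.PrivateKey) Comment {
	c.Sig = ed25519.Sign(priv, signedBytes(c))
	return c
}

// Verify is the weblog's side: accept only a signature made by the claimed author URL's key.
func Verify(c Comment, keys map[string]ed25519.PublicKey) bool {
	pub := keys[c.AuthorURL]
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, signedBytes(c), c.Sig)
}

// MayEdit is the ownership check: the edit must be validly signed by the stored comment's author.
func MayEdit(stored, edit Comment, keys map[string]ed25519.PublicKey) bool {
	return edit.AuthorURL == stored.AuthorURL && edit.PostURL == stored.PostURL && Verify(edit, keys)
}

func main() {
	c := Comment{AuthorURL: AliceURL, PostURL: "https://blog.example/post/1", Body: "Nice post"}
	fmt.Println(Verify(Sign(c, DemoKey(1)), AuthorKeys), Verify(Sign(c, DemoKey(2)), AuthorKeys))
}
```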
The products of this design process should be:
- A protocol specification.
- An independent server implementation, suitable for using with weblog hosting such as PyCS, as a third-party service for others, or alongside your non-Movable Type weblog.
- A drop-in implementation for Movable Type. It might replace mt-tb.cgi or mt-comments.cgi.
Comments
comment
Paul Bausch’s Onfocus is the weblog with PGP comments.
comment
Good