Add support for write.as profiles #47

Open
opened 2 years ago by yarmo · 2 comments
yarmo commented 2 years ago
Owner

Description

Proposal to add support for write.as profiles.

This is possible using their public api: https://developers.write.as/docs/api/#retrieve-a-post

Proofs will be published in the form of a single post and the the ID of that post will somehow have to be included in the proof verification URL.

Issues to be solved

The API returns no data whatsoever about the user that published the post. We'll most likely have to include either the userId in the API URL or, preferentially, include the postId in the profile page URL.

Will work on soon.

**Description** Proposal to add support for write.as profiles. This is possible using their public api: https://developers.write.as/docs/api/#retrieve-a-post Proofs will be published in the form of a single post and the the ID of that post will somehow have to be included in the proof verification URL. **Issues to be solved** The API returns no data whatsoever about the user that published the post. We'll most likely have to include either the userId in the API URL or, preferentially, include the postId in the profile page URL. Will work on soon.
yarmo added the
enhancement
label 2 years ago

Will work on soon

No pressure but what's the status of this?

>Will work on soon No pressure but what's the status of this?
Poster
Owner

I have not worked on it :/

So, taking a fresh look at it again. I have made a test post:
https://write.as/yarmo/verifying-my-cryptographic-identity

Problem: The API call needed is https://developers.write.as/docs/api/#retrieve-a-post, but the API call wants data that is not here, namely the post's ID (for the test post above: ktcwhjgy2zb8kleb).

Solution (hack #1): People would have to include the post ID in their identity claim, which is not great.

So the identity claim would become: https://write.as/yarmo?postId=ktcwhjgy2zb8kleb

Now, the DOIP library can properly make the API call: https://write.as/api/posts/ktcwhjgy2zb8kleb

Problem: the API call's response contains no data about the user. This means that impersonation is as easy as taking someone else's postId and append it to your username (for example, https://write.as/imposter?postId=ktcwhjgy2zb8kleb would show as verified!)

Solution (hack #2): the post also needs to contain the username against which we can test the username in the claim.

I'll be honest, as much as I want to be able to verify WriteFreely accounts, this specific verification process would require two hacks, both of which are easy to do wrong and have potential bad consequences.

Hopefully someone sees a better solution that I don't

I have not worked on it :/ So, taking a fresh look at it again. I have made a test post: https://write.as/yarmo/verifying-my-cryptographic-identity Problem: The API call needed is https://developers.write.as/docs/api/#retrieve-a-post, but the API call wants data that is not here, namely the post's ID (for the test post above: ktcwhjgy2zb8kleb). Solution (hack #1): People would have to include the post ID in their identity claim, which is not great. So the identity claim would become: https://write.as/yarmo?postId=ktcwhjgy2zb8kleb Now, the DOIP library can properly make the API call: https://write.as/api/posts/ktcwhjgy2zb8kleb Problem: the API call's response contains no data about the user. This means that impersonation is as easy as taking someone else's postId and append it to your username (for example, https://write.as/imposter?postId=ktcwhjgy2zb8kleb would show as verified!) Solution (hack #2): the post also needs to contain the username against which we can test the username in the claim. I'll be honest, as much as I want to be able to verify WriteFreely accounts, this specific verification process would require two hacks, both of which are easy to do wrong and have potential bad consequences. Hopefully someone sees a better solution that I don't
Sign in to join this conversation.
No Milestone
No project
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Loading…
There is no content yet.