Liveblogging the inauguration

Jan. 20th, 2009 10:49 am
jducoeur: (Default)
[personal profile] jducoeur
Since I have the TV on while I work today, I'm going to do a bit of liveblogging of my impressions of the inauguration over on CommYou. If you've got the time and inclination, I encourage y'all to join in...
Tags:
Flat | Top-Level Comments Only

(no subject)

Date: 2009-01-20 05:57 pm (UTC)
From: [identity profile] cvirtue.livejournal.com
Is hitting reload the expected method to get new comments in the thread? I looked around a bit but I didn't find any other clues.

(no subject)

Date: 2009-01-21 02:12 am (UTC)
jducoeur: (Default)
From: [personal profile] jducoeur
For future reference: this is why, at the moment, the IM integration is important. The Web interface is good for catching up on back messages, but IM is really the way to follow along with the conversation as it's running. Setting that up isn't completely trivial, but it's not hard if you already have an XMPP-based IM account. (Which you do, since LJ provides one automatically.)

The next major release will pull these together: it'll have a Flash-based client running in the browser that talks to a customized XMPP protocol back to the server. So you'll be able to simply log in, and it'll Just Work: new conversations and new messages will show up as they happen, in a tabbed interface, with no setup required. That should make the system really hum nicely, combining the strengths of the Web and IM interfaces, but I've got a lot of code to write first...

(no subject)

Date: 2009-01-21 02:33 am (UTC)
cellio: (avatar-face)
From: [personal profile] cellio
Thanks for posting that. I couldn't comment because LJ (and thus LJ OpenID authentication) is blocked at work, but I enjoyed watching. (So far they apparently don't know about CommYou, so it's not blocked yet.)

(no subject)

Date: 2009-01-21 04:11 am (UTC)
jducoeur: (Default)
From: [personal profile] jducoeur
Hmm. Yet another argument for me to add a concept of "native identity" to CommYou, as a possible supplement. This was initially brought up when LJ had its daylong outage for the move: there's some weakness to relying so completely on them for identity. So I may add an optional ability to grab a CommYou login that is associated with your other identities. (Probably going to be useful for native CommYou clients anyway...)

(no subject)

Date: 2009-01-21 04:56 am (UTC)
cellio: (avatar-face)
From: [personal profile] cellio
I won't object, but it's probably not a common-enough problem to be a priority (guessing).

I am not sufficiently wise in the ways of browser tech. It seems that if I can authenticate via LJ and transmit that knowledge to CommYou, and if (assumption here) CommYou can keep track of that for some period of time so I don't have to log in with every comment, then it must be the case that a credential is being stored, presumably in the browser rather than at your server. (A cookie, I presume?) So, given that, is there a way for me to acquiret that credential on one machine, carry it to another, and somehow install it in the second browser? Or does the cookie (or whatever) encode an IP address?

(It's not just you; there are other sites, including professionally-justifiable ones, that use OpenID for commenting, and I can't use them either because of this.)

(no subject)

Date: 2009-01-21 04:22 pm (UTC)
jducoeur: (Default)
From: [personal profile] jducoeur
I won't object, but it's probably not a common-enough problem to be a priority (guessing).

I'd say that it's not common enough to be a first-rank priority, but it *is* common enough to be a significant medium-term concern. You're certainly not the only person who has had an issue of this sort.

It seems that if I can authenticate via LJ and transmit that knowledge to CommYou, and if (assumption here) CommYou can keep track of that for some period of time so I don't have to log in with every comment, then it must be the case that a credential is being stored, presumably in the browser rather than at your server. (A cookie, I presume?) So, given that, is there a way for me to acquiret that credential on one machine, carry it to another, and somehow install it in the second browser? Or does the cookie (or whatever) encode an IP address?

Pretty much correct -- yes, it's using a cookie, and no, the cookie doesn't currently include an IP. And indeed, I do exactly what you're describing for some of my short-term development and tests: it's not unusual for me to start out by hard-coding the cookie until I have all the plumbing right. I'm not sure if the browsers have any good way to "install" a cookie, but if they do, what you describe is entirely feasible currently.

That said, I don't know if this will work in the long run. What you're describing is essentially identical to a replay attack, and I'm going to have to deal with those in due course. So odds are that it *will* encode an IP address eventually, and possibly timeouts and other security measures designed to foil replays. So I suspect it's not a long-term solution.

(It's not just you; there are other sites, including professionally-justifiable ones, that use OpenID for commenting, and I can't use them either because of this.)

Sure -- this is a general weakness of the OpenID approach. It's part of why I'm thinking of identity, in the medium term, as an additive operation: you'll be able to combine identities in CommYou, and use *any* of them (potentially including a "native" CommYou ID) for authentication. That should make things rather more robust...
Flat | Top-Level Comments Only

Profile

jducoeur: (Default)
jducoeur
Querki

July 2025

S M T W T F S
  12345
6789101112
13141516171819
20212223242526
27 28293031  

Most Popular Tags

Page Summary

Active Entries

Style Credit

Expand Cut Tags

No cut tags
Top of page