Fedi

Implementing and exposing the protocol makes you a participant. That is the web. It is email. Also fediverse.

What is not involved? API keys. OAuth2 flows. We are back to the simple web of dumb transports. You need to serve HTTP and have a domain in DNS. HTTPS is required but available for free today.

Email has had to add anti-abuse measures, DMARC, DKIM and SPF, and the Activitypub protocol of the Fediverse has similar measures. Activitypub uses HTTP Signing to verify the origin of actions. Looking up the key and tying it back to an origin requires HTTPS and a domain name. We rely on DNS again. For the web, for email and for the fediverse. The fundament.

Fediverse starts at a stronger point in the security curve compared to what HTTP and email did. This is the big initial hurdle when implementing the protocol. Public key signing, hashing and reconstructing payloads to verify signatures. Cryptic stuff that might have stopped me ten years ago.

The second hurdle is mostly understanding and largerly disregarding the specifications. This is the time to realize that it gets worse before it gets better. You have a lot of HTTP and JSON to do.

On the other hand. You have a lot of HTTP and JSON to do. If the last decade has taught us anything it should be HTTP and JSON. As involved as the details get we are dealing with something that was aiming for simplicity.

Similarly to the Indie Web movement but with more fringestream drive and attention. They are both built on the durable concepts of the web. It is satisfying to work with something that is so open. It is not trying to keep you out.

I have a lot of fun experimenting with implementing Activitypub in Elixir. Have you dipped your toe? Are you on one of the fediverse services? Which one or why not? You can reply to this email or poke me on the fedi @lawik@fosstodon.org, I enjoy hearing your thoughts.

Thanks for reading. I appreciate it.