Mailing List Archive

Request for Comment: protocol extension design
Hi all,
So for much of last year I've been working on the Python
bindings for GPGME (now in maintenance mode) and though that occupied
much of my time, it didn't occupy all of it. At least not all of the
time spent on matters of interest to this list.

I've also been spending a fair bit of time, mostly in April last year
and then again in November and December, as well as a little over the
last week, working on something else for OpenPGP in general. That
being an extension or adaptation of the W3C's ActivityStreams 2.0 and
ActivityPub protocols to integrate with OpenPGP in order to provide
features for both signed and/or encrypted activities or objects for
those two protocols.

For those unfamiliar with ActivityStreams and ActivityPub, they're
microblogging protocols which provide functionality similar to
Twitter, except via a federated model rather than a centralised one.
Most users of these protocols know them by the more familiar names of
the software implementing them: Mastodon and Pleroma. The various
server instances of these being collectively known as the fediverse.

My introduction to the fediverse came early last year, not long after
starting the Python bindings HOWTO and my reading up on the underlying
protocols at that time made one thing very clear to me. That those
protocols were inherently something very familiar to everyone here:
they were a transport protocol. They were, however, a transport
protocol with no integrated means by which end users could guarantee
the fidelity of their posts or content, nor could they guarantee
end-to-end encrypted private communications save by somewhat ad-hoc
means.

My proposal seeks to change that and now the second draft is ready for
public review, comment and critique.

It is pretty much essential to read and be familiar with Activity
Streams 2.0 and ActivityPub first. Both standards are available via
the W3C:

https://www.w3.org/TR/activitystreams-core/
https://www.w3.org/TR/activitypub/

Then move on to my work at the following URL. The zipfile after that
contains all the public and private key data used in the examples.

Active Cryptography: OpenPGP over Activity Streams 2.0
http://files.de.adversary.org/crypto/ac/index.html

Active Cryptography: supplemental files
http://files.de.adversary.org/crypto/ac/supplemental.zip

Both of these latter URLs are hosted on AWS S3 servers; so you can
access them via HTTPS, but it will trigger an SSL certificate mismatch
alert. It's up to you.

These documents and files are being published principally in Germany
for political reasons and just in case. I may mirror them in the USA
later on, but I haven't decided on what the best course for Australian
publication is just yet.


Regards,
Ben