The bmannconsulting.com website

OAuth

+19
_notes/ATProto and MCP both picking OAuth.md
···
+
[[ATProtocol]] and [[MCP]] are both picking OAuth as their authorization layer.
+
+
In both scenarios, the need is for a wide set of distributed participants that need to authorize, who can't do pre-registration of all the different endpoints that are available.
+
+
This is made possible by [[OAuth]] advancements like RFC 7591 [Dynamic Client Registration](https://oauth.net/2/dynamic-client-registration/):
+
+
> The OAuth 2.0 Dynamic Client Registration extension provides a mechanism for dynamically or programmatically registering clients. This spec was derived from the OpenID Connect Dynamic Client Registration spec and is still compatible with OpenID Connect servers.
+
+
And increased security with RFC 9449 [Demonstrating Proof-of-Possession (DPoP)](https://oauth.net/2/dpop/):
+
+
> [DPoP](https://datatracker.ietf.org/doc/html/rfc9449), or Demonstrating Proof of Possession, is an extension that describes a technique to cryptographically bind access tokens to a particular client when they are issued. This is one of many attempts at improving the security of [Bearer Tokens](https://oauth.net/2/bearer-tokens/) by requiring the application using the token to prove possession of the same private key that was used to obtain the token.
+
+
[[Aaron Parecki]] who works on the OAuth spec has also written [[Let's fix OAuth in MCP]] which goes into more details.
+
+
---
+
+
[[UCAN]] as a way to delegate capabilities also plays in this space. I am actively looking for high value use cases where these OAuth approaches do not solve the problem.
+
+
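Review bot: this is the only new note in the commit without a YAML front matter block, so it will carry no `tags:` (the other notes tag `OAuth`, `MCP`, `ATProtocol`) and no `link:`; add a block such as `tags:` / `- OAuth` / `- MCP` above the first paragraph for consistency with the rest of the commit. Also, the sentence introducing DPoP says only "increased security" without saying what is secured: the quote itself says DPoP binds the access token to the client that holds the private key, which is a different concern from the open registration that the dynamic client registration paragraph describes (no pre-registration means the authorization server has not vetted the client). One sentence separating those two roles, token binding versus client admission, would make the note's argument explicit.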
+17
_notes/Aaron Parecki.md
···
+
---
+
tags:
+
- person
+
- OAuth
+
- IndieWeb
+
- developer
+
- IETF
+
link: https://aaronparecki.com/
+
---
+
+
[[OAuth]] bio:
+
+
> Aaron Parecki is Director of Identity Standards at Okta. He is the author of [OAuth 2.0 Simplified](https://oauth2simplified.com/), and maintains [oauth.net](https://oauth.net/). He regularly writes and gives talks about OAuth and online security. He is a member of the [OAuth working group](https://aaronparecki.com/oauth/), and is the co-founder of [IndieWebCamp](https://indieweb.org/), a conference focusing on data ownership and online identity. Aaron has spoken at conferences around the world about OAuth, data ownership, quantified self, and home automation, and his work has been featured in Wired, Fast Company and more.
+
+
[[IndieWeb]] bio:
+
+
> Aaron Parecki is the co-founder of [IndieWebCamp](https://indieweb.org/), an annual unconference on data ownership and online identity. Aaron helps people own their online content by creating specs such as the W3C [Webmention](https://www.w3.org/TR/webmention/) and [Micropub](https://www.w3.org/TR/micropub/) specifications. He also participates in the OAuth working group, maintains [oauth.net](https://oauth.net/), and wrote [OAuth 2.0 Simplified](https://oauth2simplified.com/). He has spoken at conferences around the world about OAuth, data ownership, quantified self, and even explained [why R is a vowel](https://www.youtube.com/watch?v=FGVJ0eXTRpw).
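Review bot: the two block quotes are labelled `[[OAuth]] bio:` and `[[IndieWeb]] bio:`, which link to this site's own notes rather than to the page each bio was copied from; add the source URL after each label (the labels suggest oauth.net and the indieweb.org wiki) so the quotations are attributable. Minor: `link:` is placed after `tags:` here while Airtime.md and the other new notes put `link:` first; harmless for Jekyll, but worth making consistent.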
+13
_notes/Airtime.md
···
+
---
+
link: https://www.airtimetools.com
+
tags:
+
- app
+
- saas
+
- video
+
- organization
+
aliases:
+
- mmhmm
+
---
+
Airtime used to be called **mmhmm**, and is a video creator app. It includes a virtual camera that can do overlays and branding, and then has a subscription service that does video storage and sharing.
+
+
Founded by [[Phil Libin]]
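Review bot: `Founded by [[Phil Libin]]` on the last line is a sentence fragment with no terminating period; either end it with a period or fold it into the paragraph above ("...video storage and sharing. It was founded by [[Phil Libin]]."). The `aliases:` / `- mmhmm` entry is the right way to keep the old name resolvable.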
+16
_notes/Autonomous Communicator Protocol.md
···
+
---
+
link: https://www.germnetwork.com/blog/autonomous-communicator-ac-protocol
+
tags:
+
- protocol
+
- MLS
+
- e2ee
+
permalink: /notes/acprotocol
+
---
+
Protocol designed by [[Germ Network]] for secure, e2ee messaging using [[MLS]]
+
+
> The AC Protocol encapsulates our chosen message security protocol, Messaging Layer Security (MLS), under a new identity layer, and above a new transport layer. In doing so, we decouple identity from transport, allowing us to remove identity from message envelopes in transit, and free both identity and transport layers to flexibly evolve identifiers to serve the divergent needs of each.
+
>
+
> This protocol is an internet-native reimagination of your contacts — no longer a rolodex of stale information I accumulated about someone else, but a living, cultivated set of connections over E2EE messaging, within which we safely and consensually update each other as our ends of relationships evolve and move.
+
>
+
> Alongside this post, we are open-sourcing our [Swift implementation](https://github.com/germ-network/autonomous-comm-protocol) of the protocol under the MIT license.
+
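Review bot: the lead sentence `Protocol designed by [[Germ Network]] for secure, e2ee messaging using [[MLS]]` lacks a period, and the file ends with a stray blank line after the last quote. More usefully, the quoted paragraphs carry the security-relevant claim (identity decoupled from transport, identifiers removed from message envelopes in transit) but the note's own text does not state it; a one-line summary above the quote would let the note stand without the quotation.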
+12
_notes/Castopod.md
···
+
---
+
link: https://castopod.org/
+
tags:
+
- podcast
+
- ActivityPub
+
- app
+
- opensource
+
- PHP
+
git: https://code.castopod.org/adaures/castopod
+
github: https://github.com/ad-aures/castopod
+
---
+
Open source podcast hosting software that is [[ActivityPub]] enabled. Each podcast has an AP account that can be followed / mentioned / replied to, and it embeds each episode so that it can be played directly from your feed.
+3
_notes/Germ Network.md
···
+
---
+
link: https://www.germnetwork.com/blog/autonomous-communicator-ac-protocol
+
---
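Review bot: this file is a front-matter stub with only `link:`, no `tags:` and no body, so the `[[Germ Network]]` wikilink in Autonomous Communicator Protocol.md resolves to an empty page. Add at least `tags:` / `- organization` and a one-line description, and consider pointing `link:` at the organization's site: the URL used here is the blog post that is already the `link:` of the protocol note in this same commit.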
+33
_notes/Groundmist.md
···
+
---
+
link: https://groundmist.xyz
+
tags:
+
- ATProtocol
+
- Automerge
+
- localfirst
+
---
+
Groundmist is a series of experiments using [[Automerge]] for local first editing and private sharing, combined with [[ATProtocol]] for login and public publishing.
+
+
It also explores using ATProto [[Lexicon]] in a local first context for data composability.
+
+
## Experiment 1: ATproto as Distribution for Local-First Software
+
+
[Exploring the AT Protocol as a distribution layer for local-first software](https://hackmd.io/@grjte/groundmist-distribution)
+
+
## Experiment 2: Legibility
+
+
### Groundmist Notebook
+
+
https://notebook.groundmist.xyz/
+
+
> Groundmist Notebook is an AppView for the [WhiteWind](https://whtwnd.com/) blog entry lexicon _com.whtwnd.blog.entry_. All public WhiteWind content is available.
+
>
+
> A local-first content editor is available at [editor.groundmist.xyz](https://editor.groundmist.xyz/). Use it to create your own notes and keep them off atproto until you're ready to publish.
+
+
<https://github.com/grjte/groundmist-notebook>
+
## Experiment 3: Composability
+
+
### Groundmist Sync
+
+
> Groundmist Sync is a self-hosted personal sync server which is owned by your atproto identity. When you log in to other Groundmist applications (Library or Notebook), data will automatically sync to this server, unifying your local-first data into a personal data store that is analogous to your atproto PDS, but private.
+
+
<https://github.com/grjte/groundmist-sync>
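Review bot: the heading `## Experiment 1: ATproto as Distribution for Local-First Software` spells the protocol `ATproto` while the body and tag use `ATProto` / `ATProtocol`; pick one. The repo link `<https://github.com/grjte/groundmist-notebook>` runs straight into the `## Experiment 3: Composability` heading without the blank line used everywhere else in the note. Also the Groundmist Sync quote refers to a `Library` application that the note never introduces; a short line or link for Groundmist Library would close that gap.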
+19
_notes/Let's fix OAuth in MCP.md
···
+
---
+
link: https://aaronparecki.com/2025/04/03/15/oauth-for-model-context-protocol
+
tags:
+
- article
+
- OAuth
+
- MCP
+
published: 2025-04-03
+
author:
+
- Aaron Parecki
+
---
+
[[Aaron Parecki]]'s thoughts on fixing OAuth in [[MCP]], where he walks through a bunch of OAuth flows. I'll quote the last bit which makes it clear how this impacts LLM usage:
+
+
> The problem is only made worse with the explosion of AI tools. Every AI tool will need access to data in every other application in the enterprise. That is a lot of OAuth consent flows for the user to manage. Plus, the user shouldn't really be the one granting consent for Slack to access the company Google Docs account anyway. That consent should ideally be managed by the enterprise IT admin.
+
>
+
> What we actually need is a way to enable the IT admin to grant consent for apps to talk to each other company-wide, removing the need for users to be sent through an OAuth flow at all.
+
>
+
> This is the basis of another OAuth spec I've been working on, the [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/).
+
>
+
> The same problem applies to MCP Servers, and with the separation of concerns laid out above, it becomes straightforward to add this extension to move the consent to the enterprise and streamline the user experience.
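Review bot: the last quoted paragraph says "with the separation of concerns laid out above", but nothing in this note lays that out, so the quote does not stand on its own; add a sentence in the note's own words summarizing the separation the article proposes (the summary line above only says he "walks through a bunch of OAuth flows"). Naming the draft's short title, Identity Assertion Authorization Grant, in the note text rather than only inside the quote would also make it findable by search.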
+40
_notes/OAuth.md
···
+
---
+
link: https://oauth.net/
+
tags:
+
- OAuth
+
- specification
+
- IETF
+
- login
+
- authorization
+
---
+
> OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification and its extensions are being developed within the [IETF OAuth Working Group](https://datatracker.ietf.org/wg/oauth/about/).
+
>
+
> [OAuth 2.1](https://oauth.net/2.1/) is an in-progress effort to consolidate OAuth 2.0 and many common extensions under a new name.
+
## RFC 7591 Dynamic Client Registration
+
+
https://oauth.net/2/dynamic-client-registration/
+
+
> The OAuth 2.0 Dynamic Client Registration extension provides a mechanism for dynamically or programmatically registering clients. This spec was derived from the OpenID Connect Dynamic Client Registration spec and is still compatible with OpenID Connect servers.
+
+
https://datatracker.ietf.org/doc/html/rfc7591
+
+
> This specification defines mechanisms for dynamically registering
+
OAuth 2.0 clients with authorization servers. Registration requests
+
send a set of desired client metadata values to the authorization
+
server. The resulting registration responses return a client
+
identifier to use at the authorization server and the client metadata
+
values registered for the client. The client can then use this
+
registration information to communicate with the authorization server
+
using the OAuth 2.0 protocol. This specification also defines a set
+
of common client metadata fields and values for clients to use during
+
registration.
+
+
## RFC 9449: OAuth 2.0 Demonstrating Proof-of-Possession (DPoP)
+
+
https://oauth.net/2/dpop/
+
+
> [DPoP](https://datatracker.ietf.org/doc/html/rfc9449), or Demonstrating Proof of Possession, is an extension that describes a technique to cryptographically bind access tokens to a particular client when they are issued. This is one of many attempts at improving the security of [Bearer Tokens](https://oauth.net/2/bearer-tokens/) by requiring the application using the token to prove possession of the same private key that was used to obtain the token.
+
+
https://datatracker.ietf.org/doc/html/rfc9449
+
+
> This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.[¶](https://datatracker.ietf.org/doc/html/rfc9449#section-abstract-1)
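Review bot: the final quote ends with `[¶](https://datatracker.ietf.org/doc/html/rfc9449#section-abstract-1)`, a pilcrow anchor copied from the datatracker page along with the abstract; drop it. Also the RFC 7591 abstract (`> This specification defines mechanisms for dynamically registering`) carries the `>` marker only on its first line and relies on lazy continuation to render as one block quote, while every other quote in the commit prefixes each line; either prefix each line or rejoin the hard-wrapped abstract into a single paragraph as was done for the DPoP abstract below it.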
+13
_notes/Phil Libin.md
···
+
---
+
wikipedia: https://en.wikipedia.org/wiki/Phil_Libin
+
tags:
+
- person
+
- founder
+
- investor
+
- venturestudio
+
---
+
Phil is probably best known as the CEO of Evernote.
+
+
> born February 1, 1972 in Leningrad, USSR and moved to America when he was eight years old. He was CEO of the Silicon Valley software company [Evernote](https://en.wikipedia.org/wiki/Evernote "Evernote") from 2007 to 2015, then became Executive Chairman of Evernote's board. In September 2015, Libin joined General Catalyst Partners as its fourth general partner in Silicon Valley. In September 2016, Libin stepped down as Executive Chairman of Evernote's board of directors to focus on his role at General Catalyst Partners.
+
>
+
> Currently, Libin runs the Startup [[Airtime]] (formerly mmhmm) and the [All Turtles](https://www.all-turtles.com/). Libin is a proponent of the benefits of hybrid and remote work and resides in Bentonville, Arkansas
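Review bot: the Wikipedia quote starts mid-sentence (`> born February 1, 1972 in Leningrad, USSR`), with the subject missing; begin the quote at the subject or supply it in brackets. The second quoted paragraph has also been edited to contain the site's own `[[Airtime]]` wikilink inside quoted text and drops the period after `Bentonville, Arkansas`; keep quoted text verbatim and put the wikilink in the note's own sentence above the quote. Minor: `the Startup [[Airtime]]` capitalizes "Startup".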
+41
_notes/Protocols for Publishers.md
···
+
---
+
tags:
+
- protocol
+
---
+
Web publishers are facing challenges on multiple fronts, which are in turn changing culture as a whole.
+
+
- Search engines have broken the social contract with end users, where low quality sites float to the top, and that’s before we look at the integration of AI summaries or generated results (Google)
+
- Social platforms control algorithmic reach, gated by paid boosts and ads (Facebook, Twitter, Instagram)
+
- People are turning to answer engines in the form of LLM chat bots, with unknown bias, or reformulated content that often times doesn’t link to the original, published source (ChatGPT, Perplexity, Gemini)
+
- The pivot to video has just lead to new platform owners where publishers are forced to be participants to access reach (TikTok, YouTube, Instagram)
+
+
Things are shifting, and the question is not of keeping up, but rather of working together to chart a path for publishers and share learnings together.
+
+
## Protocols for Publishers Summer Workshop
+
+
July - August 2025 • Virtual & In person NYC
+
+
- Invited Web Publishers
+
- Select Protocol Partners
+
+
### Virtual hackathon
+
+
The virtual hackathon will run July 14th → August 8th. We’ll have a private chat server where participants will have access to resources, peer check ins, and direct support for protocol questions and troubleshooting.
+
+
We’ll start with an overview and briefing of major trends and protocols, and share knowledge and challenges.
+
+
We’ll focus on three emerging protocols:
+
+
- MCP (Anthropic)
+
- Web Applets (Unternet + Mozilla)
+
- AT Protocol (Bluesky + Graze)
+
+
Each week we’ll start with a deep dive and example of the protocol, and live discussion. Each web publisher team will work on one or more self guided learning exercises or experimental project. You can check in with your peers,
+
+
### Protocols for Publishers Summit in New York @ Betaworks
+
+
After the virtual hackathon, we’ll plan to meet in New York for an in person summit, plus a few select guests. We’ll recap what we learned during the virtual hackathon, and share challenges and opportunities as publishers exploring protocols.
+
+
An evening demo day will include a wider group of public demos and explorations of protocols, all hosted at Betaworks.
+
+
Publisher teams are welcome to present publicly if they would like to share, otherwise we will showcase an inspiring selection of makers and builders on what they’re up to with protocols.
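Review bot: the paragraph under `### Virtual hackathon` is cut off mid-sentence: `You can check in with your peers,` has no continuation; finish or trim it. Also `The pivot to video has just lead to new platform owners` should read `led`, and `an in person summit, plus a few select guests` reads as if the guests are added to the summit rather than to the attendees; rephrase to say who is invited.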
+33
_notes/Unnamed Good Pod.md
···
+
---
+
tags:
+
- podcast
+
link: https://podcasts.cosocial.ca/@unnamedgoodpod
+
---
+
A podcast that I did with Serena & Max from [[1RG]]. Using [[Castopod]] hosted at [[CoSocial]].
+
## EP01: Introducing Unnamed Good Pod, 1RG Incubator, and AT Protocol
+
+
<iframe width="100%" height="112" frameborder="0" scrolling="no" style="width: 100%; height: 112px; overflow: hidden;" src="https://podcasts.cosocial.ca/@unnamedgoodpod/episodes/introductions-1rg-incubator-and-at-protocol/embed/light"></iframe>
+
+
The first episode of Unnamed Good Pod.
+
+
We introduce ourselves
+
+
Max and Serena introduce [[1RG]] space & community in Toronto, and describe the new [1RG Incubator](https://incubator.1rg.space/).
+
+
Boris goes deep on [[ATProtocol]], the open social protocol that powers Bluesky and other apps.
+
+
## Mentions and Links
+
+
[[UKAI]] talking about cultural R&D:
+
+
> At UKAI, we seek and test out approaches to culture that make sense of the world we are creating and handing down to future generations.
+
>
+
> We call this work cultural research and development, and just like R&D in other fields, we are trying to make things better. In our case, we are trying to build resilience to massive volatility and change.
+
+
Erin Kissane, saying we can't just have technologists retreat to cozy web spaces that THEY are capable of inhabiting, writing in [Against the Dark Forest](https://www.wrecka.ge/against-the-dark-forest/):
+
+
> The public social internet is worth designing and governing in a way that demonstrates less than total amnesia about the history of human civilizations and the ways we’ve learned to be together without killing each other. For people with the ability and willingness to work on network problems, the real choice isn't between staying on the wasteland surfaces of the internet and going underground, but between making safer and better places for human sociability and not doing that.
+
+
The [ATProto Browser](https://atproto-browser.vercel.app/) lets you look at the data in your user repo. You'll see Bluesky posts if that's all you've tried, but as an example [Recipe Exchange](https://recipe.exchange/) is an app that stores recipes in your account. This very much demonstrates user-owned data.
+
+
You can [browse Boris' account](https://atproto-browser.vercel.app/at/bmann.ca) to get a sense for different types of data.
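Review bot: the raw `<iframe ...>` embed has no `title` attribute, which assistive technology needs to describe the frame, and no `loading="lazy"`; both are standard HTML attributes and cost nothing to add. Also `We introduce ourselves` is a fragment with no terminating period, and the `## EP01` heading follows the intro paragraph without the blank line used between the other blocks in this note.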