At yesterday's HWC we talked a bit about the recently released W3C Annotation standards and annotations in general. The W3C standards have many ways of addressing content (“selectors”), many of which likely only work against a specific version of a document and site design. But there is a way to specify timestamps and link archived copies.

• hypothes.is
• Genius

• Fragmentions as a very simple way of linking to specific text locations in URL fragments. A more complex variation of this is described in the W3C annotation standard as well.
• The W3C standards do not specify how to notify sites of (public) annotations created elsewhere, despite showing this in the explanatory diagrams. Webmentions would be a natural fit for this: A receiver that implements the JSON-verification suggested in the standard already would at least recognize a stored annotation as a valid source, and could be extended to understand the entire representation and display it nicely.

Some discussion about (over-)sharing in social media, your own website, and a trend to move social media content to private channels.

Joel found the Indieweb wiki because he found Indieauth.com while searching for a new OpenID provider, and joined us.

• aaronpk has built an IRC-based chat widget for his homepage, inspired by our discussion
• Sebastian now uses his Wordpress login for Indieauth
• I (Sven) am working on a 2FA indieauth endpoint

• JSON Web Tokens as a standard way to create signed tokens with payloads, useful for e.g. authentication endpoints.

• We talked about various messaging-related topics:
  1. Matrix.org as a relatively new and open messaging protocol.
  2. The private webmention specification created from IWC Brighton.
  3. Sebastian would like a chat interface on his contact page so visitors can quickly talk to him if he is available. There are bunch of services targeted at e-commerce sites, but from a quick review not much suitable for individual pages. This was also discussed on IRC. (I’ll probably follow up on this in another post, once I ordered my ideas a bit)
• IndieAuth-the-protocol – several attendees weren't aware that they can use their own systems (e.g. existing website login) for IndieAuth and want to implement this now. Documentation for the necessary authorization endpoint is here.
• Security: Caddy server has a new fingerprinting feature to detect TLS interception proxies. One could show a warning to users along the lines of “Your HTTPS looks wonky. <yeah, I know> <HELP>”. I tried to think of additional ways to detect this, but the only one I could come up with, detecting missing HPKP headers using Javascript, wouldn't work because Firefox and Chrome ignore HPKP on local trust roots, so there is no need for a proxy to strip those.