as an implementor, one of my favorite things about the IndieWeb protocols is that they use SSL and certificates for basic identity, integrity, and privacy, instead of their own crypto layer. crypto is a great tool, but it’s horrible for interop, debugging, and accessibility to implementors. it defaults to opaque and unreadable. you have to invest a lot of time and effort into tools to make it debuggable. browser vendors have done exactly that for SSL, which makes implementing and debugging IndieWeb protocols infinitely easier and more approachable than Salmon, ActivityPub, etc.
(and yes, there are reasonable conversations to be had on whether DNS is decentralized “enough,” whether CAs are secure enough, etc. i don’t personally find them hugely compelling, but i’m open to them. i think this ease of implementation point still stands though.)
I’ve worked in information security for 15+ years, and I’d like to understand what you mean by “crypto” and “crypto layer” especially in the context of this statement:
“…they use SSL and certificates for basic identity, integrity, and privacy, instead of their crypto layer. ”
I certainly hope no one uses SSL.
@Khürt i’m guessing you mean you hope everyone uses TLS specifically as the protocol, instead of SSL? sure, obviously. that’s to be expected these days. people still often use the term “SSL” in casual conversation to refer to the broader ecosystem of https, CA-based certificates and verification, browser lock icons, etc, using TLS as the underlying protocol. that’s how i meant it.
indieweb protocols use domains as primary root identities, and use SSL (TLS) and certificate validation to check that they’re communicating with the right domain, and that the communication is secure and private. indieauth, webmention, microsub, etc all build on that core foundation, which lets them provide similar end to end identity and security guarantees without including any encryption, signatures, or key exchange in their own protocols. that’s what i meant by “crypto” and “crypto layer.”