Bluesky Satellite IndieWeb entry

IndieWeb community entry for the Bluesky Satellite contest.

rel-me links

The IndieWeb is a community that interacts via individual personal web sites, both directly and indirectly through other linked online accounts.

An IndieWeb community member’s primary online identity is their web site, specifically their domain. Ownership of their domain, and serving HTTP on it over TLS with a valid certificate, is considered proof that any content or assertions published on the site come from that person.

An IndieWeb community member connects their web site to their other online accounts with rel-me HTML links (from XFN) that point to them. For example, my home page snarfed.org has rel-me links like these (some real, some examples) to other accounts of mine:

<a rel="me" href="https://twitter.com/schnarfed">Twitter</a>
<a rel="me" href="https://mastodon.technology/@snarfed">Mastodon</a>
<a rel="me" href="mailto:bluesky@ryanb.org">Email</a>
<a rel="me pgpkey" href="/pubkey.txt">PGP public key</a>
<a rel="me payment" href="bitcoin:1234567890abcdefghijklmnopqrstuvwx">Bitcoin</a>

A rel-me link asserts that the linked identity or account is owned by the same person. The site owner can prove this assertion by linking back to their web site from the linked account’s profile, ideally also with rel-me. See identity consolidation, distributed verification. As an alternative, they can authenticate as the linked account, described below.
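The link-back check described above can be sketched as follows. This is an added example, not code from the IndieWeb projects: the function names are hypothetical, the profile pages are constructed samples, and it counts only backlinks that themselves carry rel-me (the stricter of the two forms mentioned above).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class RelMeParser(HTMLParser):
    """Collect hrefs of <a>/<link> elements whose rel list contains "me"."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links = base_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rels = (attrs.get("rel") or "").lower().split()
        if tag in ("a", "link") and "me" in rels and attrs.get("href"):
            # Resolve relative hrefs such as /pubkey.txt against the page URL.
            self.links.append(urljoin(self.base_url, attrs["href"]))

def rel_me_links(page_url, html):
    parser = RelMeParser(page_url)
    parser.feed(html)
    return parser.links

def normalize(url):
    """Compare on scheme, lowercased host, and path without trailing slash."""
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.path.rstrip("/"))

def verified_accounts(home_url, home_html, profiles):
    """Return rel-me targets whose (already fetched) profile HTML links back."""
    verified = []
    for target in rel_me_links(home_url, home_html):
        if urlsplit(target).scheme != "https" or target not in profiles:
            continue  # mailto:, bitcoin:, keys need a different proof
        back = rel_me_links(target, profiles[target])
        if any(normalize(b) == normalize(home_url) for b in back):
            verified.append(target)
    return verified

# Constructed sample pages, not fetched from the real sites.
HOME_URL = "https://snarfed.org/"
HOME_HTML = """
<a rel="me" href="https://twitter.com/schnarfed">Twitter</a>
<a rel="me" href="https://mastodon.technology/@snarfed">Mastodon</a>
<a rel="me" href="mailto:bluesky@ryanb.org">Email</a>
<a rel="me pgpkey" href="/pubkey.txt">PGP public key</a>
"""
PROFILES = {  # profile URL -> HTML; the second one points at a different site
    "https://mastodon.technology/@snarfed": '<a rel="me" href="https://snarfed.org">site</a>',
    "https://twitter.com/schnarfed": '<a rel="me" href="https://example.com/">site</a>',
}
```

With the sample data, only the Mastodon profile is verified: the second profile is claimed by the home page but links back elsewhere, so the one-way assertion is not accepted.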

Authentication

rel-me links allow a form of distributed authentication. When we fetch someone’s home page and read their rel-me links, we get a set of accounts that they’re asserting they own. If someone authenticates with one of those linked accounts via OAuth, or provides a signature that matches a linked public key, or provides a confirmation code sent to a linked email address, they’ve effectively authenticated as the site’s owner.

IndieAuth is one widely used authentication scheme that works this way, along with its predecessor RelMeAuth.

Interactions

The IndieWeb community has gone far beyond rel-me links to implement a wide variety of social networking features between independent personal web sites, including replies, reposts, likes, emoji reactions, events, RSVPs, and more. These are based on simple, proven building blocks like DNS domains, HTTP and TLS, HTML with microformats 2, and the Webmention protocol. The community has also built bridges that translate these rich interactions to and from proprietary sites like Twitter.

Rubric

Here are our proposed scores for the contest rubric.

Thoroughness

3: Works for many types of accounts, and is implemented.

There are tens of thousands of IndieWeb community participants using these techniques, hundreds of independent, interoperating implementations of the core standards and protocols, dozens of tools and services that add functionality, and dozens more IndieWeb-friendly hosting providers that make it easy for new people to join.

Any URI-addressable resource may be supported as a linked account. There are hundreds of official IANA URI schemes, and many more unofficial ones.

Robustness

3: Tolerates different errors or input methods. Considers fallbacks, failcases.

IndieAuth is a W3C Working Group Note and is maintained by the community as a Living Standard. It has dozens of active implementations and multiple well-tested fallback and error handling paths.

Originality

1: Uses existing work with no further elaboration.

This describes the existing IndieWeb community’s work, which has been developed in the public over the last decade, and builds on many more decades’ worth of evolution of the open web and related building blocks. We believe this is a strength, not a weakness.

Decentralization

2.5: Design supports user agency, resilience. Design has one or two points of centralization that make sense.

The vast majority of this design is decentralized. Interactions happen between individual personal web sites, which enjoy a large, robust ecosystem of hosting providers.

One key exception is DNS. DNS domains are hierarchical, so there is a wide selection of registrars, TLDs, and CAs to choose from, with a range of policies and terms of service. However, identities are determined by pay-level domains, so each TLD operator is a partial point of centralization. Verisign, as the DNS root operator, is another.

In practice, DNS has scaled beyond any newer decentralized system such as ActivityPub, IPFS, or blockchains. True, a single domain is at the mercy of its TLD operator, but documented domain clawbacks are very rare, and the breadth of the remaining ecosystem – registrars, CAs, hosts, protocol implementations – provides fertile ground to keep it decentralized and healthy.
