<div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small"><br></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Wed, Feb 26, 2025 at 4:07 PM Philip Homburg <<a href="mailto:philip@nlnetlabs.nl">philip@nlnetlabs.nl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<p><br>
</p>
<div>On 26/02/2025 21:33, Phillip
Hallam-Baker wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr"><br>
<div style="font-size:small">The user
experience I am aiming for with a webcam is Alice buys the
webcam, gives it a name in the DNS space for her house '<a href="http://webcam.house.example.com" target="_blank">webcam.house.example.com</a>' and
lists @<a href="http://alice.example.com" target="_blank">alice.example.com</a>, @<a href="http://bob.example.net" target="_blank">bob.example.net</a>, @<a href="http://carol.example.com" target="_blank">carol.example.com</a>
as the list of people authorized to access it. From that
point on, they can go to <a href="https://webcam.house.example.com/" target="_blank">https://webcam.house.example.com/</a>
and log in via OAUTH using a regular browser.</div>
<div style="font-size:small"><br>
</div>
<br>
</div>
</div>
</blockquote>
Before moving on with the details of the protocol, it is worth
considering whether it is smart to put handles for users in DNS. DNS
is good at publishing information, and a list of authorized users is
typically not something you want published.<br></div></blockquote><div><br></div><div><span class="gmail_default" style="font-size:small">The authorizations don't go in the DNS. The only thing that goes into the DNS is links to the metadata that allows the user to use it for various purposes.</span></div><div><span class="gmail_default" style="font-size:small"><br></span></div><div><span class="gmail_default" style="font-size:small">@<a href="http://phill.hallambaker.com">phill.hallambaker.com</a> is my Bluesky account; the unique identifier for my account is in a TXT record with the domain _atproto.phill.hallambaker.com<br></span></div><div><span class="gmail_default" style="font-size:small"><br></span></div><div><span class="gmail_default" style="font-size:small">An authorization list is just a list of DNS names: {</span><a href="http://alice.example.com/" target="_blank">alice.example.com</a>, <a href="http://bob.example.net/" target="_blank">bob.example.net</a>, <a href="http://carol.example.com/" target="_blank">carol.example.com</a><span class="gmail_default" style="font-size:small">} that doesn't go into the DNS; the webcam gets it out of band.</span><br></div><div><span class="gmail_default" style="font-size:small"><br></span></div><div><span class="gmail_default" style="font-size:small">I see DNS handles as being the next logical extension of the scope of the DNS. At the start, DNS was used to identify only hosts. Then for email, it was realized that what was needed was to identify an abstract service that can be supported by a set of hosts.
A DNS handle is a means of identifying the user service as a domain.</span></div><div><span class="gmail_default" style="font-size:small"><br></span></div><div><span class="gmail_default" style="font-size:small">Services can't resolve a handle to a user, but they can resolve it to a means of identifying the user: how to authenticate them when they log in, what messaging, voice and video apps they support, and how to connect to them.</span><br></div><div><span class="gmail_default" style="font-size:small"><br></span></div><div><span class="gmail_default" style="font-size:small"><br></span></div><div><span class="gmail_default" style="font-size:small">Now, to be sure, putting the contact record into the DNS is going to get icky, because you would really prefer the DNS data to be as static as possible, and that can't happen if you are putting hashes of metadata in the DNS. So I am expecting to want to move to a situation where the data in the DNS is a signing key for an assertion scheme.</span></div></div></div></div>
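The handle-to-identifier resolution described in the reply (the webcam holds an out-of-band list of handles, each handle resolves via a TXT record at _atproto.&lt;handle&gt; to an account identifier, and the login is then authorized against that identifier), as an added example that is not code from the thread or from either author. It assumes the ATProto convention of a `did=` prefix in the TXT record, and it substitutes a constructed in-memory TXT table for live DNS so it runs offline; the did:plc values are placeholders.

```python
"""Resolve DNS handles to account identifiers via _atproto TXT records.

Added example, not from the thread. `lookup_txt` is an offline stand-in
for a real TXT query over a constructed table; swap it for a DNS client.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample zone data: name -> TXT strings. The did:plc values are
# placeholders, not real identifiers. carol has a handle but no did record.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_atproto.alice.example.com": ["did=did:plc:alice-placeholder"],
    "_atproto.bob.example.net": ["v=spf1 -all", "did=did:plc:bob-placeholder"],
    "_atproto.carol.example.com": [],
    "_atproto.phill.hallambaker.com": ["did=did:plc:phill-placeholder"],
}

def lookup_txt(name: str) -> List[str]:
    """Offline TXT lookup; returns [] when nothing is published at the name."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])

def resolve_handle(handle: str,
                   txt: Callable[[str], List[str]] = lookup_txt) -> Optional[str]:
    """Map '@handle' or 'handle' to the identifier in its _atproto TXT record.

    Returns None when no record exists or when records are ambiguous: an
    authorization decision must never guess between two identifiers.
    """
    handle = handle.lstrip("@").strip().lower()
    if not handle or any(not label for label in handle.split(".")):
        return None
    dids = [r[len("did="):] for r in txt(f"_atproto.{handle}") if r.startswith("did=")]
    return dids[0] if len(dids) == 1 else None

def build_allow_list(handles: List[str],
                     txt: Callable[[str], List[str]] = lookup_txt) -> Dict[str, str]:
    """Resolve the out-of-band handle list into identifier -> handle.

    Handles that do not resolve are dropped rather than silently admitted.
    """
    allowed: Dict[str, str] = {}
    for h in handles:
        did = resolve_handle(h, txt)
        if did is not None:
            allowed[did] = h.lstrip("@").strip().lower()
    return allowed

def is_authorized(asserted_did: str, allowed: Dict[str, str]) -> bool:
    """Decide on the identifier the login proved, not on a handle string."""
    return asserted_did in allowed
```

Because the allow list is keyed by the resolved identifier, a later change of which identifier a handle points to is picked up on the next resolution rather than leaving a stale handle-string match in place.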