Bill Kearney

PostBack, TrackBack, through Hell and Back?

It seems some nice traction is building toward using more robust tracking of comments and postings. Will it withstand the simpleton arguments?

Overly complex solutions are certainly worth avoiding. But take care not to accept calling it complex as a ruse because lazy, sloppy or proprietary tools can't use it. We seen that canard used before in RSS.

As Einstein is oft quoted, make things as simple as possible but no simpler.

We're all painfully aware that spamming of referring logs, trackbacks and the like are a problem, a situation likely only to get worse. At the same time there's the sociological issues of permission and group forming. My proposal for using digitally signed messages is way for people to maintain some shred of control or at least some accountability. The group forming aspects of this stuff are really not being paid enough attention. Foaf is breaking interesting ground there.

I really like the ideas of trackback and pinging. They're great and it's possible a lot of this stuff can be combined.

My motivation is to find an easy way for me to keep tabs on all the places I've posted. I want an easy way for my postings to "phone home" to me. I'll avoid rehashing the details but I don't want to use a third party service as a reflector. For various reasons, privacy being one of them. I'd also like to have a way for the website to participate in an exchange of messages that have some accountability. I don't want to have to slog through yet another list of bogus messages.

The circle I'm suggesting is this, I get a public key. The sites that support this process also get a key, one for each. Keys using PGP are free. I'll give the site my key when I post to it, probably using a bookmarklet. I, at some point in the process, will have told my postback receiver (my MT blog?) to accept postbacks from that site. The site then sends me a message signed with it's own key and encrypted with mine.

These exchanges do not have to take place in real time. They're bread crumbs leading back to where I've been; I don't need them right away. It's the three days or weeks later when I might want to do some follow up.

What using keys does is prevent my site from having to deal with junk. If I haven't put the sender's key into my local keyring it's not going to ever get accepted. And since the content is encrypted I can feel reasonably assured that it's safe from prying eyes or alteration so I could use mail, instant messengers or any number of different delivery methods.

The pieces to do this are freely available today. PGP itself and keys can be had for free. A nice side effect is these keys can be used as a basis for building up circles of trust. Not only can I have a key but I can sign keys of others as a way to 'vouch' for them. That can be used as a guide about what to accept from others. As more people and sites use keys it becomes possible to start expecting it of them.

This is not rocket science. While it's not plain text it's not as complicated as some folks are undoubtedly going to try to con you into believing.

There's certainly a chicken and egg situation here. But it's high time for this egg to get hatched and for the chicken to cross the road. To sit on one side of the road leaves you open to the spam attacking we're seeing more and more of. Listening to the chicken littles out there will have you stuck in the middle of the road, likely to be run over by vendor scheming. Instead, maybe it's time to take a long look at making use of some sophisticated technology to solve the problems in ways that hold up much better in the long run.

Besides, go look who's doing PGP in CPAN. Ring any bells?