webmention-abuse-joeld | Parallel Transport

While I appreciate the sentiment and the idea of this post, I think having abuse prevention baked into a notification spec is misguided. * How do you include abuse prevention including rate-limiting, trust-verification into a decentralised notification spec based on an HTTP POST request? * What counts as abuse and trust is decided by the communicating parties not the notification spec. Same as whether you trust someone is not built into the English (or other) language… This is why (I think) webmention leaves it up to you to implement rate-limiting and trust-verification ( use PGP or something if you like ) on your own site. I’m sure @indiewebcamp would love to hear suggestions to the contrary though. But remember, webmention is a notification spec and a decentralised one at that.

Replies

Joel Dueck

replied on Twitter with

@kartik_prabhu well we tried this with email and trackbacks too. Just deliver and let the user decide. Assume sender’s goodwill. Bad idea…

@kartik_prabhu To deal with the resulting abuse in email, we came up with DKIM (en.m.wikipedia.org/wiki/DKIM). Trackbacks, well…died in a fire :)