# I am the Watcher. I am your guide through this vast new twtiverse.
# 
# Usage:
#     https://watcher.sour.is/api/plain/users              View list of users and latest twt date.
#     https://watcher.sour.is/api/plain/twt                View all twts.
#     https://watcher.sour.is/api/plain/mentions?uri=:uri  View all mentions for uri.
#     https://watcher.sour.is/api/plain/conv/:hash         View all twts for a conversation subject.
# 
# Options:
#     uri     Filter to show a specific user's twts.
#     offset  Start index for query.
#     limit   Count of items to return (going back in time).
# 
# twt range = 1 16
# self = https://watcher.sour.is/conv/nxocirq
I remember in grad school one of my professors saying "Networking and data storage are dual. One is about communicating data through space; the other is about communicating data through time" and 🤯. This was in the context of information theory and cryptography. I often go back to that idea.
on a related note, someone please dissuade me from buying a HSM and setting up my own certificate authority.
@abucci Why do you want to setup your own CA? 🤔
@prologic Because then you can do nifty things like issue your own client certificates and use those instead of passwords for secure logins to a bunch of stuff. You could issue your own certificates for web sites too, and as long as your personal certificate authority is registered in your browser or app, it'll work just like one issued by an authority. It mostly makes that kind of stuff easier and within your own control, so that you don't have to trust third parties or purchase certificates. It comes at the cost of a giant pain in the ass to manage the HSM and certificate authority.
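The workflow described in the reply above (a personal CA issuing client certificates, trusted only where that CA is registered), as an added example that is not part of the thread and not code from any project mentioned in it. It uses the plain openssl CLI (1.1.1 or newer assumed). The directory layout, the CA name "Home Lab Root CA" and the user name "abucci" are placeholders; a real deployment would keep `ca.key` inside the HSM (through its PKCS#11 module) rather than in a file, and that part is not shown.

```shell
#!/bin/sh
# Added example (not from the thread): a tiny private CA with the openssl CLI.
# Assumptions: openssl 1.1.1+ on PATH; every path, the CA name and the user
# name "abucci" are placeholders. A real setup keeps ca.key in the HSM instead
# of on disk; that part is not shown here.
set -eu

# make_ca DIR CN: P-256 key plus a self-signed CA certificate in DIR.
# Extensions are given explicitly, so the cert is a CA and nothing else
# (pathlen:0 means it may sign leaf certs only, not intermediate CAs).
make_ca() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
    openssl req -new -key "$dir/ca.key" -subj "/CN=$cn" -out "$dir/ca.csr"
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
EOF
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt"
}

# issue_client_cert CADIR OUTDIR USER: key and CSR for USER, signed by the CA.
# The leaf gets extendedKeyUsage=clientAuth only, so the same cert cannot be
# turned around and used as a server certificate or as another CA.
issue_client_cert() {
    cadir=$1; out=$2; user=$3
    mkdir -p "$out"
    openssl ecparam -name prime256v1 -genkey -noout -out "$out/$user.key"
    openssl req -new -key "$out/$user.key" -subj "/CN=$user" -out "$out/$user.csr"
    cat > "$out/$user.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
EOF
    openssl x509 -req -in "$out/$user.csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
        -CAcreateserial -sha256 -days 90 -extfile "$out/$user.ext" -out "$out/$user.crt"
}

# verify_client_cert CADIR CERT: succeed only if CERT chains to this CA and its
# key usage / EKU allow TLS client auth. This is the check a server (nginx with
# ssl_verify_client, an SSO front end, etc.) performs against its configured CA.
verify_client_cert() {
    openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# demo: one CA we control, one we do not; the client cert is trusted only by ours.
demo() {
    work=$(mktemp -d)
    make_ca "$work/ca" "Home Lab Root CA"
    make_ca "$work/other" "Some Other CA"
    issue_client_cert "$work/ca" "$work/clients" abucci
    if verify_client_cert "$work/ca" "$work/clients/abucci.crt"; then
        echo "abucci.crt: accepted by Home Lab Root CA"
    fi
    if ! verify_client_cert "$work/other" "$work/clients/abucci.crt"; then
        echo "abucci.crt: rejected by Some Other CA (expected)"
    fi
    rm -rf "$work"
}

demo
```

The point of the explicit `.ext` files is the one the reply glosses over: a CA that is registered in your browser is trusted for everything, so the certificates it issues should carry the narrowest key usage and EKU that does the job, and the CA itself should be marked with `pathlen:0` so a leaked leaf key can never be used to mint further certificates.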
@abucci Hmmm does the website or web app have to explicitly support certificate based auth? 🤔
@abucci I have to do this for my homelab. Will let you know in the next days how it worked out. There is also a nice piece of software to do so: https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/

But I never tried it.
@carsten there's a lot of interesting information in this, including the Infinite Noise TRNG. Thanks!
@prologic lots of apps and especially single-sign on solutions support certificate-based authentication.
@abucci in a personal case, in 2022 I explored client certificates (I can't recall who suggested that; was it you?).

I think it's amazing for corporates and perhaps power users. Anyway, I think it's too obscure for a normal employee who doesn't understand what's going on.

For something closer to the current Web experience I think WebAuthn/Passkeys will be slightly simpler to use and to implement, due to support from the main OSes and the security hardware integrated into PCs and phones. Or you can use a USB device, which is closer to a "car key", the physical aspect being easier to understand than an abstract encryption technology IMO.

But as they say, why not both?
@eaplmx one of the big advantages of hardware-based cryptographic devices is that they can perform the sensitive operations on the hardware rather than relying on a computer's CPU. The trouble with the latter is that very sensitive information like decrypted keys can get into the RAM, CPU cache, or registers, where they are vulnerable to attacks. Add to that that you can air gap a HSM for most of its life--so that it's never internet accessible--and you have a setup that is significantly safer than alternatives. Yes, it takes work and can be confusing, but I'd be using this for myself mostly and the small group of people who use the services I run.