…
Who can “buy” ActivityPub? Who can “buy” SMTP or HTTPS?
A company doesn’t need to own the protocol if they own enough of the traffic on the network. Email is a good example here. Google has such a large marketshare of email that they can impose structural barriers for outsiders sending email to Gmail users. The barrier for sending a lot of email to Gmail users is incredibly high - even if a sender is using proper DKIM, SPF, and isn’t on any global spammer lists, Google can and often does rate limit the email coming in. At this point, if you’re sending email, you don’t have to contend only with the SMTP standards for sending email, you have to contend with Google’s arbitrary limits, which are most likely entirely opaque. And because Google owns such a large marketshare, senders need to play ball if they want to actually reach users.
Just so happens I’ve been working with email for twenty years. I’ve heard of this Google email thing, and while it certainly exists, it’s not an isolated case. Mail server admins are empowered to handle incoming mail in very many limiting ways, whether that be rate limiting, or spam filtering, or message size, or lots of other things.
While there are general standards for these kinds of limits, they all exist at essentially every receiving mail server - and for good reason. You have to implement limits, or it becomes elementary for your mail server to be attacked and endangered.
Because Google has a large stake in email, they are a large target for such attacks. It stands to reason that they would need to have strict limits in order to reduce their exposure. But again, all mail servers have various limits applied, and we’re still using SMTP.
Oh, and I forgot to mention: if Google wanted email senders to adhere to their limits, they would make those limits public. They don’t, because doing so would just tell malicious senders how to work around those limits.
So then it would seem like SMTP is a pretty poor example of an open standard? Acknowledging that a technology will only work in practice if everyone adds their own unpublished rules around it is kind of admitting that the standard and protocol isn’t sufficient.
You’re not wrong there. SMTP dates back to 1981, and at that time, there were zero security features, and it was designed to be used for plain text only. Every other feature of email has been glommed on to that core. HTTP, DNS, FTP, they all suffer from the same kind of thing - developed a very long time ago when security and identity were barely a thought.
I don’t know the details of how standards for ActivityPub is written, but being that it is much newer, I have to think that more thought has been put to modern needs. Of course, the modern landscape is completely different than it was in the early 1980s, so it’s yet to be seen how this will all develop. That said, these earlier protocols are examples of how a protocol can take hold and not be finally extinguished.