Tuesday, July 27, 2010

pay for your lag?

there's a discussion over at gwyneth llewelyn's blog between her and rob blechner about the upcoming linden town hall meeting. one of the topics mentioned is lag, and what can be done about it. gwen is happy to hear philip rededicate the company to fighting lag, but rob makes the point that in a user generated content world, there's not a lot you can do about it.

this got me thinking... why not build a world where there's a financial cost to creating laggy prims?

determining what's laggy these days isn't an exact science, but i think we know enough to know make a few reasonable assumptions. saying "unoptimized textures and large collections of prims lead to more lag" is a good start.

maybe users in the virtual world could be given a "lag budget" measured in ARC-hours. (ARC is "Avatar Rendering Cost.") if you go over your lag budget, you have to pay for more. so if you were given 6000 ARC-hours per month, you could wear your 1500 ARC outfit for only four hours before you had to buy more lag. but you would get 40 hours of use out of your 150 ARC ruth-esque outfit.

maybe a benefit of premium accounts could be you could sell your unused lag on the "open lag exchange."

just a thought.
Posted by at 3 comments:
Labels: ,

what does it mean for a virtual world to be open?

for the last several years, a bunch of us in Second Life™ have been bemoaning the fact that it's more or less a walled garden. yes, there are plenty of ways to get data in and out of the virtual world (even more with viewer 2's "media on a prim" feature.) but there's still a LOT more we could do to open this place up.

in the vwrap working group, we've been focusing on technical details, only occasionally surfacing for more "broad ranging" conversations. i think everyone in the working group supports the concept of an "open" virtual world, but i don't know that we've sat down to have a detailed conversation about what that means.

so this is my two cents on this topic. i would love to hear other people's ideas.

what you get with Second Life™ at the moment

Second Life™ currently allows for some flow between the virtual world and the 2d web. for instance, you can apply a web page to an object's exterior. viewer 1 limited you effectively to one URL per parcel, using the parcel media feature. viewer 2, with all it's faults, introduced the concept of putting a live web page on a prim face. cool stuff.

LSL scripters can also create objects that query data sources on the web using the LSL HTTP Client feature. More recently objects in world gained the ability to respond to HTTP requests with the LSL HTTP Server feature. these features allow in-world developers to interact with the larger 2d web; objects in world can respond to things happening in embodied reality.

LSL developers have done some great work creating in world objects that act as bridges between data and communication channels in world and out. (i'm thinking specifically of the various devices that bridge SL Group Chat with IRC and XMPP.)

why this isn't enough

but my assertion is that while these features are great, they're just not enough.

these features are relatively limited in terms of MIME types you can use and length of HTTP requests and responses in and out of the virtual world. to do any "real" development, you need to establish a web proxy outside SL.

this isn't a deal killer per se, but it does introduce some issues. in order to consume relatively complicated data (an RSS or ATOM feed, for instance) you need both LSL skills and the ability to code server-side PHP, Python, Perl, Java, Ruby or what-not. again, not a deal killer, but it limits the set of people who can develop for your virtual world.

there are also "plumbing issues" like authentication and federated identity. and getting objects in and out of the world is a minor annoyance (i'm thinking of second inventory and related functionality for OpenSim.) moving things in and out of Second Life™ is not impossible, but it's hard to automate, and requires the use of interfaces the lab may change without advance notice.

don't get me wrong here; i understand there's a rationale for why we live with these limits. i don't subscribe to the opinion that the lab (or some of it's employees) is/are evil just because the lab's business model might not be aligned with my personal opinions of how the world should work.

but i might as well talk about what i would like to see and why.

so what would an "open" virtual world look like? my take on an "open" world is one where just about any bit of data needed to participate or render the world could be hosted on an arbitrary server somewhere.

identity, groups and authentication

let's start with identity, groups and authentication. right now in SL, if you want to create an account, you go to secondlife.com, fill in some data, click a button and viola! you have an account on linden's servers. what could possibly be wrong with that?

well... a lot, that's what.

the 1 million active users metric you hear from the lab is pretty good for a small virtual world, but it's dwarfed by WoW's 11.5 million (paying) users, twitter's 75 million and facebook's 500 million. what if we opened up the virtual world to other identity providers? what if we let people automagically provision an account using other identities. they could use their profile information from facebook, gmail, linkedin, twitter and even the wikipedia. this would remove the "friction" of forcing people to create a new account in order to use the service.

so instead of forcing users to provision a new account with it's own password, we could use OAuth, SAML or something similar to carry identity and authorization information. done correctly, this would allow people to retain their "branding" from other services. it would be very nice to know, for instance, that the Meadhbh Oh you meet in-world is the same as @OhMeadhbh on twitter.

twitter, facebook and gmail all have access to the "long form" name you used when you setup your account. why not use this information to put your account name over your head instead of the "fantasy" name we currently use?

group affiliation and friends lists could also be automagically "imported." or rather than having the virtual world make a copy of your social graph, it would just use your favorite, existing social networking site directly to populate your friends list each time you log in.

in the future, i think the "open" virtual world will provide a semi-public avatar profile that uniquely identifies you to virtual world systems and users. an identity provider could either provide that profile (think of how twitter does http://twitter.com/) or would give you the option of putting your avatar profile URL in your social media site profile next to your email and relationship status.

the virtual world cannot depend on a single identity provider. we must make it easy for users to provision accounts and bring their personal branding and social network with them.

text and voice chat

and what about text and voice chat? right now in SL, you have one provider for text and voice group and person-to-person chat. your text chat is routed though linden's servers for text chat and through vivox for voice. it would be nice if we, the users, could pick our favorite voice and text chat provider.

why? not to put too fine a point on it, group text chat in SL sucks rocks. and people might just want to use their existing skype account for voice chat; maybe they have a skype out account and want to add a POTS user to a conference call. or maybe they want to talk about super secret things and want to use a corporate VoIP system.

or maybe they want to just use IRC or XMPP to chat so that the discussion has the option of moving out of the virtual world and into the less immersive, but more common world of "plain ol' internet chat." imagine an experience where you could be tied into your social network by way of a simple text chat client; then when things "got interesting" you could drop in world to see what people were talking about.

and if you were handy with authentication mechanisms, you could probably use the same identity on the chat channel that you did in world. in fact, i would sort of demand it.

what about assets and land?

digital assets in Second Life™ are now inexorably tied to Linden's asset servers. when their servers go down, you lose access to your goods. things are certainly more stable these days than in the old days where sim crashes and grid-wide downtime were normal occurrences. but it's still very annoying to be forced to deal with someone else's network problems.

wouldn't it be nice if you could have your own asset server on your desktop machine? maybe even running your own simulator so you would have a non-social, desktop development option.

an "open" virtual world would give you that option. your assets are stored where you want them stored. if you want to build your 3d objects with AutoCAD or 3DMax and then drag them into the virtual world browser, that should be your option.

the "open" world goes beyond where we are today. it's more than just a few HTTP messages coming in and out of the virtual world, but interoperable, open standards underpinning every aspect of the experience.
Posted by at No comments:
Labels: ,

Monday, July 19, 2010

VWRAP essentials : capabilities

so i recently got an email from a VWRAP document reviewer asking if web capabilities could be considered "security by obscurity." the simple answer is, "no. as long as you treat a web capability as a one time use password for a resource, you should be fine."

but i realized then there are a number of people who don't grok caps. if you're unfamiliar with the terms "capabilities" or "caps" or "webcaps," this blog post may be for you. (note, i'm cribbing a lot of the text of this post from an earlier message i wrote on the OGPX mailing list )

what are capabilities anyway?

in general, "capabilities" are authorization tokens designed so that possession of the token implies the authority to perform a specific action.

consider a file handle in POSIX like systems; when you open a file, you get back an integer representing the open file. you only get this file handle back if you have access rights to the file. when you spawn a new child process, the child inherits your open file handles and it too can access those files via the file handle, even though the child process lives in a completely different process space. later versions of *nix even allow you to move open file handles between unrelated processes. so the takeaway here is, it's an opaque bit of data (i.e. - a token) and if you have it, it means you have the authority to use it. and, you can pass it around if need be.

capabilities on the web extend the concept. in addition to the token implying authorization to access some resource, it usually also provides the address to access the resource. in other words, a web capability is a URL possessed by a client that the client may use to create, read, update or delete a resource.

a web capabilities in VWRAP are in the form of a "well known" portion of a URL (something like "http://service.example.org/s/") and a large, unguessable, randomly generated string (like "CE7A3EA0-2948-405D-A699-AA9F6293BDFE".) putting them together, you get a valid URL a client can use to access a resource via HTTP. In this example, that URL would be "http://service.example.org/s/CE7A3EA0-2948-405D-A699-AA9F6293BDFE".

why the heck would i ever want to do that !?

no doubt about it, this is not a "standard pattern" for web services. normally, if you have a resource, you publish a well known resource for it and if it's sensitive you require the client to log in prior to being granted access.

for example, you might have a RESTful resource at "http://service.example.org/s/group/AWGroupies" representing the group "AWGroupies". you define an API that says if you want to post a message to the group, you use HTTP POST with data (XML, JSON or whatever) implying the semantic "post this message to this group". for the sake of discussion, let's say the message looks like:
  {
 from: "Meadhbh Oh",
 message: "I'm giving 50 L$ to anyone who IMs me in the next 5 minutes!"
}
authentication is in order here, but this is a well known problem, i simply use HTTP digest auth over HTTPS (or something similar) and we're done. this is a perfectly acceptable solution.

but there are a couple of issues with this solution.

most notably, every service that presents an interface to a sensitive resource MUST understand authentication. so not only does "http://service.example.org/s/group/AWGroupies" need to understand authentication, so does "http://service.example.org/s/user/Oh/Meadhbh" and
"http://service.example.org/s/parcel/Levenhall/Infinity%20is%20full%20of%stars" and so on.

it's not a problem really, until you start adding new authentication techniques. one day your boss comes to you and tells you.. "hey! we're using Secure/IDs for everything now!" ugh. but it's
still not that painful. you've probably abstracted out authentication, so you have a map of service URLs to authentication techniques and common libraries that actually authenticate requests throughout your system.

this works until the day that your boss comes in and says... "hey! we just bought our competitor cthulhos.com! we're going to integrate their FooWidget service into our service offering! isn't it great!" and then you get that sinking feeling cause you know that this means you've got to figure a way to get their service to talk to your identity provider so their service can authenticate your customers. people who have gonethrough this know that depending on the technology this can turn out to be a bag full of pain.

the standard way of doing this is something like:
  1. service request come into http://service.example.org/s/foo/Meadhbh
  2. http://service.example.org/s/foo/ redirects with a 302 to http://foo.cthulhos.com/Meadhbh
  3. http://foo.cthulhos.com/Meadhbh responds with a 401 getting the client to resubmit the request with a WWW-Authenticate: header.
  4. the client resubmits to http://foo.cthulhos.com/Meadhbh with the proper WWW-Authenticate: header, but remember, these are example.org's customers, so
  5. http://foo.cthulhos.com/Meadhbh sends a message to a private interface on example.org, asking it to authenticate the user credentials.
  6. assuming the client is using valid credentials, example.org responds to cthulhos.com with the digital equivalent of a thumbs up, and finally...
  7. http://foo.cthulhos.com/Meadhbh responds to the request.
and this works pretty well up until the point that the new CIO comes in and says, "infocard! we're moving everything to infocard!" there's nothing wrong with infocard, of course, but in this situation you've got to implement it at both example.org and cthulhos.com. and when we start adding to the mix the fact that the biz dev people keep trying to buy new companies and you get a new CIO every 18 months who wants a new user authentication technology, things can get out of hand.

and i didn't even talk about the fact that each time you change the authentication scheme, thick client developers have to go through the code, looking for every place a request is made.

web capabilities are not a magic panacea, but they can help out in this situation. rather than having each request authenticated, the user's identity is authenticated once at a central location (like example.org.) it coordinates with it's services (cthulhos.com) to provide a unique, unguessable URL (the capability) known only to that specific client and trusted systems (example.org and cthulhos.com)

so the flow would be something like...
  1. a client logs in at http://service.example.org/s/authme and asks for a capability to use a particular service
  2. http://service.example.org/s/authme verifies the user's credentials and verifies the user can access that service
  3. http://service.example.org/s/authme sends a request to a private interface on cthulhos.com asking for the capability.
  4. cthulhos.com generates the unguessable capability http://foo.cthulhos.com/EE409B12-6E9B-4F5B-90BF-161AE5DE410C and returns it to http://service.example.org/s/authme
  5. http://service.example.org/s/authme returns the capability http://foo.cthulhos.com/EE409B12-6E9B-4F5B-90BF-161AE5DE410C to the client
  6. the client uses the capability http://foo.cthulhos.com/EE409B12-6E9B-4F5B-90BF-161AE5DE410C to access the sensitive resource.
both approaches require establishing a trusted interface between example.org and cthulhos.com, but in the case of the capability example, only service.example.org has to know about the specific details of user authentication. thick client developers may also notice that they access the capability as if it were a public resource; that is, they don't need to authenticate each request.

another benefit to capabilities is that they are pre-authorized. if you have a resource that is accessed frequently (like maybe "get the next 10 inventory items" or "check to see if there are any messages on the event queue for me") you don't have to do the username -> permissions look up each time the server receives a request. for environments where the server makes a network request for each permissions check, this can lead to reduced request latency.

capabilities are not magic panaceas. there's still some work involved in implementing them and they start making a lot more sense when you have a cluster of machines offering service to a client, but deployers want identity and identity to permissions mapping functions to live elsewhere in the network than the machine offering a service. (i.e. - "the cloud" or "the grid".)

but how do i provision a capability ?

there are several ways to provision capabilities, but the approach we take in VWRAP is to use the "seed capability."

like many other distributed protocols involving sensitive resources, VWRAP interactions begin with user authentication. this is not strictly true; i'm ignoring the case where two machines want to communicate outside the context of a user request, but let me hand wave that use case away for the moment while we talk about using seed caps.

the process begins with user authentication. the VWRAP authentication specification describes this process; the client sends an avatar name and a password to an authentication server. assuming the authentication request can be validated, the server returns a "seed cap." the client then sends a list of capability names to the seed cap and awaits the response.

what the host behind the seed cap is doing while the client waits for a reply is verifying the requested capability exists and the user is permitted to perform the operation implied by the capability. (and it does this for each capability requested.)

so, for example, let's say you are a client that only wants to update a user profile and send/receive group messages. the protocol interaction might look something like this...

a. authentication : client -> server at https://example.org/login
  {
 agent_name: "Meadhbh Oh",
 authenticator: {
   type: "hash",
   algorithm: "md5",
   secret: "i1J8B0rOmekRn8ydeup6Dg=="
 }
}
b. auth response : server -> client
  {
 condition: "success",
 agent_seed_capability: "https://example.org/s/CF577955-3E0D-4299-8D13-F28345D843F3"
}
c. asking the seed for the other caps : client -> server at
https://s.example.org/s/CF577955-3E0D-4299-8D13-F28345D843F3
  {
 capabilities : [
   "profile/update",
   "groups/search"
 ]
}
d. the response with the URIs for the caps : server -> client
  {
 capabilities : {
   profile/update : "http://service.example.org/user/35A59C5D-315C-4D50-B78D-A38D41D2C90A",
   groups/search : "http://cthulhos.com/8579CE1F-9C05-43E8-8677-A645859DCD64"
 }
}

expiring capabilities

readers may notice that there is a potential "TOCTOU vulnerability." TOCTOU stands for "time of check, time of use," and refers to a common security problem. what happens if the permissions on an object change between the time the code managing the resource checks the permission and the time it performs an operation on the resource.

this is a common problem with many systems, including POSIX file descriptors. (seriously.. if you change the permissions on a file to disallow writing AFTER the file has been opened, subsequent writes on the file descriptor will not fail in many POSIX systems.)

VWRAP addresses this problem by expiring capabilities when they get old. so if you request a capability, then wait a LONG time before you access it, you may find you get a 404 response. The VWRAP specifications do not require all caps to expire, but the do require servers to signal their expiration by removing them (thus the 404 response) and require clients to understand what to do when a capability has been expired. in most cases, the appropriate response is to re-request the capability from the seed cap. if the seed cap is expired, clients should re-authenticate.

capabilities may also "expire after first use." Also called "single shot capabilities," they are used to communicate sensitive or highly volatile information to the client.

current practice is to include an Expires: header in the response from the server so the client will know when the resource expires.

introspection on capabilities

finally, RESTful resources represented by a capability are described by an abstract interface (like LLIDL), the interface description language described in the VWRAP Abstract Type System draft. several people have requested introspection so clients may request the LLIDL description of a capability and more accurately reason about the semantics of its use.

the proposed solution to this problem for VWRAP messages carried over HTTP is to use the OPTIONS method when accessing the capability (instead of GET, POST, PUT or DELETE.) upon receipt of the OPTIONS request, the server should respond with the LLIDL describing the resource.

conclusion

capabilities are cool, especially in clouds or grids.

references

A pair of Google Tech Talks at:
provide a pretty good technical introduction to the concept of capabilities.

VWRAP's description of capabilities is at:

VWRAP uses capabilities to access RESTful resources. Roy Fielding's
paper on REST is at:
Posted by at No comments:
Labels: ,

Thursday, July 15, 2010

abstract resource definitions vs. LLIDL

so i've been noodling on LLIDL and LLSD for a couple years now, and i think i've figured something out. i like the concept of an "abstract resource definition" a lot more than i like an "interface description language." (if you have no idea what i'm talking about, you may want to read my previous blog post "VWRAP Essentials : an abstract type system? hunh?." advanced students can take a look at the internet draft: draft-ieft-vwrap-type-system-00.)

the background

the objective of the abstract type system is simple and well defined: it provides system independent type semantics for structured data developed by protocol designers. that is, it defines types that are common to popular implementation languages. and it does it in a way that developers know the details of the types. like whether integers are 32 or 64 bits and whether radix 10 is supported in floats and so forth. the LLSD abstract type system describes how a small set of fundamental types work so implementers know how their "concretized" implementations should behave. and this is a good thing.

the problem

but after having mulled LLIDL around, i'm starting to see some issues with it. the main problem i have with it is that the interface is hopelessly entangled with the resource it describes. that is, you can't define an abstract resource without defining a method of access. for example, the current spec describes a way to say something like this:
 &info = {
name : string,
status_uri : uri
enroll_uri : uri
login_uri : uri
}

%% site_info << &info
in this example, the &info named type describes a structure that includes a string and three URIs. but the only context you can use the &info named type in is when you use a HTTP GET to access it. i think this is wrong.

it's wrong because it links the declaration of the structure of a resource with the transport used to access it. i have no problem with accessing resources over HTTP(S), but i do have a problem with ONLY accessing them over HTTP(S).

i think there's sufficient interest in the VWRAP working group to support the concept of making resource definition and access orthogonal. i would personally want to be able to have the option of using XMPP and (S)RTP when characteristics of those protocols are advantageous. but i don't want to have to create a new data definition language every time i want to go access a resource over a new transport.

furthermore, there are still open questions regarding content negotiation over HTTP(S). suzy deffeyes, john hurliman and i have reached a rough consensus on how to handle content negotiation, but we need to put it in an internet draft so other people can comment on it and implement it without having to refer to random email archives and IRC logs.

a proposed solution

i propose we layer an abstract resource definition on top of the abstract type system. the abstract resource definition can then be used to describe a transfer syntax (aka serialization scheme) for resources. we can then describe how each transport (HTTP(S), XMPP, etc.) carries serialized resource data. we can then describe interaction semantics independent of resource definition.

the benefit of this is it makes it easier to create systems that are transport-neutral. some of the lessons we learned from Second Life™ and the Linden Lab Legacy Protocol are that there's a LOT of stuff that's not "real time" data. I suspect that moving forward, we'll discover there are a lot of interactions that are modeled with the request-response pattern. i am proposing a solution that would offer deployers and protocol designers the ability to describe a resource without describing the method in which it is accessed.

more details

this proposal describes five components: the abstract type system, the abstract resource definition, the transfer syntax, the abstract interaction definition and the transfer mapping.
abstract type system

as mentioned above, the abstract type system defines a core set of types and type behavior. types are intended to be "concretized" in programming languages like C, Java, Python, whatever. we create an "abstract" type system so we're free to define the type behavior we want while not being tied to type behavior of a particular implementation language. individual implementers are responsible for ensuring that type semantics are consistent with the spec.

for example, imagine you were developing an application using an embedded 8 bit microprocessor and there was a protocol flow that involved incrementing an integer. a client might send you a 32 bit integer, assuming you would increment it. you would be responsible for modeling the behavior of a 32 bit integer despite the fact your micro-controller probably only natively knows about 16 bit ints.

abstract resource definition

the abstract resource definition is sort of like the abstract type system for collections. we define a resource as being either an individual item (a boolean, integer, etc.) or we define it as being a map or an array. the abstract resource definition system allows protocol developers to define the "shape" of resources. but because they are dynamic, implementations must allow for the type of a resource to differ from it's definition and for elements in map to be added and removed.

for example, you may want to define the following resource to describe an user logged into a system:

  RESOURCE agent {
 name string,
 identifier uri,
 current_location uri
}

the abstract resource definition is used to group named data elements together into a dynamic structure. these structures will later be used by the abstract interaction definition.

transfer syntax (aka serialization scheme)

these are basically the three serialization schemes defined in the type-system draft: XML, JSON and Binary. they define how structured data is serialized into an octet string in preparation for transmission across a network. for example, the resource defined above might be serialized like this:

  <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE map PUBLIC
"+//IDN meadhbh.org//xxdsd 0.1//EN"
"http://home.meadhbh.org/xml/xxdsd/0.1/xxdsd.dtd">
<map>
<key>name</key>
<string>Meadhbh Oh</string>
<key>identifier</key>
<uri>http://world.secondlife.com/resident/6e7477a7-2de5-4660-bc83-4a47096a18f0</uri>
<key>current_location</key>
<uri>http://world.secondlife.com/place/65f385f0-691c-5755-9ef0-15f3bb05c8b7</uri>
</map>
abstract interaction definition

LLIDL currently defines access verb sets that are tied to HTTP verbs. if we want to be able to access resources using multiple transports, this is wrong. i propose we define an abstract interaction description "language" that is later mapped to a particular transport.

i propose we have five "abstract" verbs: CREATE, READ, UPDATE, DELETE and EVENT. the first four should be pretty straight forward. They're used to create resources, read and write them and then maybe delete them. the last verb, EVENT, is used to define a resource an entity may receive without requesting it. things like object updates, incoming message session requests, etc.

transport mapping

the transport mapping maps abstract verbs from the abstract interaction description language to concretized protocol flows in the transport. so, for instance, you may use this to say that CREATE abstract access methods map to a POST verb in HTTP or that an EVENT message is delivered via the HTTP event queue.


conclusion

i'm going to wrap as much of this as i can into an internet draft and create some example code. but i figured i would get this idea out there so people can comment on it. just lemme know what you think...
Posted by at No comments:
Labels: ,

Monday, July 5, 2010

new VWRAP internet drafts published

hey peeps! this is just a quick note to let you know that i just pushed out several new versions of the following VWRAP Internet Drafts:


this is the draft that's intended to be a "gentle introduction" to our kind of virtual world, the protocol and the documents. (for a very short intro, you can review my earlier blog post, "what's the Virtual World Region Agent Protocol?") i believe it is "very close" to being fully baked. based on feedback from the mailing list and face to face meetings, i added a section on deployment patterns (without using the terms "Second Life" or "OpenSim",) removed the archaic concepts of agent and region domains, added a document roadmap and added a few terms in the glossary. also, i fixed up the references in the back so they *should* be pointing to the most recent revisions of things.



this one still needs a little bit of work and is essentially the same as the version published last february. however, we seemed to be hurtling towards consensus on this one.

if you're unfamiliar with why the working group is developing an abstract type system, you may want to peruse "VWRAP essentials : an abstract type system? hunh?" first.


this is the old draft written by Mark Lentczner before leaving linden. it describes capabilities and the event queue. personally, i would like to rewrite this one. i would like to add a discussion on: event queue over web sockets, content negotiation and caching for accessing resources over HTTP, expiry of capabilities, etc.


i added references to the CALM draft, and removed the legacy bit about agent id's. it's now all account ids, which is what i think we all said we wanted. MD5 is still in the draft 'cause i wasn't completely sure we all agreed to remove it. i need to add some more verbiage about the "trust model," and possibly remove the MD5 references if that's what the working group wants to do.


this is the draft that describes how we send a message from a web site to the viewer to launch the viewer. it's intended to support web-based auth schemes like OpenID and OAuth. i added a little more verbiage regarding the use of a web capability as the location for an agent_login resource and tried to make sure the references were pointing to the right place.

so... i encourage everyone to take a look at these docs and let me know if you see anything wrong with them.

Posted by at No comments:
Labels:
Subscribe to: Comments (Atom)