When an #ActivityPub server implements authorized fetch (aka secure mode), how does it associate the keyId in an HTTP request with the actual actor? I know major implementations (like Mastodon) use a fragment appended to the actor IRI as a keyId, but in theory a keyId could be any IRI that seems unrelated to the actor IRI, right? Should I maintain a table of actor–keyIds somewhere in the server?
洪 民憙 (Hong Minhee) (hongminhee@todon.eu)'s status on Friday, 12-Apr-2024 02:26:46 JST
silverpill (silverpill@mitra.social)'s status on Friday, 12-Apr-2024 02:26:45 JST
@hongminhee In theory the locations of the public key and the actor object can be different, but in practice this feature only makes software more complicated for no reason, and you can make the Fediverse more friendly to developers by not supporting it. Almost everyone already uses fragment IDs, so you can either ignore projects that contribute to protocol decay or add special rules for them.
-
silverpill (silverpill@mitra.social)'s status on Friday, 12-Apr-2024 10:57:58 JST
@hongminhee Yes, GtS uses /main-key path. This is the only project I know of that does it differently.
-
洪 民憙 (Hong Minhee) (hongminhee@todon.eu)'s status on Friday, 12-Apr-2024 10:57:59 JST
@silverpill I heard that GoToSocial constructs keyId as a subpath instead of a fragment. Anyway, I'm building a framework and I need to derive an actor object from a keyId, so I needed a more general method. Finally, I realized that key objects have an owner property, so I'm going to use that method.
-
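An added example, not written by anyone in this thread or taken from any project named in it, of the owner-based lookup the last post settles on. It adds one check a verifier needs: the actor document must itself list the key, because the `owner` value is only a claim made by whoever hosts the key. All URLs, documents and the `fetch` stub (a stand-in for a signed HTTP GET) are constructed for illustration.

```python
from urllib.parse import urldefrag

ALICE = "https://a.example/users/alice"   # fragment-style keyId
BOB = "https://b.example/users/bob"       # subpath-style keyId

def _key(key_id, owner):
    return {"id": key_id, "owner": owner, "publicKeyPem": "(constructed)"}

# Constructed documents, indexed by the URL they would be served from.
DOCS = {
    ALICE: {"id": ALICE, "publicKey": _key(ALICE + "#main-key", ALICE)},
    BOB: {"id": BOB, "publicKey": _key(BOB + "/main-key", BOB)},
    BOB + "/main-key": _key(BOB + "/main-key", BOB),
    # A key hosted elsewhere that merely claims Alice as its owner.
    "https://evil.example/key": _key("https://evil.example/key", ALICE),
}

def fetch(url):
    """Stand-in for an HTTP GET; fragments are never sent to the server."""
    return DOCS[urldefrag(url).url]

def find_key(doc, key_id):
    """Find the key object with this id in a key document or an actor document."""
    if doc.get("id") == key_id and "publicKeyPem" in doc:
        return doc
    keys = doc.get("publicKey", [])
    keys = keys if isinstance(keys, list) else [keys]
    return next((k for k in keys
                 if isinstance(k, dict) and k.get("id") == key_id), None)

def actor_for_key(key_id, fetch=fetch):
    """Resolve keyId -> actor id, rejecting keys the actor does not list."""
    key = find_key(fetch(key_id), key_id)
    if key is None or "owner" not in key:
        raise ValueError("no key object with an owner at keyId")
    actor = fetch(key["owner"])
    # Bidirectional check: key -> owner and owner -> key must both hold.
    if actor.get("id") != key["owner"] or find_key(actor, key_id) is None:
        raise ValueError("actor does not list this key")
    return actor["id"]

if __name__ == "__main__":
    for kid in (ALICE + "#main-key", BOB + "/main-key"):
        print(kid, "->", actor_for_key(kid))
```

With this lookup no separate actor-to-keyId table is needed; a cache keyed by keyId is an optimisation, and the signature should be verified against the key material taken from the actor's own copy.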