cs3org / OCM-API

OpenCloudMesh API

Federated contacts public key exchange and signing #95

Closed MahdiBaghbani closed 3 weeks ago

MahdiBaghbani commented 2 months ago

In addition to #92 I'd like to create a PR for a similar matter.

I propose to:

  1. Sign the requests on behalf of the sender instance (which seems to be required).
  2. "Optionally" also sign the requests on behalf of the sender user and receiver user.

This could be beneficial in:

  1. Making sure the sender is the user it claims to be (even if the sender server is authentic).
  2. It allows sharing E2EE shares from one vendor to another (this one needs discussion).

Cons:

  1. This only works if users do the invite-flow first and then try to share something.

michielbdejong commented 1 month ago

Hm, good idea but feels a bit out of scope, and feels like it should be a mechanism that works both for OCM and for Toots and other social notifications and messages. Can we propose this as a separate spec at the fediverse level? Maybe a separate NLnet project even?

MahdiBaghbani commented 4 weeks ago

If you have time, we can discuss this as a separate NLnet project this week.