search

fedi-e2ee / public-key-directory-specification

Specification for a Fediverse Directory Server for Public Keys
Other
37 stars 2 forks source link

MoveIdentity problem #15

Closed raphaelahrens closed 1 month ago

raphaelahrens commented 1 month ago

In the spec it says the following about the MoveIdentity message

https://github.com/fedi-e2ee/public-key-directory-specification/blob/6d4b531874d9e7d6b5fe21b2559ed4d6a7a68a3d/Specification.md?plain=1#L434-L435

What caught my attention is the

but the HTTP Signature MAY come from either Fediverse Server instance.

This could mean that I can run my self hosted instance, create a random account and later move that to @soatok@furry.engineer signed by my instance. This is possible so long as the move to actor-id has not been claimed. This could be used for DoS and maybe impersonation.

I wonder if this a desirable situation. But maybe I'm missing something.

soatok commented 1 month ago

Yeah, I need to rewrite this section. I had a clear idea in my head and it did not translate well to paper.