Closed evanp closed 7 months ago
I'm not aware of any implementation in practice that has the "deadlock" issue, even Authorized Fetch Mastodon makes the actor's key resource available with an unsigned GET request.
Yeah this is generally handled with instance/server actors (#12): https://www.w3.org/wiki/SocialCG/ActivityPub/Authentication_Authorization#Instance_actors , https://seb.jambor.dev/posts/understanding-activitypub-part-4-threads/#the-instance-actor
@nightpool I'm curious, do you have an example of how to get an authorized fetch Mastodon to serve an actor or its key unsigned? Testing on mastodon.art, I couldn't get it to serve me either an actor or its #main-key
(granted, how to even request that is unclear, viz https://github.com/w3c/activitypub/issues/367) with unsigned requests:
$ curl -vL -H 'Accept: application/activity+json' 'https://mastodon.art/users/snarfed'
...
< HTTP/1.1 401 Unauthorized
...
{"error":"Request not signed"}
$ openssl s_client -connect mastodon.art:443
...
GET /users/snarfed#main-key HTTP/1.1
Host: mastodon.art
Accept: application/activity+json
...
HTTP/1.1 401 Unauthorized
...
{"error":"Request not signed"}
I learned recently that this was a change made between the original release of Authorized Fetch (which I reviewed) and a subsequent release which locked user actors down further. This change was made for compatibility reasons (so that instances not supporting authorized fetch didn't show incomplete profiles)
If I remember correctly, Threads actors require signed requests, which caused a deadlock unless the requestor allowed unsigned requests for keys.
Huh, I could have sworn they stopped requiring sigs, and said it was a bug that the originally did require them, but I checked just now and they still are required.
Regardless, the instance actor solution works against servers like Threads too, even if they don't have their own instance actor.
@snarfed yes, they fixed it. It doesn't mean we shouldn't tell the next implementer to avoid that same bug!
First pass at text here is in https://github.com/swicg/activitypub-http-signature/issues/12#issuecomment-1965494431
If I have to use HTTP Signature to fetch the key defined in the key ID, there's a regression issue.
The key resource, actor resource, and/or server actor resources have to be available with unsigned GET requests.