Closed evanp closed 7 months ago
Yes! The HTTP Sig points to the specific key that was used, so sig verification should still work fine, and clients shouldn't have to try all of them, but still worth mentioning.
From the HTTPSig perspective, it is perfectly fine to validate signatures against multiple keys. cavage and httpbis signatures both state `keyid`, which states which key they should be validated against. Also, this will help make the key rotation process significantly easier. (no longer worry about undelivered `Update` activities)
However, from the ActivityPub Actor specification perspective, the current Actor definition is not capable of exposing multiple keys, nor are the current ActivityPub implementations prepared to fetch multiple keys due to a lack of specification for that.
I think we need another FEP or another standard to update the Actor specification.
> I think we need another FEP or another standard to update the Actor specification.

There is actually an FEP for representing multiple public keys on an actor, FEP-521a, which I am intending to implement for Kitsune at some point: https://codeberg.org/fediverse/fep/src/branch/main/fep/521a/fep-521a.md
I'll include this in the draft text for https://github.com/swicg/activitypub-http-signature/issues/8.
> However, from the ActivityPub Actor specification perspective, the current Actor definition is not capable of exposing multiple keys, nor are the current ActivityPub implementations prepared to fetch multiple keys due to a lack of specification for that.

@perillamint just following up here, afaict neither https://www.w3.org/TR/activitystreams-core/ nor https://www.w3.org/TR/activitystreams-vocabulary/ specify keys at all. Those come from https://w3c-ccg.github.io/security-vocab/ , specifically the `publicKey` property, right? Or am I missing something?
@snarfed Sorry for the late reply. Yes, the `publicKey` property is defined in the CCG security vocabulary, not in the AS or AP.
AFAIK, neither the current (or previous version? I need to follow up on the progression) AP nor AS defines anything about authentication or digital signatures.
I have yet to see a service that provides multiple keys for the same actor, although that's definitely possible. I think this is a good feature to review.
For publishers, whether it's OK to have multiple keys.
For consumers, what to do if there are 0 keys or 2 or more keys.
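The consumer-side question raised in this thread (0, 1 or several keys on an actor, with the signature's key identifier naming the one to use), as an added example that is not part of any comment above or of any project's code. It assumes a cavage-style `Signature` header and keys exposed under `publicKey` with `id`, `owner` and `publicKeyPem`; the actor document, the function names and the strict "no fallback to other keys" policy are assumptions made for illustration.

```python
import re

# Constructed sample: an actor exposing two keys under `publicKey`.
ACTOR = {
    "id": "https://social.example/users/alice",
    "publicKey": [
        {"id": "https://social.example/users/alice#key-2023",
         "owner": "https://social.example/users/alice",
         "publicKeyPem": "-----BEGIN PUBLIC KEY-----\n(old)\n-----END PUBLIC KEY-----"},
        {"id": "https://social.example/users/alice#key-2024",
         "owner": "https://social.example/users/alice",
         "publicKeyPem": "-----BEGIN PUBLIC KEY-----\n(new)\n-----END PUBLIC KEY-----"},
    ],
}

class KeySelectionError(Exception):
    """Raised when no single, correctly owned key can be chosen."""

def parse_signature_header(value):
    """Parse a cavage-style Signature header into a dict of its parameters."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', value))
    if "keyId" not in params or "signature" not in params:
        raise KeySelectionError("Signature header lacks keyId or signature")
    return params

def actor_keys(actor):
    """Return the actor's keys as a list: publicKey may be absent, one object or an array."""
    keys = actor.get("publicKey") or []
    if isinstance(keys, dict):
        keys = [keys]
    return [k for k in keys if isinstance(k, dict)]

def select_key(actor, signature_header):
    """Pick exactly the key named by keyId; never fall back to trying the others."""
    key_id = parse_signature_header(signature_header)["keyId"]
    keys = actor_keys(actor)
    if not keys:
        raise KeySelectionError("actor publishes no keys")
    matches = [k for k in keys if k.get("id") == key_id]
    if len(matches) != 1:
        raise KeySelectionError(f"{len(matches)} keys match keyId {key_id}")
    key = matches[0]
    # A key listed on the actor must also claim that actor as its owner.
    if key.get("owner") != actor.get("id"):
        raise KeySelectionError("key owner does not match actor id")
    return key["publicKeyPem"]
```

The returned PEM is what a verifier would then hand to its signature check; that step is outside this sketch.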