Closed jernst closed 7 months ago
snarfed
commented
7 months ago Hmm! I'm not sure I follow. You mean https://swicg.github.io/activitypub-http-signature/#how-to-obtain-a-signature-s-public-key , right? I think that process is orthogonal to both authorized fetch and instance actors, ie it should work for all actors equally.
jernst
commented
7 months ago Yes, in section 2.3, step 3, "If you don't have it locally, fetch it." the chicken-and-egg situation you describe in 3.2 may apply. But whether or not it applies cannot be determined up-front without trying to fetch and perhaps failing. So should I try without signature, and if that fails, retry with signature, or always sign the request, even if the server ignores it?
snarfed
commented
7 months ago Ah! Got it, good point. I think the algorithm itself still works as is - if it's an instance actor, and you fetch it, the remote server won't care about or try to verify your request's signature - but I'll definitely mention and link to the instance actor section.
steve-bate
commented
7 months ago Ah! Got it, good point. I think the algorithm itself still works as is - if it's an instance actor, and you fetch it, the remote server won't care about or try to verify your request's signature - but I'll definitely mention and link to the instance actor section.
It doesn't have to be an instance actor (although that's the common implementation). It can be any third-party actor that doesn't require a signature for fetching its actor resource.
snarfed
commented
7 months ago True!
Tentatively closing. @jernst feel free to reopen if you want!
Would be nice to have a single algorithm that covers all cases. That way, we can look at this and say ... can we improve this?