Closed jernst closed 6 months ago
Hmm! I'm not sure I follow. You mean https://swicg.github.io/activitypub-http-signature/#how-to-obtain-a-signature-s-public-key , right? I think that process is orthogonal to both authorized fetch and instance actors, i.e. it should work for all actors equally.
Yes, in section 2.3, step 3, "If you don't have it locally, fetch it." the chicken-and-egg situation you describe in 3.2 may apply. But whether or not it applies cannot be determined up-front without trying to fetch and perhaps failing. So should I try without signature, and if that fails, retry with signature, or always sign the request, even if the server ignores it?
Ah! Got it, good point. I think the algorithm itself still works as is - if it's an instance actor, and you fetch it, the remote server won't care about or try to verify your request's signature - but I'll definitely mention and link to the instance actor section.
It doesn't have to be an instance actor (although that's the common implementation). It can be any third-party actor that doesn't require a signature for fetching its actor resource.
True!
Tentatively closing. @jernst feel free to reopen if you want!
Would be nice to have a single algorithm that covers all cases. That way, we can look at this and say ... can we improve this?
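The two strategies asked about in this thread (unsigned first with a signed retry, versus always signing), as an added example that is not from the thread participants or the report under discussion. The `toy_transport` stand-in, its server behaviour, the 401/403 handling and all URLs are constructed assumptions.

```python
from typing import Optional, Tuple

# Constructed sample data: True means the actor document demands a signed GET.
ACTORS = {
    "https://a.example/actor": False,        # instance actor, fetchable unsigned
    "https://a.example/users/alice": True,   # protected
    "https://b.example/actor": False,
    "https://b.example/users/bob": True,
}

def toy_transport(url: str, signed_as: Optional[str]) -> Tuple[int, Optional[dict]]:
    """Hypothetical stand-in for an HTTP GET; signed_as is the signer's keyId or None."""
    if url not in ACTORS:
        return 404, None
    if not ACTORS[url]:
        return 200, {"id": url}              # public actor: any signature is ignored
    if signed_as is None:
        return 401, None
    # Assumption: the server verifies by fetching the signer's actor unsigned,
    # so a signer that is itself protected can never be verified.
    signer = signed_as.split("#", 1)[0]
    if ACTORS.get(signer, True):
        return 401, None
    return 200, {"id": url}

def fetch_key_owner(key_id, signer_key_id, transport=toy_transport, always_sign=False):
    """Return (actor_doc_or_None, [(was_signed, status), ...])."""
    url = key_id.split("#", 1)[0]
    plan = [signer_key_id] if always_sign else [None, signer_key_id]
    attempts = []
    for signed_as in plan:
        status, doc = transport(url, signed_as)
        attempts.append((signed_as is not None, status))
        if status == 200:
            return doc, attempts
        if status not in (401, 403):         # only auth failures justify a signed retry
            break
    return None, attempts
```

Both plans terminate after at most two requests; the signed attempt only succeeds when the signing actor can itself be fetched without a signature.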