swicg / activitypub-http-signature

Repository for a SocialCG report on how HTTP Signature is used with ActivityPub
https://swicg.github.io/activitypub-http-signature/

Suggestion: augment algorithm how to obtain the public key section with authorized fetch and instance actor cases #39

Closed jernst closed 6 months ago

jernst commented 7 months ago

Would be nice to have a single algorithm that covers all cases. That way, we can look at this and say ... can we improve this?

snarfed commented 7 months ago

Hmm! I'm not sure I follow. You mean https://swicg.github.io/activitypub-http-signature/#how-to-obtain-a-signature-s-public-key , right? I think that process is orthogonal to both authorized fetch and instance actors, i.e. it should work for all actors equally.

jernst commented 7 months ago

Yes, in section 2.3, step 3, "If you don't have it locally, fetch it." the chicken-and-egg situation you describe in 3.2 may apply. But whether or not it applies cannot be determined up-front without trying to fetch and perhaps failing. So should I try without signature, and if that fails, retry with signature, or always sign the request, even if the server ignores it?

snarfed commented 7 months ago

Ah! Got it, good point. I think the algorithm itself still works as is - if it's an instance actor, and you fetch it, the remote server won't care about or try to verify your request's signature - but I'll definitely mention and link to the instance actor section.

steve-bate commented 7 months ago

> Ah! Got it, good point. I think the algorithm itself still works as is - if it's an instance actor, and you fetch it, the remote server won't care about or try to verify your request's signature - but I'll definitely mention and link to the instance actor section.

It doesn't have to be an instance actor (although that's the common implementation). It can be any third-party actor that doesn't require a signature for fetching its actor resource.
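To make the trade-off in this thread concrete, here is an added example (not code from the report or from any of the commenters) of the key-lookup step from section 2.3, written so that the two strategies jernst asks about can be compared: always sign the actor fetch with a local instance actor's key, or try unsigned first and retry signed on a 401. The host names, the instance actor `https://local.test/actor`, the two fake remote servers (`strict.test` enforces authorized fetch, `open.test` ignores signatures, as steve-bate notes any actor may) and the HMAC stand-in for the RSA-SHA256 signature are all constructed for the example; only the fetch and retry logic is the point.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical local instance actor whose key signs outbound fetches.
INSTANCE_KEY_ID = "https://local.test/actor#main-key"
_DEMO_SECRET = b"constructed-demo-secret"


def demo_signer(signing_string: bytes) -> bytes:
    """Constructed stand-in for RSA-SHA256: an HMAC so the example needs only the stdlib."""
    return hmac.new(_DEMO_SECRET, signing_string, hashlib.sha256).digest()


def signed_get_headers(url: str, key_id: str, signer: Callable[[bytes], bytes]) -> Dict[str, str]:
    """Build a cavage-style Signature header over (request-target), host and date."""
    u = urlparse(url)
    date = "Sun, 06 Nov 1994 08:49:37 GMT"  # fixed so the example is deterministic
    signing_string = f"(request-target): get {u.path}\nhost: {u.netloc}\ndate: {date}"
    sig = base64.b64encode(signer(signing_string.encode())).decode()
    return {
        "Host": u.netloc,
        "Date": date,
        "Signature": (f'keyId="{key_id}",algorithm="rsa-sha256",'
                      f'headers="(request-target) host date",signature="{sig}"'),
    }


# transport(url, headers) -> (status, body); swapped for a fake below.
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


@dataclass
class KeyResolver:
    transport: Transport
    sign_first: bool = True  # True: always sign; False: unsigned first, signed on 401
    cache: Dict[str, dict] = field(default_factory=dict)
    fetch_log: List[Tuple[str, bool, int]] = field(default_factory=list)  # (url, signed, status)

    def _fetch(self, url: str, signed: bool) -> Tuple[int, str]:
        headers = {"Accept": "application/activity+json"}
        if signed:
            headers.update(signed_get_headers(url, INSTANCE_KEY_ID, demo_signer))
        status, body = self.transport(url, headers)
        self.fetch_log.append((url, signed, status))
        return status, body

    def resolve(self, key_id: str) -> Optional[dict]:
        if key_id in self.cache:  # steps 1-2 of 2.3: a local copy wins
            return self.cache[key_id]
        actor_url = key_id.split("#", 1)[0]  # step 3: fetch the actor document
        status, body = self._fetch(actor_url, signed=self.sign_first)
        if status == 401 and not self.sign_first:
            # The remote enforces authorized fetch; one more round trip, signed.
            status, body = self._fetch(actor_url, signed=True)
        if status != 200:
            return None
        actor = json.loads(body)
        pk = actor.get("publicKey") or {}
        # Only trust a key the actor document itself claims and that points back at the actor.
        if pk.get("id") != key_id or pk.get("owner") != actor.get("id"):
            return None
        self.cache[key_id] = pk
        return pk


# Constructed remote servers: strict.test requires a signature, open.test ignores it.
def _actor_doc(actor_url: str) -> str:
    return json.dumps({
        "id": actor_url,
        "publicKey": {"id": actor_url + "#main-key", "owner": actor_url,
                      "publicKeyPem": "-----BEGIN PUBLIC KEY-----\n(constructed)\n-----END PUBLIC KEY-----"},
    })


def fake_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    host = urlparse(url).netloc
    if host == "strict.test" and "Signature" not in headers:
        return 401, ""
    if host in ("strict.test", "open.test"):
        return 200, _actor_doc(url)
    return 404, ""


def round_trips(sign_first: bool, key_id: str) -> int:
    """Number of HTTP fetches needed to resolve key_id twice (second lookup hits the cache)."""
    r = KeyResolver(fake_transport, sign_first=sign_first)
    r.resolve(key_id)
    r.resolve(key_id)
    return len(r.fetch_log)
```

Against `strict.test` the unsigned-first strategy costs two round trips where always-signing costs one, and against `open.test` both cost one, which is why always signing is the simpler choice when the server has an instance actor. Either way the instance actor's own document has to be served without requiring a signature, otherwise two servers that both enforce authorized fetch can never bootstrap (the chicken-and-egg case from section 3.2).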

snarfed commented 6 months ago

True!

Tentatively closing. @jernst feel free to reopen if you want!