swicg / activitypub-http-signature

Repository for a SocialCG report on how HTTP Signature is used with ActivityPub
https://swicg.github.io/activitypub-http-signature/

Note on why you throw away the key if it's fetched directly #42

Closed evanp closed 6 months ago

evanp commented 7 months ago

It's probably worth mentioning why, if the keyId returns a Key object, you need to follow the owner property and fetch that instead. (The reason is to verify that the owner claims the key, and not just that the key claims the owner.)
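The check described in the comment above, as an added example that is not part of the original thread or of the report's own code. It assumes the common actor layout in which the owner lists its keys under `publicKey` with `id`, `owner` and `publicKeyPem`; the URLs, PEM strings and the `fetch` stand-in are constructed.

```python
# Added example: all documents below are constructed; fetch() stands in for HTTP GET.
class KeyOwnershipError(Exception):
    """The owner document does not claim the key named by keyId."""

ALICE = "https://alice.example/actor"
BOB = "https://bob.example/actor"
BOB_KEY = "https://bob.example/keys/1"
MALLORY_KEY = "https://mallory.example/keys/1"
DOCS = {
    ALICE: {"id": ALICE, "publicKey": {
        "id": ALICE + "#main-key", "owner": ALICE,
        "publicKeyPem": "ALICE-PEM (constructed)"}},
    BOB: {"id": BOB, "publicKey": [{
        "id": BOB_KEY, "owner": BOB, "publicKeyPem": "BOB-PEM (constructed)"}]},
    BOB_KEY: {"id": BOB_KEY, "owner": BOB,
              "publicKeyPem": "BOB-PEM (constructed)"},
    # A Key object that names Alice as owner, but that Alice's actor does not list.
    MALLORY_KEY: {"id": MALLORY_KEY, "owner": ALICE,
                  "publicKeyPem": "MALLORY-PEM (constructed)"},
}

def fetch(url):
    return DOCS[url]

def resolve_verified_key(key_id, fetch=fetch):
    """Return (owner_id, pem) taken from the owner's own document, or raise."""
    url = key_id.split("#", 1)[0]
    doc = fetch(url)
    if "publicKey" not in doc:
        # keyId returned a bare Key object: keep only its owner URL and
        # discard the rest, since so far only the key claims the owner.
        url = doc.get("owner")
        if not isinstance(url, str):
            raise KeyOwnershipError("Key object has no owner")
        doc = fetch(url)
    if doc.get("id") != url:
        raise KeyOwnershipError("owner document id does not match the URL fetched")
    keys = doc.get("publicKey")
    for key in keys if isinstance(keys, list) else [keys]:
        # The owner must list this exact key id, and the key must point back.
        if isinstance(key, dict) and key.get("id") == key_id and key.get("owner") == url:
            return url, key["publicKeyPem"]
    raise KeyOwnershipError(f"{url} does not claim {key_id}")
```

The PEM returned always comes from the owner's document, so a Key object hosted elsewhere cannot attach itself to an actor that does not list it.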

snarfed commented 6 months ago

Yes! Agreed, will do.

snarfed commented 6 months ago

Tentatively closing. Feel free to re-open!