search

swicg / activitypub-webfinger

SocialCG report for using ActivityPub with Webfinger
7 stars 0 forks source link

Skipping reverse discovery #15

Closed tesaguri closed 3 months ago

tesaguri commented 4 months ago

Misskey (probably among others) unconditionally uses @preferredUsername@domain as the canonical handle of an ActivityPub actor without performing the reverse discovery process of the (canonical) acct: URI of the actor at all.

While this may lead to inconsistent behavior when there are multiple actors with a same preferredUsername on a single domain, such a situation is rare in practice (even though the ActivityPub Recommendation explicitly states that the preferredUsername property has no uniqueness guarantees), and it won't lead to a security issue (at least by itself) since the behavior only allows an actor to claim a username on the same domain.

What stance should the report take regarding such a strategy?

trwnh commented 4 months ago

It is currently called out as "optional" to verify the canonical subject, but you should still at least verify that the preferredUsername@hostname links back to the same actor document, rather than assuming this... insofar as you care to establish a WebFinger address as an identifier at all.

tesaguri commented 4 months ago

you should still at least verify that the preferredUsername@hostname links back to the same actor document, rather than assuming this... insofar as you care to establish a WebFinger address as an identifier at all.

That's reasonable if the preferredUsername@hostname pair are to be used for discovery, but is that the sole purpose of a username?

Let's revisit the definition of the preferredUsername property:

A short username which may be used to refer to the actor, with no uniqueness guarantees.

It says that the username may be used to refer to the actor. It probably bears the use case of mentions in mind, but I don't see the wording necessarily imply discovery (at least literally). It seems appropriate to me to use the username as a mere label of a Mention, since at least you know that it's a label as which the actor prefers to be referred to, even if it's not guaranteed to be resolvable to the actor by itself.

That said, I think it's a rather theoretical use case given that the majority of ActivityPub servers have WebFinger resources for their actors, and agree that it's advisable (i.e. good candidate for a "SHOULD'/"RECOMMENDED" requirement) to ensure that a mention is actually resolvable (at least to the server's knowledge, if we allow actors to change their canonical WebFinger subjects (#10)).