Closed: tesaguri closed this 3 months ago
> It is currently called out as "optional" to verify the canonical subject, but you should still at least verify that the `preferredUsername@hostname` links back to the same actor document, rather than assuming this... insofar as you care to establish a WebFinger address as an identifier at all.
That's reasonable if the `preferredUsername@hostname` pair is to be used for discovery, but is that the sole purpose of a username?

Let's revisit the definition of the `preferredUsername` property:

> A short username which may be used to refer to the actor, with no uniqueness guarantees.

It says that the username may be used to *refer to* the actor. It probably bears the use case of mentions in mind, but I don't see the wording necessarily implying discovery (at least literally). It seems appropriate to me to use the username as a mere label of a `Mention`, since at least you know that it's a label as which the actor prefers to be referred to, even if it's not guaranteed to be resolvable to the actor by itself.

That said, I think it's a rather theoretical use case given that the majority of ActivityPub servers have WebFinger resources for their actors, and agree that it's advisable (i.e. a good candidate for a "SHOULD"/"RECOMMENDED" requirement) to ensure that a mention is actually resolvable (at least to the server's knowledge, if we allow actors to change their canonical WebFinger subjects (#10)).
Misskey (probably among others) unconditionally uses `@preferredUsername@domain` as the canonical handle of an ActivityPub actor without performing the reverse discovery process of the (canonical) `acct:` URI of the actor at all. While this may lead to inconsistent behavior when there are multiple actors with the same `preferredUsername` on a single domain, such a situation is rare in practice (even though the ActivityPub Recommendation explicitly states that the `preferredUsername` property has ), and it won't lead to a security issue (at least by itself) since the behavior only allows an actor to claim a username on the same domain. What stance should the report take regarding such a strategy?
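The reverse-discovery check described in the quoted comment above (verify that `preferredUsername@hostname` links back to the same actor document) placed beside the unverified Misskey-style strategy from the last comment, as an added Python example that is not part of this issue thread and not code from Misskey or any other project discussed here. The two actor documents, the WebFinger JRD response and the `sample_fetch` helper are constructed sample data; the function names (`naive_handle`, `verified_handle`) are my own.

```python
import json
from typing import Callable, Dict, List, Optional
from urllib.parse import quote, urlparse

# Injected fetcher: takes a URL, returns the response body or None on failure.
# Keeping the network call behind a callable makes the check testable offline.
Fetcher = Callable[[str], Optional[str]]

# Media types under which an ActivityPub actor document is advertised in a JRD.
AP_TYPES = (
    "application/activity+json",
    'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
)


def webfinger_url(host: str, acct: str) -> str:
    """Build the WebFinger query for an acct: resource on the given host."""
    return f"https://{host}/.well-known/webfinger?resource={quote('acct:' + acct, safe='')}"


def self_links(jrd: dict) -> List[str]:
    """Hrefs of every rel="self" link in a JRD that points at an ActivityPub document."""
    return [
        link["href"]
        for link in jrd.get("links", [])
        if link.get("rel") == "self" and link.get("type") in AP_TYPES and "href" in link
    ]


def naive_handle(actor: dict) -> Optional[str]:
    """Unverified strategy: trust preferredUsername plus the host of the actor id.
    Two actors on one host with the same preferredUsername collide here."""
    name = actor.get("preferredUsername")
    host = urlparse(actor.get("id", "")).hostname
    if not name or not host:
        return None
    return f"@{name}@{host}"


def verified_handle(actor: dict, fetch: Fetcher) -> Optional[str]:
    """Reverse discovery: accept @preferredUsername@host only if the host's
    WebFinger resource for acct:preferredUsername@host lists this actor's id
    as a rel="self" link. Returns None on any failure (no WebFinger, malformed
    JRD, or the acct: resolving to a different actor document)."""
    name = actor.get("preferredUsername")
    actor_id = actor.get("id")
    host = urlparse(actor_id or "").hostname
    if not name or not actor_id or not host:
        return None
    body = fetch(webfinger_url(host, f"{name}@{host}"))
    if body is None:
        return None
    try:
        jrd = json.loads(body)
    except ValueError:
        return None
    if not isinstance(jrd, dict) or actor_id not in self_links(jrd):
        return None
    # The JRD's own "subject" may name a different canonical acct: (see #10);
    # only the pair we actually queried has been verified at this point.
    return f"@{name}@{host}"


# --- constructed sample data (not taken from any real server) ---------------
ALICE = {
    "@context": "https://www.w3.org/ns/activitystreams",
    "id": "https://example.com/users/alice",
    "type": "Person",
    "preferredUsername": "alice",
}
# A second actor on the same host whose document also claims the username "alice".
SAME_NAME = {
    "id": "https://example.com/users/mallory",
    "type": "Person",
    "preferredUsername": "alice",
}
SAMPLE_JRD = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [{"rel": "self", "type": "application/activity+json",
               "href": "https://example.com/users/alice"}],
})


def sample_fetch(url: str) -> Optional[str]:
    """Offline stand-in for an HTTP GET: only alice@example.com has a JRD."""
    responses: Dict[str, str] = {webfinger_url("example.com", "alice@example.com"): SAMPLE_JRD}
    return responses.get(url)


if __name__ == "__main__":
    for who in (ALICE, SAME_NAME):
        print(who["id"], "naive:", naive_handle(who), "verified:", verified_handle(who, sample_fetch))
```

Both actors get the same handle from `naive_handle`, which is the inconsistency the last comment describes; `verified_handle` accepts only the actor whose document the host's WebFinger resource actually points back to, and rejects the other without needing to know which one is "right" in any other sense.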