@trwnh well, to some extent, i’d agree, but i’m not sure that would apply here, considering: https://w3c-ccg.github.io/security-vocab/#publicKey
and even looking at Mastodon’s ActivityPub::FetchRemoteKeyService (noting the fact that Mastodon code tends to be the most accurate, along with Honk, when it comes to ActivityStreams/ActivityPub/etc) it seems like that only works by accident because that /main-key endpoint returns a Person with the id being the actor’s ID (and that too can be a big problem, the data returned is not the same between the two endpoints!!) and no owner/controller associated with the public key
HTTP requests are signed with the user’s main-key in GoToSocial, and using the key ID (which seems good to do), but I am fairly certain it should not return a Person but a Key instead if they wish to not use a fragment!
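The owner check discussed in this post, as an added example that is not part of the original post and is not Mastodon's or GoToSocial's code: a verifier that resolves a keyId and requires the key and its owner to reference each other. The `fetch` callable, the `outcome` helper, the example.social URLs and the PEM strings are assumptions constructed for illustration.

```python
from urllib.parse import urldefrag

class KeyResolutionError(Exception):
    pass

def resolve_key_owner(key_id, fetch):
    """Return (owner_id, pem) for key_id or raise KeyResolutionError.
    fetch is a hypothetical callable: URL -> parsed JSON document."""
    url = urldefrag(key_id).url  # the fragment is never sent over HTTP
    doc = fetch(url)
    if "publicKeyPem" in doc:  # stand-alone Key document
        key, owner_id = doc, doc.get("owner") or doc.get("controller")
        if key.get("id") != key_id or not owner_id:
            raise KeyResolutionError("key document lacks matching id or owner")
        actor = fetch(owner_id)
    else:  # actor document with the key embedded
        if doc.get("id") != url:
            raise KeyResolutionError("document id differs from the URL fetched")
        actor, key = doc, doc.get("publicKey") or {}
        owner_id = key.get("owner") or key.get("controller")
    # Both directions must agree: key -> owner and owner -> key.
    listed = actor.get("publicKey") or {}
    if (actor.get("id") != owner_id or listed.get("id") != key_id
            or listed.get("publicKeyPem") != key.get("publicKeyPem")
            or not key.get("publicKeyPem")):
        raise KeyResolutionError("owner and key do not reference each other")
    return owner_id, key["publicKeyPem"]

# Constructed sample documents; example.social and the PEM strings are placeholders.
A, B, C = (f"https://example.social/users/{n}" for n in ("alice", "bob", "carol"))
DOCS = {
    A: {"id": A, "type": "Person",  # fragment key on the actor itself
        "publicKey": {"id": A + "#main-key", "owner": A, "publicKeyPem": "PEM-A"}},
    B: {"id": B, "type": "Person",
        "publicKey": {"id": B + "/main-key", "owner": B, "publicKeyPem": "PEM-B"}},
    B + "/main-key": {"id": B + "/main-key", "type": "Key",  # key URL serves a Key
                      "owner": B, "publicKeyPem": "PEM-B"},
    # Shape described in the post: key URL serves a Person with the actor's id, no owner.
    C + "/main-key": {"id": C, "type": "Person",
                      "publicKey": {"id": C + "/main-key", "publicKeyPem": "PEM-C"}},
}

def outcome(key_id):
    try:
        return resolve_key_owner(key_id, DOCS.__getitem__)[0]
    except KeyResolutionError as err:
        return f"rejected: {err}"
```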