Conversation
Hélène (helene@p.helene.moe)'s status on Wednesday, 17-Aug-2022 01:21:06 JST Hélène I'm sorry to inform you all that Misskey respects standards more than GoToSocial does -
Hélène (helene@p.helene.moe)'s status on Wednesday, 17-Aug-2022 01:23:00 JST Hélène @trwnh /users/:username/main-key on GoToSocial returns a Person, not a Key, and there’s no owner
Misskey does this correctly
-
infinite love ⴳ (trwnh@mastodon.social)'s status on Wednesday, 17-Aug-2022 01:23:01 JST infinite love ⴳ @helene what is this about specifically
Hélène likes this. -
Hélène (helene@p.helene.moe)'s status on Wednesday, 17-Aug-2022 01:27:25 JST Hélène @trwnh check /users/:id/publickey for Misskey, they used to do it that way before, but they changed to the Mastodon/Pleroma/etc way nowadays
-
infinite love ⴳ (trwnh@mastodon.social)'s status on Wednesday, 17-Aug-2022 01:27:27 JST infinite love ⴳ @helene ???
i thought it was a url fragment and not a dedicated document, no different than mastodon
what's weirder is that misskey seems to return a Service
Hélène likes this. -
infinite love ⴳ (trwnh@mastodon.social)'s status on Wednesday, 17-Aug-2022 01:28:38 JST infinite love ⴳ @helene oh hm. that's definitely weird. if misskey has a separate document for the key then they should ideally be using it as the id
Hélène likes this. -
Hélène (helene@p.helene.moe)'s status on Wednesday, 17-Aug-2022 01:29:55 JST Hélène @trwnh i think it's just an old route; but it used to be that way, i'm pretty certain
what i'm fairly sure of is that GoToSocial is not doing this right -
infinite love ⴳ (trwnh@mastodon.social)'s status on Wednesday, 17-Aug-2022 01:30:46 JST infinite love ⴳ @helene i'm inclined to say no one is doing this "right" we just all have ways of being subtly wrong
Hélène likes this. -
Hélène (helene@p.helene.moe)'s status on Wednesday, 17-Aug-2022 01:40:20 JST Hélène @trwnh well, to some extent, i’d agree, but i’m not sure that would apply here, considering: https://w3c-ccg.github.io/security-vocab/#publicKey
and even looking at Mastodon’s ActivityPub::FetchRemoteKeyService (noting the fact that Mastodon code tends to be the most accurate, along with Honk, when it comes to ActivityStreams/ActivityPub/etc) it seems like that only works by accident because that /main-key endpoint returns a Person with the id being the actor’s ID (and that too can be a big problem, the data returned is not the same between the two endpoints!!) and no owner/controller associated with the public key
HTTP requests are signed with the user’s main-key in GoToSocial, and using the key ID (which seems good to do), but I am fairly certain it should not return a Person but a Key instead if they wish to not use a fragment!
-
infinite love ⴳ (trwnh@mastodon.social)'s status on Wednesday, 17-Aug-2022 01:44:59 JST infinite love ⴳ @helene oh ok upon seeing this i'm really not sure what gts is doing at all there -- it can be argued that a url fragment should return the whole document, but yeah returning a stub of the Person actor is... weird
Hélène likes this. -
Hélène (helene@p.helene.moe)'s status on Wednesday, 17-Aug-2022 01:46:58 JST Hélène @trwnh well, URL fragments (#abc) aren’t supposed to be sent in the request as far as I know (I could be wrong, though; but almost every HTTP implementation does that by now), so it’d make sense that they should be “ignored”
but yeah, that should probably be fixed here
-
infinite love ⴳ (trwnh@mastodon.social)'s status on Wednesday, 17-Aug-2022 01:52:48 JST infinite love ⴳ @helene my understanding is that clients aren't *supposed* to send the fragment to the server when making the request, but it is entirely possible to do so, and what the server returns in such a case is not defined strictly
in JSON at least, the fragment SHOULD correspond to a key-value pair. so #main-key implies fetching the whole document and then parsing for the `main-key` property. in which case... shouldn't it be #publicKey because that's the actual property?
Hélène likes this. -
infinite love ⴳ (trwnh@mastodon.social)'s status on Wednesday, 17-Aug-2022 01:56:00 JST infinite love ⴳ @helene my bad, it should be #/publicKey per RFC 6901 https://datatracker.ietf.org/doc/html/rfc6901#section-6
Hélène likes this. -
Hélène (helene@p.helene.moe)'s status on Wednesday, 17-Aug-2022 02:00:41 JST Hélène @trwnh hmm, that is odd then, and I believe Gargron@mastodon.social was the one to have introduced HTTP signatures into ActivityPub with Mastodon, but I may be wrong here? (I’d mention him, but I don’t wanna disturb, but he probably would be the one with answers regarding this)
There’s no mention on how to build the keyId on https://docs.joinmastodon.org/spec/security/, which seems to be mostly regarded as “the spec” on that subject
but considering what you’re highlighting, it would seem it should be done this way instead, yes
-
infinite love ⴳ (trwnh@mastodon.social)'s status on Wednesday, 17-Aug-2022 02:06:35 JST infinite love ⴳ @helene fwiw i wrote that page based off of what i could surmise out of mastodon's codebase, and i don't exactly have the best code literacy so there may be details i am missing; this is why i linked to the source code explicitly. so my suggestion is to look at the linked files...
aside from that i just filed https://github.com/mastodon/mastodon/issues/18998 as an issue regarding the current behavior, so hopefully that will lead to more technical discussion and review
Hélène likes this. -
Hélène (helene@p.helene.moe)'s status on Wednesday, 17-Aug-2022 02:24:32 JST Hélène @trwnh no worries :ablobcatwink:
I just looked at Mastodon’s code, and it seems that the fragment part of the keyId URI is completely ignored by Mastodon, so… what comes before the fragment is used to find the related Account by uri, however (and considering what we talked about before with GoToSocial… that may be quite a problem, but I don’t know the rest of Mastodon’s codebase, or how Accounts/actors are handled specifically)
see https://github.com/mastodon/mastodon/blame/main/app/lib/activitypub/tag_manager.rb#L171 which brings relevance to https://github.com/mastodon/mastodon/pull/4630 and https://github.com/mastodon/mastodon/issues/4606 in the discussion
so, in the end, I’m still not sure how that came to be, and it seems particularly bizarre and unexplained
@Gargron sorry to cause so much reading! but, do you know where the URI fragment-based key indexing came from? (did you introduce it?) and is there any particular reason for doing it in this manner? nothing seems to define how the keyId parameter is built besides Mastodon, from what I can see, and the support for WebFinger-like URIs in Mastodon for HTTP signatures seems to make that more complex, as well
-
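As an added illustration of the keyId question raised in the posts above (not code from Mastodon, GoToSocial, Misskey or any participant in the thread): a verifier-side routine that resolves a signature `keyId` in both forms discussed, a fragment on the actor document and a dedicated key document, and accepts the key only if it names an owner and that owner publishes the same key. The names `resolve_key`, `KeyBindingError`, `fetch_sample` and `is_bound`, the hosts and the placeholder PEM strings are all assumptions constructed for the example.

```python
from urllib.parse import urldefrag

class KeyBindingError(Exception):
    """The keyId could not be tied to an actor that claims the key."""

def _keys(doc):
    # publicKey may hold one key object or a list of them
    value = doc.get("publicKey", [])
    return [k for k in (value if isinstance(value, list) else [value]) if isinstance(k, dict)]

def resolve_key(key_id, fetch):
    """Return (owner actor id, PEM) for a signature keyId, or raise."""
    doc_url, _ = urldefrag(key_id)          # the fragment is not sent to the server
    doc = fetch(doc_url)
    if doc.get("id") == key_id and "publicKeyPem" in doc:
        key = doc                           # dedicated Key document
    else:                                   # actor document with an embedded key
        key = next((k for k in _keys(doc) if k.get("id") == key_id), None)
    if key is None:
        raise KeyBindingError(f"no key {key_id} in {doc_url}")
    owner, pem = key.get("owner") or key.get("controller"), key.get("publicKeyPem")
    if not owner or not pem:
        raise KeyBindingError(f"key {key_id} has no owner or no PEM")
    actor = doc if doc.get("id") == owner else fetch(owner)
    # Two-way binding: the owner must itself publish this exact key.
    claimed = any(k.get("id") == key_id and k.get("publicKeyPem") == pem for k in _keys(actor))
    if actor.get("id") != owner or not claimed:
        raise KeyBindingError(f"{owner} does not claim {key_id}")
    return owner, pem

# Constructed sample documents: hypothetical hosts, placeholder PEM strings.
ALICE, BOB, CAROL = ("https://a.example/users/alice", "https://b.example/users/bob",
                     "https://c.example/users/carol")
DOCS = {
    ALICE: {"id": ALICE, "type": "Person", "publicKey":
            {"id": ALICE + "#main-key", "owner": ALICE, "publicKeyPem": "PEM-A"}},
    BOB: {"id": BOB, "type": "Person", "publicKey":
          {"id": BOB + "/main-key", "owner": BOB, "publicKeyPem": "PEM-B"}},
    BOB + "/main-key": {"id": BOB + "/main-key", "type": "Key",
                        "owner": BOB, "publicKeyPem": "PEM-B"},
    # Key URL answering with an actor stub whose key names no owner.
    CAROL + "/main-key": {"id": CAROL, "type": "Person", "publicKey":
                          {"id": CAROL + "/main-key", "publicKeyPem": "PEM-C"}},
}

def fetch_sample(url):
    return DOCS[url]                        # stands in for a signed HTTP GET

def is_bound(key_id):
    try:
        return bool(resolve_key(key_id, fetch_sample))
    except KeyBindingError:
        return False
```
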
Hélène (helene@p.helene.moe)'s status on Wednesday, 17-Aug-2022 02:34:09 JST Hélène @trwnh nevertheless, thank you for those docs, creating that issue and talking about it and that RFC! and let's hope we can improve things on this too :blobcatfluffhappy: -
johann150@genau.qwertqwefsday.eu's status on Thursday, 15-Sep-2022 07:02:25 JST Johann150 @trwnh@mastodon.social it's a Service because the account is marked as a bot.
Hélène likes this. -
infinite love ⴳ (trwnh@mastodon.social)'s status on Thursday, 15-Sep-2022 07:02:57 JST infinite love ⴳ @Johann150 i thought the generally agreed-upon "bot" indicator was Application type but eh
Hélène likes this. -
infinite love ⴳ (trwnh@mastodon.social)'s status on Thursday, 15-Sep-2022 07:02:58 JST infinite love ⴳ @Johann150 i seem to be wrong oops, it is indeed "service" for some reason
Hélène likes this. -
infinite love ⴳ (trwnh@mastodon.social)'s status on Thursday, 15-Sep-2022 07:03:00 JST infinite love ⴳ @Johann150 i guess this is a certified activitystreams Type moment (as in, types continue to be haphazardly defined and generally not very useful or specific)
Hélène likes this. -
johann150@genau.qwertqwefsday.eu's status on Thursday, 15-Sep-2022 07:03:01 JST Johann150 @trwnh@mastodon.social see also: difference between tags and attachments :P
Hélène likes this. -
infinite love ⴳ (trwnh@mastodon.social)'s status on Thursday, 15-Sep-2022 07:03:06 JST infinite love ⴳ @Johann150 i meannnn at least that one makes some kind of sense, grammatically! it may be hard to pin down precisely but they very much have different usages (microsyntax vs sidecars). types on the other hand can be ignored in a lot of cases and no real valuable info is lost... at best they serve to hint intentions, and that's about it.
Hélène likes this. -
infinite love ⴳ (trwnh@mastodon.social)'s status on Thursday, 15-Sep-2022 07:03:18 JST infinite love ⴳ @Johann150 like, the type system is full of shit like Note vs Article, the utterly unused Profile, Document vs its subtypes, i could go on...
wrt actor types specifically, the "real" definition of an actor is "has an inbox and outbox" and not "must be Application / Group / Organization / Person / Service"
Hélène likes this.