Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://metalhead.club/users/mariusor/statuses/114994710041487719">marius (mariusor@metalhead.club)'s status on Saturday, 09-Aug-2025 04:39:02 JST</a><a href="https://metalhead.club/@mariusor" title="mariusor@metalhead.club"><img src="https://gnusocial.jp/avatar/7165-48-20251129232945.webp" width="48" height="48" alt="marius" style="position: absolute; left: 0; top: 0;">marius</a><div><a href="https://mitra.social/objects/01988afe-d10d-8d32-a8fa-a9ffaf84098f" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/346504" title="marius@marius.federated.id">Marius</a></li></ul></div></section><article><p><a href="https://mitra.social/users/silverpill">@silverpill</a> I can't really understand your example. The client doesn't have access to other actor's private keys, so it shouldn't be able to sign requests. Or you're thinking for the case of a client that is used by multiple users, *and* it stores private keys... </p><p>My clients generally use only OAuth2 for authorization to the service their users belong to and  they don't do "signed requests" to other servers (because they don't really have access to the private key in the first place). </p><p><a href="https://marius.federated.id">@marius</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/5447052#notice-10737770">In conversation</a><time datetime="2025-08-09T04:39:02+09:00" title="Saturday, 09-Aug-2025 04:39:02 JST">about 5 months ago</time> <span>from <span><a href="https://metalhead.club/@mariusor/114994710041487719" rel="external" title="Sent from metalhead.club via ActivityPub">metalhead.club</a></span></span><a href="https://metalhead.club/@mariusor/114994710041487719">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
marius (mariusor@metalhead.club)'s status on Saturday, 09-Aug-2025 04:39:02 JSTmarius
in reply to
- silverpill
- Marius
@silverpill I can't really understand your example. The client doesn't have access to other actor's private keys, so it shouldn't be able to sign requests. Or you're thinking for the case of a client that is used by multiple users, *and* it stores private keys...
My clients generally use only OAuth2 for authorization to the service their users belong to and they don't do "signed requests" to other servers (because they don't really have access to the private key in the first place).
@marius
In conversationabout 5 months ago from metalhead.clubpermalink

Public

Embed Notice

HTML Code

Corresponding Notice