Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mitra.social/objects/01991c7b-79c3-3671-8eab-c050ee022760">silverpill (silverpill@mitra.social)'s status on Saturday, 06-Sep-2025 19:19:05 JST</a><a href="https://mitra.social/users/silverpill" title="silverpill@mitra.social"><img src="https://gnusocial.jp/avatar/85321-48-20230105202807.webp" width="48" height="48" alt="silverpill" style="position: absolute; left: 0; top: 0;">silverpill</a></section><article><p>Added new requirements to FEP-ef34:</p><p><a href="https://codeberg.org/fediverse/fep/pulls/672">https://codeberg.org/fediverse/fep/pulls/672</a></p><p>Previously the FEP put the burden of C2S validation solely on the originating server (producer), but I think it would be better to do corresponding security checks on the consumer side too:</p><p>- When fetching an object: verify that Content-Type includes one of the AP &amp; AS media types.<br>- When verifying a signature: also perform same-owner check and verify key ownership.</p><p>Both are already considered good practices in the Fediverse.</p><p>I also attempted to clarify how fetching from origin (authentication) is related to access control (authorization).</p><p><a href="https://mitra.social/collections/tags/fep_fe34" rel="tag">#fep_fe34</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/5594382#notice-10984347">In conversation</a><time datetime="2025-09-06T19:19:05+09:00" title="Saturday, 06-Sep-2025 19:19:05 JST">about 14 hours ago</time> <span>from <span><a href="https://mitra.social/objects/01991c7b-79c3-3671-8eab-c050ee022760" rel="external" title="Sent from mitra.social via ActivityPub">mitra.social</a></span></span><a href="https://mitra.social/objects/01991c7b-79c3-3671-8eab-c050ee022760">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
silverpill (silverpill@mitra.social)'s status on Saturday, 06-Sep-2025 19:19:05 JST silverpill
Added new requirements to FEP-ef34:
https://codeberg.org/fediverse/fep/pulls/672
Previously the FEP put the burden of C2S validation solely on the originating server (producer), but I think it would be better to do corresponding security checks on the consumer side too:
- When fetching an object: verify that Content-Type includes one of the AP & AS media types.
- When verifying a signature: also perform same-owner check and verify key ownership.
Both are already considered good practices in the Fediverse.
I also attempted to clarify how fetching from origin (authentication) is related to access control (authorization).
#fep_fe34
In conversationabout 14 hours ago from mitra.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice