Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://gleasonator.com/objects/9e6d846a-6f3b-4f5e-bb6c-d3d8a7be8b67">Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 05:02:36 JST</a><a href="https://gleasonator.com/users/alex" title="alex@gleasonator.com"><img src="https://gnusocial.jp/avatar/1712-48-20220726020642.webp" width="48" height="48" alt="Alex Gleason" style="position: absolute; left: 0; top: 0;">Alex Gleason</a><div><a href="https://orwell.fun/objects/b70ea6cc-ae97-43c5-a426-dc8107549208" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://orwell.fun/users/tassoman">@tassoman</a> Anyone can POST /inbox from anywhere. TLS only helps verify servers, not clients.</p><p>Public activities don’t have to be signed, because if we get an unsigned activity we can just refetch it from the origin server. In that case TLS helps.</p><p>Private activities can’t be fetched, so the only way to verify it is by a key. We fetch the actor and compare their RSA public key with the HTTP Signature.</p><p>What if key-pair is lost/stolen? ?</p><p>Yes, we have to plan for that. This is what Pleroma does:</p><ol><li>Accounts are refetched every 24 hours. A last_refreshed_at is stored on the user. So if keys are stolen, re-roll them.</li><li>Upon getting an invalid signature, refetch the actor and try one more time before giving up.</li></ol></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1216307#notice-2579305">In conversation</a><time datetime="2023-02-19T05:02:36+09:00" title="Sunday, 19-Feb-2023 05:02:36 JST">Sunday, 19-Feb-2023 05:02:36 JST</time> <span>from <span><a href="https://gleasonator.com/objects/9e6d846a-6f3b-4f5e-bb6c-d3d8a7be8b67" rel="external" title="Sent from gleasonator.com via ActivityPub">gleasonator.com</a></span></span><a href="https://gleasonator.com/objects/9e6d846a-6f3b-4f5e-bb6c-d3d8a7be8b67">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 05:02:36 JSTAlex Gleason
in reply to
- Tassoman
@tassoman Anyone can POST /inbox from anywhere. TLS only helps verify servers, not clients.
Public activities don’t have to be signed, because if we get an unsigned activity we can just refetch it from the origin server. In that case TLS helps.
Private activities can’t be fetched, so the only way to verify it is by a key. We fetch the actor and compare their RSA public key with the HTTP Signature.
What if key-pair is lost/stolen? ?
Yes, we have to plan for that. This is what Pleroma does:
1. Accounts are refetched every 24 hours. A last_refreshed_at is stored on the user. So if keys are stolen, re-roll them.
2. Upon getting an invalid signature, refetch the actor and try one more time before giving up.
In conversationSunday, 19-Feb-2023 05:02:36 JST from gleasonator.compermalink