@p @pwm @kallisti @nyx Mastodon has some of the best support for the keyId field in HTTP signatures, with the ability to resolve Key objects into Actors and to figure that out all by itself; what matters to it is having a URI to the Actor as the keyId, or having it set to the URI of a Key object with the owner field set to the Actor’s URI. This allows for having the Actor’s public key separated from the Actor itself and is very useful for authentication purposes/locking access to some Actors/etc. The issue is that Mastodon seems to be the only software that supports it so far. GoToSocial seems to be mostly okay with it, but it’s barely working; it somewhat works by accident. Misskey remembers keyIds and can map them into Actors, but if it can’t find it, it will use the given activity’s Actor to discover its public key.
Pleroma does the worst thing I’ve seen amongst all fedi software: it assumes the keyId in the signature is an actor URI. It broke down when Misskey decided to have Key objects separated from their Actors and to give them in a subpath (/users/:id/publickey). Instead of actually bothering, someone decided to remove the /publickey from the keyId if it was found at the end of the URI; because that’d give the actor URI with Misskey. That was done around 5 years ago, and I’m still ranting about this. I don’t think I need to explain why that’s terrible…
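
Added example, not part of the original post and not code from any of the projects it names: a sketch of resolving a keyId by dereferencing it (Actor, or Key object with an owner), next to the string-rewrite approach the post criticises. The hosts, documents and PEM strings are constructed, `DOCS` stands in for HTTP fetches, and the check that the owner's Actor lists the same key back is an assumption of this example.

```python
from urllib.parse import urldefrag

# Constructed documents keyed by URL (hypothetical hosts, placeholder PEMs).
DOCS = {
    "https://a.example/users/alice": {
        "id": "https://a.example/users/alice", "type": "Person",
        "publicKey": {"id": "https://a.example/users/alice#main-key",
                      "owner": "https://a.example/users/alice",
                      "publicKeyPem": "PEM-ALICE"}},
    "https://b.example/users/bob": {
        "id": "https://b.example/users/bob", "type": "Person",
        "publicKey": {"id": "https://b.example/keys/42",
                      "owner": "https://b.example/users/bob",
                      "publicKeyPem": "PEM-BOB"}},
    # Stand-alone Key object, not under the actor's path.
    "https://b.example/keys/42": {
        "id": "https://b.example/keys/42",
        "owner": "https://b.example/users/bob", "publicKeyPem": "PEM-BOB"},
    # Key object that claims alice as owner; alice does not list it.
    "https://c.example/keys/x": {
        "id": "https://c.example/keys/x",
        "owner": "https://a.example/users/alice", "publicKeyPem": "PEM-OTHER"},
}

def fetch(uri):
    """Stand-in for an HTTP GET; the fragment is never sent to the server."""
    return DOCS.get(urldefrag(uri).url)

def actor_key(actor, key_id):
    """Return (actor_uri, pem) only if the Actor itself vouches for key_id."""
    key = actor.get("publicKey") or {}
    if key.get("owner") == actor.get("id") and key_id in (key.get("id"), actor.get("id")):
        return actor["id"], key["publicKeyPem"]
    return None

def resolve_key_id(key_id):
    doc = fetch(key_id)
    if doc is None:
        return None
    if "publicKey" in doc:                 # keyId dereferenced to an Actor
        return actor_key(doc, key_id)
    owner = doc.get("owner")               # keyId dereferenced to a Key object
    actor = fetch(owner) if owner else None
    return actor_key(actor, key_id) if actor else None

def naive_actor_uri(key_id):
    """String rewrite as described in the post: no dereference of the keyId."""
    suffix = "/publickey"
    return key_id[:-len(suffix)] if key_id.endswith(suffix) else key_id
```

The rewrite only yields an Actor URI for the one path layout it was written for; a Key object at any other location, such as `https://b.example/keys/42`, comes back unchanged and is then treated as an Actor.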