I’m trying to better understand Activitypub and I understand that there’s a signature to avoid forgeries of known accounts.
However I’m having trouble understanding what prevents a malicious actor from sending a private spam message supposedly from a never before seen account name with valid generated key pair but for a domain they’ve never bought since there is no DNS lookup or test.
Thank you!
Oh, there’s also
Linked Data SignaturesVerifiable Credential Data Integrity that puts signatures right in the JSON itself. This is a real neat option that would allow for all sorts of great things like super easy and forwarding of messages with verifiable integrity, and the ability to store things in a verifiable/trusted way forever. Nobody really implemented it because:- It was pretty under-baked and not standardized at all when AP started getting implemented (as evidenced by it changing names and basically being entirely rewritten). Mastodon, for example, is still on the old LD spec and would not be able to interop if your AP server did not also send the HTTP header signatures.
- IIRC there were some privacy concerns about always signing every action, thus not being able to deny that you did the thing you did. Not sure how real these concerns were, but I remember seeing this argument in the past and thinking it was unconvincing
On the point of 2, it could be made optional, so that the user could choose.
Maybe… I am working on an AP implementation that will reject anything not signed with VCDI because it has such desirable properties. In my implementation all crypto is done client-side only, so the server can’t reasonably be expected to do HTTP signing.
