Re: Major Security Issue with AP: Server-Stored Private Keys in ActivityPub

> the publicKey is a property of the entity identified as a Person, which
> in practice represents a user.

"represents a user" doesn't mean that the user controls the resource. The
server controls the resource. The server is the agent performing HTTP
requests. The publicKey doesn't matter for anything beyond acting as a
verificationMethod for the HTTP request, to avoid an HTTP GET of the
activity id. (And the activity is then most often discarded, since
fediverse implementations do not keep around activities and instead care
only for their objects.^1)

^1: (Alignment between standards and implementations is another issue, of
course. For how ActivityPub gets used in the fediverse (syndication of
posts to followers' servers via a form of JSON-RPC), there is not much
reliance on Linked Data because even the Note resources are transformed to
and persisted as statuses in databases.)

Received on Sunday, 13 April 2025 04:55:15 UTC