this post was submitted on 26 Jun 2023
To do the signature validation you need to know/trust the public key signing the incoming request (which will use the `keyId` in the signature to specify the key of the actor, usually a Person, that made the thing, when your server gets this comment the `keyId` will be `https://lemmy.nrd.li/u/terribleplan#main-key`). A good server will check that the `keyId` only differs from the actor of the object by having a fragment appended.

Your server needs to fetch my Person object, of `https://lemmy.nrd.li/u/terribleplan`. If you load that with an `Accept` header of `application/activity+json` you get:

You can see my Person object contains `.publicKey.publicKeyPem`, that is what your server will use (and store after fetching it once) to validate the incoming payload/header.

Ah, that makes sense. The server tries to retrieve the actor object from the actual url and would notice a discrepancy. That makes sense and is an easy way to implement validations.
I was wondering if I could ask you something else related to ActivityPub since you seem knowledgeable in the matter. I've been going over these all day and haven't been able to find a good answer:
Is there a consensus on which approach is better and what would happen if the content field in a note is different from the content that would be fetched by a URL?
In that regard, I was wondering if it's possible for an organization or group type actor to forward the activity not with announces but by simply delivering the content to the user's inbox in a transparent manner, similar to an email distribution list.
Thank you <3
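
The key lookup described in the first comment of this thread, as an added example that is not part of the original posts and is not Lemmy's code: it binds the `keyId` to the activity's actor, fetches the actor from the URL derived from `keyId`, and returns the PEM to verify with. The `publicKey.id` check, the `fetch_actor` callable and all sample values are assumptions; the RSA verification itself is left out.

```python
import re
from urllib.parse import urldefrag

# Constructed sample data; the PEM body is a placeholder, not a real key.
ACTOR_ID = "https://lemmy.nrd.li/u/terribleplan"
SAMPLE_ACTOR = {
    "id": ACTOR_ID,
    "type": "Person",
    "publicKey": {
        "id": ACTOR_ID + "#main-key",  # assumed to mirror the keyId
        "owner": ACTOR_ID,
        "publicKeyPem": "-----BEGIN PUBLIC KEY-----\n(placeholder)\n-----END PUBLIC KEY-----",
    },
}
SAMPLE_HEADER = ('keyId="%s#main-key",headers="(request-target) host date",'
                 'signature="Y29uc3RydWN0ZWQ="' % ACTOR_ID)

def fake_fetch(url):
    """Stand-in for a GET with Accept: application/activity+json."""
    if url != ACTOR_ID:
        raise ValueError("unexpected fetch: " + url)
    return SAMPLE_ACTOR

def parse_signature_header(value):
    """Parse keyId="...",headers="...",signature="..." into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

def key_belongs_to_actor(key_id, actor_id):
    """True only if keyId is the actor id with a fragment appended (or equal)."""
    base, _fragment = urldefrag(key_id)
    return base == actor_id

def resolve_public_key(signature_header, activity, fetch_actor):
    """Return the PEM to verify the request with, or raise ValueError."""
    key_id = parse_signature_header(signature_header).get("keyId")
    if not key_id:
        raise ValueError("Signature header has no keyId")
    actor_id = activity.get("actor")  # only the plain-string form is handled
    if not isinstance(actor_id, str) or not key_belongs_to_actor(key_id, actor_id):
        raise ValueError("keyId does not belong to the activity's actor")
    # Fetch from the URL derived from keyId, never from a URL inside the payload.
    actor = fetch_actor(urldefrag(key_id)[0])
    public_key = actor.get("publicKey") or {}
    if actor.get("id") != actor_id or public_key.get("id") != key_id:
        raise ValueError("fetched actor document does not match keyId")
    if not public_key.get("publicKeyPem"):
        raise ValueError("actor document has no publicKeyPem")
    return public_key["publicKeyPem"]
```

A request whose `keyId` points at a different host or path than the activity's actor is rejected before any fetch happens, so a sender cannot sign with their own key while claiming someone else's actor.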