#social 2018-08-16
2018-08-16 UTC
#
saranix kaniini: pleroma requires the content-length field to be signed on http sigs?
#
kaniini saranix no
#
kaniini you can sign anything you want, but date must be signed
#
kaniini we will soon also require digest be signed, but i haven't flipped the switch yet.
#
dansup that's it? just date?
#
saranix hrm
#
kaniini implementing digest can be tricky.
#
nightpool[m] aaronpk: digest isn't required because you're (presumably) already speaking to the host over https.
#
saranix kaniini: actor is set
#
nightpool[m] so the only person who could mutate/replay an https sig is the host itself. and as long as you sign host, they can only replay it against themselves
#
nightpool[m] in fact, signing digest is LESS secure under some threat models, since it's non-repudiable.
#
nightpool[m] http sigs is... pretty fucking simple
#
saranix kaniini: from that paste, everything from {type:Create to the close of to=>[]}
#
saranix dang it
#
kaniini that's escaped though
#
kaniini i need the exact binary data
#
saranix well, cause it's debug info. Want the original?
#
kaniini yes
#
kaniini with http headers
#
saranix errr.. won't be able to do that
#
saranix how do you send a direct message in pleroma? I can reply to a direct message, and I see the little private icon in the feed, but I don't see anywhere to set it in the status box like mastodon has
#
saranix kaniini++
#
kaniini saranix have to enable that stuff
#
kaniini saranix priv/static/static/config.json
#
kaniini scopeOptionsEnabled = true
#
saranix so the site admin controls that?
#
saranix might be confusing for users
ajordan, timbl, xmpp-social, heluecht[m], jauntywunderkind[m] and kaniini joined the channel