#social 2018-08-16

2018-08-16 UTC
#
saranix
kaniini: pleroma requires the content-length field to be signed on http sigs?
#
kaniini
saranix no
#
kaniini
you can sign anything you want, but date must be signed
#
kaniini
we will soon also require digest be signed, but i haven't flipped the switch yet.
#
dansup
that's it? just date?
#
aaronpk
i think it's funny that digest is optional right now
#
saranix
hrm
#
kaniini
implementing digest can be tricky.
#
nightpool[m]
aaronpk: digest isn't required because you're (presumably) already speaking to the host over https.
#
saranix
kaniini: actor is set
#
nightpool[m]
so the only person who could mutate/replay an https sig is the host itself. and as long as you sign host, they can only replay it against themselves
#
aaronpk
huh, if that's the case, then it seems like there would be a much simpler solution than http sigs at all
#
nightpool[m]
in fact, signing digest is LESS secure under some threat models, since it's non-repudiable.
#
nightpool[m]
http sigs is... pretty fucking simple
#
saranix
kaniini: from that paste, everything from {type:Create to the close of to=>[]}
#
saranix
dang it
#
kaniini
that's escaped though
#
kaniini
i need the exact binary data
#
saranix
well, cause it's debug info. Want the original?
#
kaniini
yes
#
kaniini
with http headers
#
saranix
errr.. won't be able to do that
#
saranix
how do you send a direct message in pleroma? I can reply to a direct message, and I see the little private icon in the feed, but I don't see anywhere to set it in the status box like mastodon has
#
saranix
kaniini++
#
Loqi
kaniini has 3 karma over the last year
#
kaniini
saranix have to enable that stuff
#
kaniini
saranix priv/static/static/config.json
#
kaniini
scopeOptionsEnabled = true
#
saranix
so the site admin controls that?
#
saranix
might be confusing for users
ajordan, timbl, xmpp-social, heluecht[m], jauntywunderkind[m] and kaniini joined the channel