#social 2019-11-07

2019-11-07 UTC
sl007, xmpp-social, xkr47 and Grishka joined the channel
# 12:15 
Grishka replies again, I received this post in my inbox: https://mastodon.social/@Gargron/103096429218390076
# 12:15 
Loqi [Eugen] @aworas Did you enable the “advanced web interface”?
# 12:15 
Grishka I do follow Eugen but I don't follow the author of the post he's replying to
# 12:16 
Grishka nevertheless, this post I received has …/users/Gargron/followers in its "cc" field, why?
# 12:17 
Grishka (I thought I figured out addressing...)
# 12:22 
Grishka am I right that I'm supposed to fetch the parent post via inReplyTo (or follow the links until I get to the top-level post in case of a longer thread), realize no one on my instance follows its author, and drop the entire thread because it's irrelevant for my instance?
# 12:47 
nightpool[m] Grishka: im not sure I understand what you mean by "supposed to"
# 12:47 
nightpool[m] you can choose to do any of those things
# 12:48 
nightpool[m] the `cc` is there because that's how mastodon (i.e. gargrons client) chose to author the post.
# 13:12 
Grishka yeah, I'm just trying to understand the logic behind that
# 13:12 
Grishka probably for "toots & replies" view?
# 13:16 
nightpool[m] yes
Grishka joined the channel
# 17:51 
Grishka and now a bizarre thing
# 17:52 
Grishka mastodon.social forwards me replies to Eugen's posts made by users on other instances, but the HTTP signature is done with Eugen's key
# 17:53 
Grishka and there's another signature within the object with the correct key, but I don't support this yet and I haven't yet researched how to verify it
# 17:54 
Grishka I understand that this has to be a key that mastodon.social has because it's sending me that object and the signature includes the Host header, but… how do I verify this, anyway?
# 17:55 
Grishka I have to support those signatures inside objects, right?
# 17:56 
Grishka and also probably stop ignoring keyId in the header (I currently use the public key for whichever actor the activity has as its actor)
lanodan, feld and sl007 joined the channel
# 22:19 
nightpool[m] so there's a couple things going on here
# 22:20 
nightpool[m] every request is signed with HTTP Signatures, but that only tells you who made the REQUEST, not who made the content
# 22:21 
nightpool[m] in the case where they're the same, you're fine. if they're not, then you need to verify each separately
# 22:21 
nightpool[m] there are a couple of ways you can verify the content—the simplest is to just take it's ID and deference it
# 22:22 
nightpool[m] then you know for sure what host crested it and can verify that this is the same host as the actor it's attributed to