#social 2021-01-06

2021-01-06 UTC
sl007, KjetilK, dmitriz, tantek and Cult joined the channel
#
Cult
hello, I need a confirmation about webfinger/activitypub, like is there currently an official way to easily confirm the identity of a remote instance?
#
tantek
what do you mean by "confirm the identity"?
#
Cult
I need to be sure that the remote instance is not spoofed, that it has the full keypair of the publickey displayed in the webfinger
#
tantek
ooh that's a bit beyond my expertise. not sure how you do that
#
Cult
right now, my only non-official solution would be to send a new string param to the webfinger request, and get the signed value of that string in the properties array. This way I can check that the used private key is the right one
#
nightpool[m]
Cult: all current ActivityPub systems use HTTPS to provide this guarantee, as far as I know
djangz[m] joined the channel
#
djangz[m]
I'm not sure about implementations with signatures via webfinger, but querying the actor can get you the publickey, have a look here for verifying signatures
#
Cult
yes, but while this avoids man-in-the-middle attacks, it does not really confirm, at the level of AP, that the instance is still the same as last week
#
Cult
it seems, from what I understood, that the publickey allows me to confirm the source of the request, but not that the recipient is still my friend
#
nightpool[m]
yes, conforming that is outside of the scope of ActivityPub
#
nightpool[m]
*confirming
#
tantek
ah is this about "did the domain change hands"?
#
nightpool[m]
as far as the protocol is concerned, the owner of the URI is always the authoritative owner of the resource
#
tantek
like if some bad actor gains control of the DNS for a domain and then pretends to be that identity?
#
sl007
Also please note: Webfinger has nothing to do with ActivityPub! Just Mastodon used it, now everyone has to use it. See the criticism of the ActivityPub authors …
#
sl007
The next SocialCG meeting is next Saturday, 10 AM EST [ 4 PM CET ] - we are learning about Fediverse Enhancement Proposals
#
Cult
ok, thanks for the info, i'll stay with my own little solution :)
cjslep[m] joined the channel
#
cjslep[m]
There are plenty of folks interested in figuring out a DNS-independent future
#
cjslep[m]
As well as even more folks interested in figuring out better identity solutions... I've lost track of them all
#
nightpool[m]
Cult: I don't understand how the string param would help though—wouldn't any attacker that controls the Actor json also control the webfinger response?
#
nightpool[m]
maybe I'm missing something
#
trwnh
you could do TOFU on the instance actor so that the first key is trusted and any key changes have to be approved by admins, i guess?
#
trwnh
although i'd rather see id not bound to the uri at all
sl007 joined the channel
#
Cult
nightpool, I am sending a random string during my webfinger request, the remote instance signs the random string with the private key and returns the result. I verify the signing using the public key
#
Cult
I already stored the public key earlier, so I know that the remote instance has the full pair of keys
#
Cult
and that an instance considered as friendly yesterday is still friendly today