I took the time this evening to wade through the swamp of sadness that is #JsonLD and the idiosyncrasies of how it's implemented in Mastodon. However dubious the whole effort may be, I now have a working prototype that I'll add to #Enigmatick in the next few days.
My motivation is to allow me to connect my server to a relay with some confidence that I can verify the source of the messages that are being relayed in. There are newer standards that I want to build to eventually. But the reality is that this bastardized #RsaSignature2017 format is what's in use for the vast majority of messages today.
I'll add the routines to my #jdtactivitypub crate (on crates.io) so that other #RustLang folks have a working example. I'm also going to try to add my HTTP signature and verification methods to that crate.
-
@alyxshang replied to Justin Thomas
@jdt Noted. But isn't JLD just used for getting actor URLs?
-
FEP-8b32 is what modern ActivityPub implementations use to sign activities. LD signatures are not really necessary (though you can add both at the same time if you want).
Also, there are two types of relays: Mastodon relays and LitePub relays. Only Mastodon relays require LD signatures, and they have other major flaws. I don't recommend using them.
You can read about the two types here: https://codeberg.org/fediverse/fep/src/branch/main/fep/ae0c/fep-ae0c.md
-
-
@silverpill @jdt it's not so much about adding the signatures to outgoing messages for me as it is verifying what is sent.
Mastodon only sends the LD signatures (as far as I can see), so that's all we have to work with from those systems. Pragmatically, it seems like I have to be able to process them.
-
@justin @jdt Verifying HTTP signature is sufficient in most cases. Are you concerned about relayed and forwarded activities? When I receive a forwarded Create/Update activity I simply fetch its object by ID, it works well.
I guess if you're following a Mastodon-style relay, that might become a problem because the number of activities is quite big. In this case, implementing LD signature verification would make sense.
-
Justin Thomas replied to @alyxshang
@alyxshang It's barely used there.
Where it does matter today is where signatures are attached to activities. You have to convert the JSON to quads and canonicalize it, which takes you deep into JSON-LD territory.
RsaSignature2017 is deprecated, but still widely used. And if you want to verify Mastodon messages from relays without reaching out and retrieving them individually, it's the only option today.
-
@alyxshang replied to Justin Thomas
@jdt How necessary is this as a part of implementing Activity Pub?
-
Justin Thomas replied to @alyxshang
@alyxshang Not at all. It's only relevant in the narrow case where you're concerned with the legitimacy of Mastodon activities passed through relays (which is currently on my mind).
-
@alyxshang replied to Justin Thomas
@jdt Jesus, thank you. You had me nervous there for a second. Which language are you implementing this in if I may ask? I'm building my backend in Rust.
-
Justin Thomas replied to @alyxshang
@alyxshang Most everything with #Enigmatick is in #Rust. The core is built on Rocket. The web interface is #Svelte, but it relies heavily on a client-side #WASM component built in Rust as well.
My #ActivityPub structs can be found here if they're of any use to you.
The Mitra and Lemmy projects are also Rust and might provide some useful inspiration.
-
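The trust decision discussed in this thread, as an added example that is not code from Enigmatick, the jdtactivitypub crate, or any participant: an HTTP signature from a relay authenticates the relay, not the author, so a relayed activity needs either its embedded LD signature verified or a re-fetch of the object by ID. The function and type names are hypothetical, the identifiers are constructed, and the HTTP signature is assumed to have been verified already.

```rust
// Added example, not from Enigmatick or jdtactivitypub; all names are hypothetical.
#[derive(Debug, PartialEq)]
enum Trust {
    HttpSignature,    // HTTP signature key is on the actor's own origin
    NeedsLdSignature, // third-party delivery: verify the embedded RsaSignature2017
    FetchById,        // third-party delivery, nothing usable embedded: re-fetch from origin
    Reject,           // identifiers are not usable http(s) URLs
}

/// Lowercased "scheme://authority" of an http(s) URL. Default ports are not
/// normalized, so ":443" vs no port compares unequal (fails toward the stricter path).
fn origin(url: &str) -> Option<String> {
    let (scheme, rest) = url.split_once("://")?;
    let scheme = scheme.to_ascii_lowercase();
    if scheme != "https" && scheme != "http" {
        return None;
    }
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    if authority.is_empty() || authority.contains('@') {
        return None;
    }
    Some(format!("{}://{}", scheme, authority.to_ascii_lowercase()))
}

/// `http_key_id`: keyId of the already verified HTTP signature.
/// `actor`: the activity's actor. `ld_creator`: `signature.creator`, if present.
/// Origin equality is a coarse pre-check; the key's owner must still match the actor.
fn classify(http_key_id: &str, actor: &str, ld_creator: Option<&str>) -> Trust {
    let (signer, author) = match (origin(http_key_id), origin(actor)) {
        (Some(s), Some(a)) => (s, a),
        _ => return Trust::Reject,
    };
    if signer == author {
        return Trust::HttpSignature;
    }
    match ld_creator.and_then(origin) {
        Some(c) if c == author => Trust::NeedsLdSignature,
        _ => Trust::FetchById,
    }
}

fn main() {
    // Constructed sample identifiers.
    let actor = "https://mastodon.example/users/alice";
    let relay = "https://relay.example/actor#main-key";
    let own = "https://mastodon.example/users/alice#main-key";
    println!("{:?}", classify(own, actor, None));
    println!("{:?}", classify(relay, actor, Some(own)));
    println!("{:?}", classify(relay, actor, None));
}
```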