Minutes from 2 May 2024 WG Meeting
-
silverpillreplied to Mike Macgirvin 🖥️ on last edited by
@mikedev Okay, I think I'm starting to see the big picture here. When a group actor publishes Add or Announce activity which wraps another activity, the recipients should somehow verify the authenticity of a wrapped activity. With FEP-8b32 this is easy. Without FEP-8b32 you need to fetch the wrapped activity from its server of origin. However, when the group is private the activity would be private as well, and everything becomes complicated. The originating server may not know who is part of the group and who is not, and therefore it can't enforce privacy by requiring a signed fetch.
To work around this in his non-FEP-8b32 implementation of FEP-400e, @grishka invented "actor tokens": https://codeberg.org/fediverse/fep/src/branch/main/fep/db0e/fep-db0e.md
Am I getting this right?
Curiously, the authentication of wrapped activities is not described in FEP-1b12. I posted about this problem on SocialHub forum yesterday but haven't gotten a response yet: https://socialhub.activitypub.rocks/t/fep-1b12-group-federation/2724/66
Is it so obvious that it doesn't need to be stated? Or is there a huge security hole in existing FEP-1b12 implementations because no one have bothered to think about this?
-
Mike Macgirvin 🖥️replied to silverpill on last edited byThird party issues are subtle enough that they're obvious only after you actually have to deal with them. I've been dealing with them for a long time now. Both in private groups and multiple protocol interactions - where we were trying to make something from protocol 'A' visible to somebody using protocol 'B' when we ourselves used protocol 'C'.
Tokens are one way to do it, but they can be real tricky to secure, and they need to be stripped from conversational objects or inReplyTo's and de-duplication don't work correctly. Or give everybody in the conversation the exact same token - in which case they don't really provide very good access control. These are things most people don't come to grips with until they try it.
We've traditionally implemented private groups in other protocols by doing a straight resend/relay of a signed activity by the group actor, and we did this in AP with LD-signatures for a while. I don't think Mastodon supports relaying any more because they're now verifying sender-id (via the HTTP-sig) against actor-id and rejecting mismatches.
FEP-8b32 along with Collections conveniently gets around all of the related issues. The sender and actor id of the Add activity matches, and the object is a complete signed activity. -
-
@[email protected] said in Minutes from 2 May 2024 WG Meeting:
Do you authenticate wrapped activities?
Do you mean something like a
Announce(Note)
? If it'sAnnounce(Create(Note))
, I am pretty sure NodeBB doesn't handle that yet, so they're dropped.But for the former... on the way in, if
object
is anything other than a uri, we check it's origin. If it matches the actor, then we assume validity. Otherwise we retrieve the object anew from the source.We don't currently support integrity proofs (8b32) or actor tokens (db0e) yet, so if the object cannot be retrieved, then the entire activity is dropped as unprocessable.
-
@julian Makes sense. Accept if origin is the same, otherwise retrieve from source. I think Announce(Create(Note)) and other FEP-1b12 activities should be processed in the same way:
FEP-1b12: Group federation
Internet forums are probably the oldest form of social media. They can be implemented with the Activitypub protocol, but such implementations may not necessarily be compatible with each other. This document defines a com…
SocialHub (socialhub.activitypub.rocks)
-
@[email protected] is the sending of
Announce(Create(Note))
an implementation quirk, or is it explicitly defined in an FEP?My assumption is that you announce Likes and Notes, but I guess there's theoretically nothing stopping someone from Announcing that someone Liked your Announce of a Creation of a Note — a
Announce(Like(Announce(Create(Note))))
... but... yikes.
-
-
@julian Activities like
Announce(Create(Note))
are the main point of FEP-1b12:>In case the incoming activity is deemed valid, the group MUST wrap it in an Announce activity, with the original activity as object.
Announce(Note)
is an additional activity that Lemmy sends to remain compatible with micro-blogging apps. -
@[email protected] Understood... in that case NodeBB should handle the wrapped activity. That might take some refactoring, but nothing major. Thanks for the clarification.
-
Yup! You can wrap that onion as big as you'd like. Nothing stopping you except for convention. It's like how people on Twitter will sometimes quote tweet each other in a really long chain.
-
@[email protected] said in Minutes from 2 May 2024 WG Meeting:
Yup! You can wrap that onion as big as you'd like. Nothing stopping you except for convention.
I'm having a tough time figuring out in my head how my backend is supposed to handle receipt of an activity with n-layers. Just the thought of each layer of said onion having their own side-effects is causing my brain to stop working.
Perhaps this is a scenario where each object having an ID would be helpful?
Contrived e.g.
Announce(Like(Announce(Create(Note))))
might have idse > d > c > b > a
, but if my backend has already processeda
,b
, andc
, then I only have to considerd
ande
? -
Yeah, id helps. it actually wouldn’t be practically possible without ids.
-
Thats how FEP-1b12 works, its necessary if you want to federate activities such as voting, deletions or mod actions and not only post creations. But Lemmy doesnt support arbitrarily wrapped activities, only specific hardcoded ones like Announce/Create/Note, Announce/Like or Announce/Delete.
-
-
-
>The originating server may not know who is part of the group and who is not, and therefore it can't enforce privacy by requiring a signed fetch.
In Friendica, group participants are represented by private
followers
collection, which can be retrieved using signed fetch:https://socialhub.activitypub.rocks/ap/object/781ebb23f1080082071d0c156543eb5f
So I don't see any fundamental difference between FEP-400e and FEP-1b12. The authentication issue, however, is quite important, because without FEP-8b32 the group either doesn't scale or can impersonate anyone.