Ignoring what the specification recommends, could you build a fedi server that uses a single, shared keypair for all actors? Would that even be able to federate, or are there systems out there using key ID as a unique identifier?#ActivityPub #ActivityS...
-
Jenniferplusplusreplied to Hazelnoot on last edited by
@hazelnoot But if a set of actors are sharing the same key, the only thing you can know with confidence is that a message came from one of those actors. It can claim to be a specific member of that set all they like, but that's not a claim anyone can trust.
-
Jenniferplusplusreplied to Hazelnoot on last edited by
@hazelnoot @thisismissem for ~11 million accounts? Seems fine to me. The fediverse is kind of a distributed, primitive key management service when you think about it in these terms.
-
Hazelnootreplied to Jenniferplusplus on last edited by
@[email protected] true, but that's the case either way. When the server is responsible for key management, it can also decide which actor gets which key. As long as you let the remote servers tell you which key goes with which actor, then you have to assume that the actors don't actually hold their own keys.
-
Jenniferplusplusreplied to Hazelnoot on last edited by
@hazelnoot That's true as far as it goes. I would point out that nothing anywhere suggests the server should be in control of the keys. In fact, a lot of the protocol designers really dislike that it shaped up that way in practice. And, I can't imagine a good faith reason for a peer to do that.
-
Hazelnootreplied to Jenniferplusplus on last edited by
@[email protected] yeah, that's all fair. No good-faith instance should be messing with keys like that. But it is possible with the Fediverse as it currently functions.
-
Jenniferplusplusreplied to Hazelnoot on last edited by
@hazelnoot Yeah. My most charitable read of a server doing that is that it's block evasion. And protecting against that block evasion will likely necessarily also prohibit servers that share a private key with all actors.
-
@jenniferplusplus @hazelnoot I think we currently have to trust the admin doesn't take over accounts currently.
-
@risottobias @jenniferplusplus @hazelnoot The server chooses who gets which key already, and you check by asking it for it via webfinger, so separate keys per actor is relying on trusting the server anyway.
-
@[email protected] @[email protected] @[email protected] exactly. Even if an actor was using C2S with cliient-side keys, the server could still MITM by stripping the signatures and re-signing with its own keys. Fedi has no root-of-trust so it's impossible for a remote server to ever know if this happened.
-
Jenniferplusplusreplied to Hazelnoot on last edited by
@hazelnoot @KevinMarks @risottobias
That's not necessarily true.Anyway, the question was why shouldn't a server do this. The answer is because it makes many problems worse, and the benefits are tiny.