mirror of
https://code.naskya.net/repos/ndqEd
synced 2025-01-10 11:26:45 +09:00
FEDERATION.md: Write the authenticated inbox forwarding proposal
This commit is contained in:
parent
e8fe55aee9
commit
dccb91f47c
1 changed files with 74 additions and 0 deletions
|
@ -459,6 +459,80 @@ trivial to do.
|
|||
|
||||
#### (2) Authenticated inbox forwarding
|
||||
|
||||
When you receive an activity from another server, by some actor A, you want to
|
||||
have some confidence that the activity was really published by actor A, and not
|
||||
by someone pretending to be actor A, or just sending you spam attributed to
|
||||
random people. This is done as follows:
|
||||
|
||||
- You verify the HTTP Signature of the request
|
||||
- You verify the signing key's owner actor is the same actor to which the
|
||||
activity is attributed
|
||||
|
||||
However in some cases, such as in ForgeFed, an activity is delivered to you
|
||||
indirectly, by someone who isn't the author. Specifically, there's a mechanism
|
||||
in ActivityPub called *inbox forwarding*, in which a server receives an
|
||||
activity at an inbox, and delivers it further to more actors. For example, in
|
||||
ForgeFed, inbox forwarding is used to allow actors to address activities to
|
||||
collections managed by other servers, and those servers dereference the
|
||||
collections and forward the activity to the collection member actors.
|
||||
|
||||
This proposal suggests a way to authenticate such inbox-forwarded activities.
|
||||
|
||||
The concept is as follows: If Aviva sends Luke an activity, and she'd like him
|
||||
to forward it, in the HTTP POST request to his inbox, she includes an
|
||||
additional signature, in addition to the regular one. Luke uses the regular
|
||||
signature to verify the sender is really Aviva. The additional signature, he
|
||||
sends along when he forwards the activity, and the recipients use it to verify
|
||||
that:
|
||||
|
||||
- The original author is really Aviva
|
||||
- Aviva gave Luke explicit permission to forward the activity
|
||||
|
||||
In addition, the additional signature can be thought of as a *request* to
|
||||
forward the activity.
|
||||
|
||||
The technical details:
|
||||
|
||||
- The additional HTTP Signature that Aviva includes in the POST request to
|
||||
Luke's inbox is placed in the `Forwarding-Signature`.
|
||||
- Aviva also includes a header `ActivityPub-Forwarder`, whose value is Luke's
|
||||
ID URI.
|
||||
- The `Forwarding-Signature` signature must use at least the headers `Digest`
|
||||
and `ActivityPub-Forwarder`.
|
||||
- When Luke receives the activity from Aviva, he notices that the
|
||||
`ActivityPub-Forwarder` header is present, and that it's his ID URI, and that
|
||||
`Forwarding-Signature` is present too, and he takes that as a request and
|
||||
permission to perform inbox forwarding. He determines to whom to forward the
|
||||
activity using the ActivityPub inbox forwarding rules, as specified in the
|
||||
ActivityPub spec. Luke also may examine the `Forwarding-Signature`, verify
|
||||
that the signed headers are present, and perhaps also fetch Aviva's key and
|
||||
verify the signature.
|
||||
- Luke verifies the regular HTTP Signature in Aviva's request, and verifies the
|
||||
`Digest` header by computing the request body hash
|
||||
- When Luke forwards the activity to other actors, he uses the exact same
|
||||
request body that Aviva sent him, copying the bytes without any modification.
|
||||
- Luke includes in his forwarding POST requests the `Digest` header copied from
|
||||
Aviva's request, and the `Forwarding-Actor` header copied as well, and also
|
||||
also her additional HTTP signature, except he places that signature in the
|
||||
`Forwarded-Signature` header, not in `Forwarding-Signature`. For the
|
||||
signature to be successfully verified by recipients, Luke will also need to
|
||||
copy any other headers used in the `Forwarding-Signature` that Aviva sent.
|
||||
Unless extensions to this proposal require other specific headers, the *only*
|
||||
headers used in the forwarding signature should be `Digest` and
|
||||
`ActivityPub-Forwarder`. In particular, don't use `Host` and
|
||||
`(request-target)`, because these vary per request and that will make
|
||||
authenticated forwarding impossible.
|
||||
- Each recipient of Luke's forwarding POST tries to verify his HTTP Signature,
|
||||
to verify that Luke is indeed the author of the activity. However the
|
||||
recipient discovers that while Luke is the sender and his signature is valid,
|
||||
the author is actually Aviva. The recipient then notices the
|
||||
`Forwarded-Signature` header, which means this is a forwarded activity, and
|
||||
that the `ActivityPub-Forwarder` is Luke, which means Aviva gave Luke
|
||||
permission to forward this activity. The recipient then verifies the HTTP
|
||||
Signature in the `Forwarded-Signature` header, verifying Aviva is the
|
||||
original author and gave Luke permission to forward. The recipient then
|
||||
proceeds to process the activity as usual.
|
||||
|
||||
#### (3) Non-announced following
|
||||
|
||||
#### (4) Object nesting depth
|
||||
|
|
Loading…
Reference in a new issue