ActivityPump and signature / origin verification from Jason Robinson on 2015-12-20 (public-socialweb@w3.org from December 2015)

From: Jason Robinson <mail@jasonrobinson.me>
Date: Sun, 20 Dec 2015 17:53:34 +0200
To: "public-socialweb@w3.org" <public-socialweb@w3.org>
Message-ID: <5676CEFE.2040105@jasonrobinson.me>
Hey all,

The current ActivityPump draft specifies the following things [1]:

/> Servers //SHOULD//validate the content they receive to avoid content 
spoofing attacks. In particular, servers //SHOULD NOT//trust client 
submitted content, and federated servers also //SHOULD NOT//trust 
content received from a server other than the content's origin. The 
general mecahism that is specified for this at this time is for a 
recipient of some referenced activitystreams object to verify the 
presence of that object on the original server. Other mechanisms such as 
verifying signatures are left out of scope of this document. (However, 
if other generally agreed upon mechanisms for handling verification 
become available in the future, servers are welcome to use those 
methods, in the future.) //
/
Two things I have problems with in this spec:

*Signature verification*

I think any good standard for a federated web protocol should contain at 
least a SHOULD to signature verification. Ideally, to provide 
reliability to content ownership, received content (server to server) 
SHOULD be 1) signature verified and 2) presence verified (for content 
type messages). Both checks are important for different reasons.

At least when looking at diaspora*, redmatriz/hubzilla and AFAICT GNU 
Social and Friendica, signature verification is *THE* way to verify content.

Another hard to solve problem that needs signature verification is 
identity backup / restore and migration. This is something that afaik is 
only supported on Redmatrix/Hubzilla, from what I know. I've drafted 
some ideas on a possible solution in the diaspora* wiki - and it relies 
on signatures [2]. The idea is to make sure identities can be 
automatically backed up and migrated around.

What are the reasons why we wouldn't have signature verification when 
receiving content from other servers?

*Content received from*

Another problem with the current draft I see is the "SHOULD NOT trust 
content received from a server other than the content's origin". 
Federated web is hard, especially in scaling. We've already built a 
special decentralized relay system [3] that is supported by diaspora* 
and Friendica at the moment, which would simply not be possible if all 
content MUST be delivered from the source. Verifying signatures allows 
this kind of load balancing of moving content around because the target 
node will always make sure the message is from the person it claims to 
be from.

Verifying signatures and allowing content from non-author locations will 
also enable the possibility of not always online federated servers, for 
example in desktops and mobile phones. These would rely on "postman" 
type of relay servers to keep content targeted to their server and fetch 
it on demand. These are afaik just theoretical at the moment, but having 
a SHOULD NOT trust except from original location would kill the 
possibility for anything like this.

Not having this SHOULD NOT in the spec of course means that the content 
should be signed and verified against the public key of the author.

Opinions?

[1]: http://w3c-social.github.io/activitypump/#obj (2nd paragraph)
[2]: https://wiki.diasporafoundation.org/Relay_servers_for_public_posts
[3]: https://wiki.diasporafoundation.org/Account_Backup_And_Restore

-- 
-----
Br,
Jason Robinson
https://jasonrobinson.me
Received on Sunday, 20 December 2015 15:54:02 UTC