Re: HTTP Signature CG report

Hi Ryan and nightpool,

thanks for taking initiative to improve the specifications mandaratorily used in today's fediverse. The previous word of mouth culture is IMO a big obstacle to interoperability.

On Mon, 5 Feb 2024 11:34:07 -0800
Ryan Barrett <public@ryanb.org> wrote:

> We've started collecting candidate requirements in
> https://github.com/swicg/activitypub-webfinger/issues . Feel free to
> comment or add your own proposals!

While I somehow feel the appeal of cryptography, I miss the hard facts about it's benefits here.

We have the tls umbrella, so there should be a certain trust in that the other side is who they pretend to be. Like in "the same private key as last time", right?

Introducing mechanisms (in application layer) where the communicating party (the user) has no hold of the private key, still requires full trust to the holder i.e. the server application and the underlying storage system and their operators.

What do we gain? We still have to trust the application.

Given that, we just could block based on self-declared incoming actor id + ssl validity, save complexity and not have to resort on volatile standard drafts.

What am I missing?

Marcus

Received on Tuesday, 6 February 2024 10:05:08 UTC