Re: HTTP Signature CG report

> If clients have custody of keys, then `foo@example.com` could wait for
> `bar@example.com` to make a post, and then sign an activity with the same ID
> (e.g. "example.com/posts/102930")

Wait, that's not how client signing works tho. The whole point of client
signing is that nobody else can sign with the same ID (cause they don't
have your keys).

Received on Wednesday, 7 February 2024 16:43:48 UTC