Re: HTTP Signature CG report from nightpool on 2024-02-07 (public-swicg@w3.org from February 2024)

From: nightpool <eg1290@gmail.com>
Date: Wed, 7 Feb 2024 11:46:02 -0500
To: dzagidulin@gmail.com
Cc: Cristiano Longo <cristianolongo@opendatahacklab.org>, Social Web Incubator Community Group <public-swicg@w3.org>
Message-ID: <CAJY4u8HfvLP_Lqp6chu+kFSvuJOozhN9K0KYhm3=GP9AWd8Feg@mail.gmail.com>

I'm talking about the ID for the activity itself. The Activity is
attributedTo example.com/users/foo, but it purports to shares an id (
example.com/posts/123) with a legitimate post made by example.com/users/bar.
There is no way a receiving server can tell that example.com/posts/123 is
"supposed to" be bar's ID to sign, instead of foo's.

On Wed, Feb 7, 2024 at 11:43 AM Dmitri Zagidulin <dzagidulin@gmail.com>
wrote:

> > If clients have custody of keys, then `foo@example.com` could wait for `
> bar@example.com` to make a post, and then sign an activity with the same
> ID (e.g. "example.com/posts/102930")
>
> Wait, that's not how client signing works tho. The whole point of client
> signing is that nobody else can sign with the same ID (cause they don't
> have your keys).
>
>
>

Received on Wednesday, 7 February 2024 16:46:19 UTC