Re: HTTP Signature CG report

Shouldn't `example.com` serve the Foo version, not the Bar version, at that URL? I'm confused on where the receiving server is getting the bar version, if not from example.com. I hope no one is advocating for the receiving server to cut example.com out of the loop and let every tom, bar and mallory claim unverified `id`s at example.com? It feels like I'm missing something basic, and we might be uncovering an assumption that should be made more explicit somewhere.

Thanks,
__bumble

On 2/7/2024 8:46 AM, nightpool wrote:

> I'm talking about the ID for the activity itself. The Activity is attributedTo example.com/users/foo, but it purports to share an id (example.com/posts/123) with a legitimate post made by example.com/users/bar. There is no way a receiving server can tell that example.com/posts/123 is "supposed to" be bar's ID to sign, instead of foo's.
>
> On Wed, Feb 7, 2024 at 11:43 AM Dmitri Zagidulin <dzagidulin@gmail.com> wrote:
>
>>> If clients have custody of keys, then `foo@example.com` could wait for `bar@example.com` to make a post, and then sign an activity with the same ID (e.g. "example.com/posts/102930")
>>
>> Wait, that's not how client signing works tho. The whole point of client signing is that nobody else can sign with the same ID (cause they don't have your keys).

Received on Wednesday, 7 February 2024 16:54:48 UTC
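
The check asked about in the first message, sketched as an added example that is not part of the thread or of any ActivityPub implementation: a receiving server accepts a signed, pushed activity only if the origin that hosts its `id` attributes that `id` to the signing actor. Signature verification is assumed to have already succeeded; `fetch_from_origin`, `accept_pushed_activity` and the sample documents are hypothetical and constructed.

```python
from urllib.parse import urlsplit

# Constructed stand-in for an HTTPS dereference: what example.com serves per id.
ORIGIN_DOCS = {
    "https://example.com/posts/123": {
        "id": "https://example.com/posts/123",
        "attributedTo": "https://example.com/users/bar",
    },
}

def fetch_from_origin(object_id):
    """Hypothetical fetch; a real server would GET object_id from its own host."""
    return ORIGIN_DOCS.get(object_id)

def same_origin(a, b):
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.scheme, ua.netloc.lower()) == (ub.scheme, ub.netloc.lower())

def accept_pushed_activity(activity, signer_actor):
    """signer_actor is the actor whose key verified the signature (assumed done)."""
    obj_id = activity.get("id")
    claimed = activity.get("attributedTo")
    if not obj_id or not claimed:
        return (False, "missing id or attributedTo")
    if claimed != signer_actor:
        return (False, "attributedTo does not match signing actor")
    if not same_origin(obj_id, signer_actor):
        return (False, "id is on a different origin than the signer")
    served = fetch_from_origin(obj_id)
    if served is None:
        return (False, "origin does not serve this id")
    if served.get("attributedTo") != claimed:
        return (False, "origin attributes this id to another actor")
    return (True, "ok")

# Constructed activities: bar's legitimate post, and foo's copy reusing bar's id.
BAR_POST = {"id": "https://example.com/posts/123",
            "attributedTo": "https://example.com/users/bar"}
FOO_COLLISION = {"id": "https://example.com/posts/123",
                 "attributedTo": "https://example.com/users/foo"}

if __name__ == "__main__":
    print(accept_pushed_activity(BAR_POST, "https://example.com/users/bar"))
    print(accept_pushed_activity(FOO_COLLISION, "https://example.com/users/foo"))
```
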