Re: HTTP Signature CG report from Ryan Barrett on 2024-02-08 (public-swicg@w3.org from February 2024)

From: Ryan Barrett <public@ryanb.org>
Date: Thu, 8 Feb 2024 07:24:22 -0800
To: Cristiano Longo <cristianolongo@opendatahacklab.org>
Cc: public-swicg@w3.org
Message-ID: <CA+caGh-fqkPYf2kPYiaLqCKr2UfU0z1beXfHOENBn2hRK3Fsuw@mail.gmail.com>
It definitely would! We already have a pretty substantial list of goals for
the report, along with a solid set of other non-goals that we'd love to dig
into but regrettably have to postpone to keep the scope manageable, so
sadly I don't think we'll have time to add this.
https://github.com/swicg/activitypub-http-signature/issues

It definitely seems worth digging into though! Cristiano, we'd love it if
you and/or others were interested in digging into it, in either a follow-up
to this report or maybe a full report on its own! I'm sure Evan and the
other chairs would be happy to talk and help with details.

On Thu, Feb 8, 2024 at 3:59 AM Cristiano Longo <
cristianolongo@opendatahacklab.org> wrote:

> I'm solely suggesting that investigating the client-side signature
> approach, also with reporting the security issue provided by nightpool,
> would make the report more exhaustive.
>
> CL
> On 07/02/24 18:03, Dmitri Zagidulin wrote:
>
> > I think we're probably significantly off-topic for the thread in
> question then,
>
> Yeah, hehe, agreed, sorry bout that.
>
>
>
> On Wed, Feb 7, 2024 at 12:03 PM nightpool <eg1290@gmail.com> wrote:
>
>> I think we're probably significantly off-topic for the thread in question
>> then, which is about a CG report on the current state of HTTP Signatures
>> within the fediverse. The scheme you're proposing would require two keys
>> (one for the actor to sign client-side, and another for the server to sign
>> to verify that the origin https://example.com has been used correctly),
>> or a delegated key with some kind of ID prefix (i.e. some way for
>> example.com to say that mallory's key is valid only for URIs starting
>> with example.com/@mallory/).
>>
>> On Wed, Feb 7, 2024 at 11:57 AM Dmitri Zagidulin <dzagidulin@gmail.com>
>> wrote:
>>
>>> Also, let me back up and try to address this on a slightly more abstract
>>> level.
>>> Server-side signing is a TEMPORARY state of affairs. Like.. it's not
>>> good, it's just an artifact of tech limitation (lack of good client-side
>>> key management options) at the time.
>>> And it's definitely not the "only secure method" that the previous
>>> discussion is implying, but exactly the opposite (something we have to put
>>> up with currently, but will try to move away from).
>>>
>>> If current server implementations don't handle client-side signing
>>> correctly, that's fine, we'll have to fix that (and painfully wait till the
>>> fixes propagate through the ecosystem).
>>> If there's something in the AP protocol that's adding to the confusion /
>>> making client-side signing harder, we'll fix the protocol.
>>>
>>> (Hopefully my answers make more sense in that context.)
>>>
>>>
>>>
>>>
>>> On Wed, Feb 7, 2024 at 11:49 AM Dmitri Zagidulin <dzagidulin@gmail.com>
>>> wrote:
>>>
>>>> > There is no way a receiving server can tell that
>>>> example.com/posts/123 is "supposed to" be bar's ID to sign, instead of
>>>> foo's.
>>>>
>>>> And why's that a problem? (also, let's switch to the usual Alice for
>>>> legit post author and Mallory for the attacker).
>>>> If Alice creates a post and client-side signs it, and then Mallory
>>>> makes a post with the same ID and client-side signs it and sends it to
>>>> another server -- you're right that the receiving server doesn't know who
>>>> the post is "supposed to" belong to.
>>>> However, that doesn't really matter. People who don't subscribe to
>>>> Mallory won't see her posts (they'd only see Alice's posts). Is that not
>>>> the case?
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Feb 7, 2024 at 11:46 AM nightpool <eg1290@gmail.com> wrote:
>>>>
>>>>> I'm talking about the ID for the activity itself. The Activity is
>>>>> attributedTo example.com/users/foo, but it purports to shares an id (
>>>>> example.com/posts/123) with a legitimate post made by
>>>>> example.com/users/bar. There is no way a receiving server can tell
>>>>> that example.com/posts/123 is "supposed to" be bar's ID to sign,
>>>>> instead of foo's.
>>>>>
>>>>> On Wed, Feb 7, 2024 at 11:43 AM Dmitri Zagidulin <dzagidulin@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> > If clients have custody of keys, then `foo@example.com` could wait
>>>>>> for `bar@example.com` to make a post, and then sign an activity with
>>>>>> the same ID (e.g. "example.com/posts/102930")
>>>>>>
>>>>>> Wait, that's not how client signing works tho. The whole point of
>>>>>> client signing is that nobody else can sign with the same ID (cause they
>>>>>> don't have your keys).
>>>>>>
>>>>>>
>>>>>>

-- 
https://snarfed.org/
Received on Thursday, 8 February 2024 15:25:09 UTC