Re: Show: blog about http signatures

Hi, Marcus

> I don't understand the relevance of CDNs here - that may be my blind spot as a single user server creator.

If the server administrator decides to use CDN or other similar service, TLS terminates at the CDN service provider, not at the ActivityPub server. Those service providers usually don't provide method to authenticate client using client certificate or if they provide, they focuses on validating client certificate against the private CA (for enterprise use cases), not against trusted public CA certs, which required for the potential ActivityPub usecase.

Also, as stated by Evan, TLS client certificate only validates authenticity of the server, not the actor. This will not play well with some FEPs which lets user to manage their own DID and private keys.

> P.S.: attacker M, what a coincidence, lol.

Uhh, actually, I intended A(lice), B(ob) and M(allory or any Malicious word) in there. Sorry if you were offended.

9 Oct 2024 04:56:00 Marcus Rohrmoser <me.swicg@mro.name>:

> 
> Hi perillamint.
> 
> On Wed, 9 Oct 2024 02:43:08 +0900
> perillamint <perillamint@silicon.moe> wrote:
> 
>> M sends an Activity to server B's inbox with an object that claims it originated from server A's actor a
> 
> So you mean http signature is the simplest way to validate the pretending sending actor's domain not being a lie.
> 
> And TLS being organisational overhead so that it's more feasible to do this in the application layer and take control.
> 
> This may be it. However it feels odd to solve the same problem in multiple layers over again and TLS sounds (to me) like promising origin domain authenticity.
> 
> I don't understand the relevance of CDNs here - that may be my blind spot as a single user server creator.
> 
> Marcus
> 
> P.S.: attacker M, what a coincidence, lol.