[Feature request] API extension: SOGS pubkey #185
Comments
|
would a |
|
we can use the we really do need a formal RFC style pipeline for these feature adds. |
|
In cases where the SOGS isn't using SSL wouldn't this be insecure, requesting the public key for a SOGS via an unsecured http request? It's expected that the public key be obtained out of band to secure against MITM, this seems like it would open that attack up |
|
For HTTP SOGS this problem exists anyway, since the only way to get their pubkey right now is to rely on the HTTP preview (Example: http://sog.caliban.org/r/privacy/) which can be MITM-ed, too. |
Hi, maintainer of sessioncommunities.online here.
We're supposing the following API extension:
Currently there's no way to get the public key of a SOGS via API.
If you have access to the API of a specific SOGS, you can get all the info you need to join one or more of the present communities except for the common public key. To get that, you need to open the preview (if accessible) or rely on a third-party source (session.directory, sessioncommunities.online) to provide the key for you.
As the maintainer of one of these third-party ressources, it means we need to make additional http requests to other sites and have to parse that info to (hopefully) find the correct public key to present.
This isn't only computationally wasteful and error-prone, it's also really inconvenient for everyone using the API.
(Anecdote: In the past one SOGS operator changed their public key, which resulted in conflicting public information about which key is the correct one. This resulted in confusion and made us implement a manual workaround to override found public keys with manual known good copies. Ideally this would just be a single API request.)
Since the information clearly is available on the server, I propose to make the public key available via the API.
The text was updated successfully, but these errors were encountered: