Add a description of "RsaSignature2017" #9361

Open
marnanel opened this issue Nov 26, 2018 · 1 comment

@marnanel

commented Nov 26, 2018

As far as I can see, Mastodon does not document the "RsaSignature2017" signature method, which is needed in order to verify ActivityPub messages received from Mastodon instances.

Please could you document it? Or is there some other way of verifying incoming messages?

My efforts to figure it out from the Ruby source have foundered on its apparent reliance on specific quirks of Ruby's RDF Turtle serializer. Here are my notes, anyway: https://gist.github.com/marnanel/ba6cba944d1f12d705891b1f7a7808d6

@nightpool

Collaborator

commented Nov 26, 2018

Mastodon uses JSON-LD signatures, which are documented here: https://w3c-dvcg.github.io/ld-signatures/ but you don't need to use them for most purposes. c14n comes from the RDF Dataset Normalization spec: https://json-ld.github.io/normalization/spec/, which is referenced from the ld-signature spec.

However, for nearly all purposes, you're fine verifying the HTTP Signature header only. HTTP Signatures authenticate the transmission of messages between servers, while the ld-signature values are used only for messages that are forwarded by a third party (a completely optional enhancement).

You can read the HTTP Signature spec here: https://w3c-dvcg.github.io/http-signatures/

All of this is documented on this wiki page: https://www.w3.org/wiki/SocialCG/ActivityPub/Authentication_Authorization and in Mastodon's implementation report.
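The HTTP Signature check that the comment above recommends instead of RsaSignature2017, as an added example that is not part of the original issue and is not Mastodon's own code: a signer and a verifier for the draft-cavage HTTP Signatures scheme with the `rsa-sha256` algorithm, in Ruby. The verifier refuses any signature that does not cover `(request-target)`, `date` and `digest`, recomputes the body digest, and checks the Date header against a freshness window. The actor key id, the in-memory key table standing in for the actor fetch, the request body and header list, and the 12-hour `MAX_CLOCK_SKEW` window are all assumptions made for this example; a real inbox fetches the public key from the `keyId` URL and applies its own freshness policy.

```ruby
require 'openssl'
require 'digest'
require 'time'

# Assumed freshness window for the Date header. The exact limit a real server
# applies is a policy choice; this value is not taken from Mastodon's code.
MAX_CLOCK_SKEW = 12 * 3600

# Build the string that is actually signed: one "name: value" line per header
# named in the Signature header's `headers` list, in that order. The pseudo-header
# "(request-target)" covers the request line as "<lowercased method> <path>".
def signing_string(method, path, headers, header_names)
  header_names.map do |name|
    if name == '(request-target)'
      "(request-target): #{method.downcase} #{path}"
    else
      "#{name}: #{headers.fetch(name)}"
    end
  end.join("\n")
end

# Sender side: sign the request and produce the Signature header value.
def build_signature_header(key, key_id, method, path, headers, header_names)
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_string(method, path, headers, header_names))
  %(keyId="#{key_id}",algorithm="rsa-sha256",headers="#{header_names.join(' ')}",signature="#{[sig].pack('m0')}")
end

# Parse `k="v",k2="v2"` into a hash of signature parameters.
def parse_signature_header(value)
  value.scan(/(\w+)="([^"]*)"/).to_h
end

# Receiver side. `public_keys` maps keyId -> OpenSSL::PKey::RSA and stands in for
# the actor fetch a real server would do. Header names are assumed lowercased.
def verify_request(public_keys, method, path, headers, body, now: Time.now)
  params = parse_signature_header(headers.fetch('signature'))
  key = public_keys[params['keyId']] or return false
  return false unless params['algorithm'] == 'rsa-sha256'
  header_names = params.fetch('headers', 'date').split(' ')
  # Refuse signatures that leave the request line, the Date or the body uncovered:
  # otherwise a captured signature could be replayed against another path or body.
  return false unless %w[(request-target) date digest].all? { |h| header_names.include?(h) }
  return false if (now - Time.httpdate(headers.fetch('date'))).abs > MAX_CLOCK_SKEW
  return false unless headers['digest'] == "SHA-256=#{[Digest::SHA256.digest(body)].pack('m0')}"
  sig = params.fetch('signature').unpack1('m0')
  key.verify(OpenSSL::Digest.new('SHA256'), sig, signing_string(method, path, headers, header_names))
rescue KeyError, ArgumentError, OpenSSL::PKey::PKeyError
  false
end

# Round trip on a constructed request: a POST to an inbox signed with a fresh key,
# then the same signature replayed against a modified body, another path and a
# stale clock. Only the untouched request should verify.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  key_id = 'https://sender.example/users/alice#main-key' # constructed actor key id
  body = '{"@context":"https://www.w3.org/ns/activitystreams","type":"Create"}'
  headers = {
    'host' => 'receiver.example',
    'date' => Time.now.utc.httpdate,
    'digest' => "SHA-256=#{[Digest::SHA256.digest(body)].pack('m0')}",
    'content-type' => 'application/activity+json'
  }
  names = ['(request-target)', 'host', 'date', 'digest', 'content-type']
  headers['signature'] = build_signature_header(key, key_id, 'POST', '/inbox', headers, names)
  known = { key_id => OpenSSL::PKey::RSA.new(key.public_key.to_pem) }
  {
    valid:         verify_request(known, 'POST', '/inbox', headers, body),
    tampered_body: verify_request(known, 'POST', '/inbox', headers, body + ' '),
    wrong_path:    verify_request(known, 'POST', '/other-inbox', headers, body),
    stale_date:    verify_request(known, 'POST', '/inbox', headers, body, now: Time.now + 2 * MAX_CLOCK_SKEW)
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The insistence on `(request-target)` and `digest` being in the signed header list is the part most often skipped: the draft's default is to sign only `date`, which binds the signature to nothing but a timestamp, so a receiver that accepts that default lets a captured signature be replayed with any body to any inbox within the freshness window.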
