10 months ago
evan@cosocial.ca
It's important that ActivityPub developers include data integrity checks for inbound activities.
10 months ago
evan@cosocial.ca
@scott both of those, and also that there are not intentional fibs in there. Naive implementations may suffer from cache poisoning attacks.
10 months ago
scott@loves.tech
So, basically you would need something like:

1. Verification that the server is who they say they are.
2. Verification that the identity is who they say they are.
3. Some way of checking to see if the message was tampered with en route.

Some possible solutions are:

A. Identity proof via public and private keys or some other method, for both the server and the identity. Do not depend on DNS since the DNS cache can be poisoned.

B. Double encrypt messages. First, the platform encrypts the message, and then it sends that message over HTTPS, which encrypts it a second time.

C. Send a checksum or use some other method for verifying that a message has not been tampered with. (Although, if you double encrypt the message, you probably don't need this.)
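The integrity checks discussed in this thread, sketched as an added example (not part of any post here and not code from any ActivityPub project): it compares the body with its digest, ties the activity's `actor` to the signer, and refuses to cache an embedded object whose `id` lives on a different origin than the actor. Assumptions: the HTTP signature has already been verified elsewhere and yields `signer_actor`, the sender supplies a `Digest: SHA-256=<base64>` header, and all function names and `social.example` data are constructed for illustration.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit

def origin(url):
    """(scheme, host, port) of an absolute https id, else None."""
    if not isinstance(url, str):
        return None
    try:
        p = urlsplit(url)
        port = p.port or 443
    except ValueError:
        return None
    return ("https", p.hostname, port) if p.scheme == "https" and p.hostname else None

def digest_ok(body, header):
    """Check a 'SHA-256=<base64>' Digest header against the bytes received."""
    algo, _, value = (header or "").partition("=")
    if algo.strip().upper() != "SHA-256":
        return False
    want = base64.b64encode(hashlib.sha256(body).digest())
    return hmac.compare_digest(want, value.strip().encode())

def check_inbound(body, digest_header, signer_actor):
    """Return (decision, detail). signer_actor is the actor id owning the key
    that verified the HTTP signature (verification itself is assumed done)."""
    if not digest_ok(body, digest_header):
        return ("reject", "body does not match Digest header")
    try:
        act = json.loads(body)
    except ValueError:
        return ("reject", "body is not JSON")
    if not isinstance(act, dict):
        return ("reject", "activity is not an object")
    actor = act.get("actor")
    actor = actor.get("id") if isinstance(actor, dict) else actor
    if actor != signer_actor:
        return ("reject", "actor is not the signer")
    if origin(actor) is None or origin(act.get("id")) != origin(actor):
        return ("reject", "activity id is not on the actor's origin")
    obj = act.get("object")
    obj_id = obj.get("id") if isinstance(obj, dict) else obj
    if isinstance(obj, dict) and origin(obj_id) == origin(actor):
        return ("cache", obj_id)    # embedded copy is vouched for by its own origin
    return ("refetch", obj_id)      # never cache the embedded copy; fetch obj_id itself

def constructed_sample(obj_id):
    """Constructed Create activity and matching Digest header (not real traffic)."""
    body = json.dumps({"id": "https://social.example/activities/1", "type": "Create",
                       "actor": "https://social.example/users/alice",
                       "object": {"id": obj_id, "type": "Note", "content": "hi"}}).encode()
    return body, "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()
```

The `refetch` outcome is the cache-poisoning guard: an embedded object that claims an `id` on another server is stored only after being retrieved from that server.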
10 months ago
jwf@cybervillains.com
@evan @jwf @naturzukunft apropos of nothing, I am a fairly good proof-reader, and quite knowledgeable about ActivityPub.