I'm working my way through the Mastodon HTTP signatures explanation. My current understanding:

  • I want as much traffic signed as possible
  • One has a chicken-and-egg problem, because one needs to expose a public key to make requests as the server, for example in order to fetch the public key of parties making requests.
  • Where do I put this public key? I'm currently leaning towards doing something similar to Mastodon with its actor "actor". This would mean that I create an account "bovine" that represents the server.
  • Does anybody have any comments?

    @helge I may not understand the question, but I haven't needed signed requests to fetch public keys of remote actors. I just use webfinger and then fetch the actor profile with the public key. In any case, creating an account for the instance actor sounds reasonable to me. Mastodon has a pseudo-account for "actor" although it can't be queried with webfinger like a regular account (AFAICT).
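Taking the two posts together (the instance actor that publishes the server's key, and the unsigned fetch of a remote actor's key in the reply), here is an added example, not code from either poster or from Mastodon: a Python sketch of the instance actor document and of signing and verifying a request in the draft-cavage style that Mastodon accepts. The domain bovine.example, the key id, the dates and the request body are constructed; the RSA step assumes the `cryptography` package is installed, everything else is standard library.

```python
"""Added example: instance-actor key document plus draft-cavage style HTTP
signature helpers. Domains, names, dates and bodies are constructed."""
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Hypothetical server identity; the server signs as this actor (cf. Mastodon's /actor).
INSTANCE = "https://bovine.example"
ACTOR_ID = f"{INSTANCE}/actor"
KEY_ID = f"{ACTOR_ID}#main-key"


def instance_actor_document(public_key_pem: str) -> dict:
    """Served unsigned at ACTOR_ID so peers can fetch the key anonymously;
    that unauthenticated GET is what breaks the chicken-and-egg loop."""
    return {
        "@context": ["https://www.w3.org/ns/activitystreams",
                     "https://w3id.org/security/v1"],
        "id": ACTOR_ID,
        "type": "Application",
        "preferredUsername": "bovine",
        "inbox": f"{ACTOR_ID}/inbox",
        "publicKey": {"id": KEY_ID, "owner": ACTOR_ID, "publicKeyPem": public_key_pem},
    }


def digest_header(body: bytes) -> str:
    """Digest header value that binds the signature to a POST body."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method: str, path: str, headers: dict, signed: list) -> str:
    """Canonical string: '(request-target)' is the lowercased method plus path;
    every other entry is 'lowercased-name: value', in the order of `signed`."""
    lc = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in signed:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {lc[name]}")
    return "\n".join(lines)


def parse_signature_header(value: str) -> dict:
    """Split 'keyId="...",algorithm="...",headers="...",signature="..."' into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))


def sign_request(private_key, method, path, headers, body=b""):
    """Sender side: RSA-SHA256 with PKCS#1 v1.5 padding via `cryptography` (assumed)."""
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    headers = {k.lower(): v for k, v in headers.items()}
    signed = ["(request-target)", "host", "date"]
    if body:
        headers["digest"] = digest_header(body)
        signed.append("digest")
    sig = private_key.sign(signing_string(method, path, headers, signed).encode(),
                           padding.PKCS1v15(), hashes.SHA256())
    headers["signature"] = (f'keyId="{KEY_ID}",algorithm="rsa-sha256",'
                            f'headers="{" ".join(signed)}",'
                            f'signature="{base64.b64encode(sig).decode()}"')
    return headers


def verify_request(public_key, method, path, headers, body=b"", max_age=timedelta(hours=12)):
    """Receiver side: returns the keyId on success, None on any failure. A real
    server dereferences keyId (unsigned GET) to obtain `public_key` first."""
    headers = {k.lower(): v for k, v in headers.items()}
    parsed = parse_signature_header(headers.get("signature", ""))
    signed = parsed.get("headers", "").split()
    # The sender chooses which headers it signed, so insist on the ones that matter.
    if any(h not in signed for h in ("(request-target)", "host", "date")):
        return None
    if body and ("digest" not in signed or headers.get("digest") != digest_header(body)):
        return None
    # Reject stale signatures to narrow the replay window, as Mastodon does.
    if abs(datetime.now(timezone.utc) - parsedate_to_datetime(headers["date"])) > max_age:
        return None
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    try:
        public_key.verify(base64.b64decode(parsed["signature"]),
                          signing_string(method, path, headers, signed).encode(),
                          padding.PKCS1v15(), hashes.SHA256())
    except (InvalidSignature, KeyError, ValueError):
        return None
    return parsed["keyId"]


if __name__ == "__main__":
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.public_key().public_bytes(serialization.Encoding.PEM,
                                        serialization.PublicFormat.SubjectPublicKeyInfo).decode()
    print(instance_actor_document(pem)["publicKey"]["id"])
    body = b'{"type":"Follow"}'  # constructed payload
    hdrs = sign_request(key, "POST", "/users/alice/inbox", {"Host": "remote.example",
                        "Date": format_datetime(datetime.now(timezone.utc), usegmt=True)}, body)
    print(verify_request(key.public_key(), "POST", "/users/alice/inbox", hdrs, body))
    print(verify_request(key.public_key(), "POST", "/users/alice/inbox", hdrs, b"tampered"))
```

The receiver never trusts the `headers` list in the Signature header on its own: it requires the request target, Host and Date to be covered, checks the Digest against the actual body, and bounds the Date before doing any RSA work, so a replayed or body-swapped request fails cheaply.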