NodeBB-ActivityPub Bridge Test Instance

silverpill1:

... only location of a key matters. This is specified in FEP-fe34, and I just published a more detailed explanation of how it all works:

After rereading that FEP, I think I understand better why we have different perspectives on this topic. First, "web origin" is not the same as the AP "same origin policy" described in the non-normativeAP authz/authn primer. These two kinds of "origins" are not computed with the "same algorithm" as claimed by the FEP (or at least it appears to me that this is the claim, it's not completely clear). In this thread, it seems to me that you are using "origin" in the "web origin" sense. If not, please clarify what you mean.

The other issue is that the FEP doesn't appear to be consistent with the W3C SocialCG group report on HTTP Signatures. This document describes an algorithm for verifying an actor/key relationship that does not depend on (or require) either the same web origin for actors and keys or the AP same origin policy. The AP "same origin policy" appears to be described in an authorization policy context rather than for HTTP signature authentication.

The inconsistency I see is that the FEP requires "embedded" objects to have same web (?) origin as the containing object. Keys may or may not be embedded as part of the serialized actor graph. They may only be referenced by URI (even Mastodon supports it), but if they happen to be embedded in the actor graph serialization, I know of no good reason to apply the FEP origin-related constraints to the URIs.

What's important for verifying the actor/key relationship is the mutual references between the actor publicKey and the key's owner (or controller) property. The key itself could be served from a different web origin than the actor document. Furthermore, there's no guarantee that removing the key's URI fragment, if any, will lead to successfully verifying the actor/key relationship, even if the relationship is valid. For example:

key URI: https://keyserver.example/bob/keychain#B54F15A0actor URI: https://server.example/bob

As long as, the document retrieved from https://server.example/bob has a publicKey property referring to the key URI and the key object has an owner or controller property referring to the actor URI, it's a valid relationship.

In other words, removing or ignoring the key URI fragment will not generally work. In this example, dereferencing the key URI might result in a key chain object with several public keys having different fragment identifiers. Even more conventional AP actor documents might have multiple public keys with different fragment identifiers (mentioned in the SocialCG report). Ignoring key URI fragments will not work in this case either.

I don’t see how same web origin makes this secure again one actor signing an activity for another actor at the same origin (scheme, hostname, port). However, I agree that the workaround/hack for this bug is to strip the fragment, if any, and check if the result is the same as the actor URI specified in the activity.

scott:

Search engines would not see them.

This doesn't seem to be true.

The content of Julian's post at https://socialhub.activitypub.rocks/t/hi-julian-i-wonder-how-search-engines-and-seo-will/4135/12?u=stevebate is indexed with both socialhub and nodebb URLs.

Google SERP screenshot:

Hi @devnull . I haven't been following the forum topic federation discussions very closely, so this may be a silly question. Are forum topics going to be fully federated or just replicated (which is not quite the same thing, even for 2-way sync)? For example, if in the future there are 1000's of NodeBB instances running and there's a topic X, is it possible that the posts for that topic could be coming from multiple NodeBB instances (or other instance implementations)? If so, a topic-level canonical link will not work. Google currently indexes individual Mastodon posts (at least some of them, not sure about all of them). The AP Note identifier is the canonical URL in this case. (Google also indexes actor profiles in some cases, but that's a different discussion. ) FWIW, this is the canonical link I see for this topic: I'm guessing the canonical link you quoted is on the NodeBB side? Since these are different canonical links, I'd expect that Google will consider these (SocialHub and NodeBB topics) to be different web resources with mostly replicated content.