Edent (@Edent@mastodon.social),

Once again doing battle with http signatures.

They work when I POST, but fail to be validated when I GET.

I'm sure there's a simple explanation...

Edent (@Edent@mastodon.social),

So, if I've got this right about HTTP Signatures.

➡ You send me a request.
🔍 I check the digest matches the contents.
📆 I check the date is roughly correct.
⬅ I request your public key.
🖊 That requires me to sign a request with my private key.
🔑 I get your public key.
🕵 I validate your request by checking the signature matches the entire request - including digest.

But…! When I request your public key, you have to validate my public key. Which leads us into a loop?

goalexandre,

@Edent if you're the server receiving a request you won't validate the client certificate unless you require a client certificate. If that's the case, the client is supposed to send its client key with the request.

Edent (@Edent@mastodon.social),

@goalexandre I might be misunderstanding, but when Mastodon uses Authorised Fetch - that requires the server to validate all requests. Including for profile information.

There's no point sending the public key with the request though, is there? You need to be able to validate it separately.

goalexandre,

@Edent the http signature that the client sends will include everything (own certificate, intermediate certificates, root certificate, validity dates, signatures, etc). The server will check that information and trust it only if the Certificate Authorities that issued the whole chain of the client certificate are trusted by the server. The server won't need to perform an additional request to validate or trust the client certificate, it already has what it needs to trust a client certificate.

Edent (@Edent@mastodon.social),

@goalexandre Ah, I think we're talking at cross purposes. I'm talking about https://www.rfc-editor.org/rfc/rfc9421.html

goalexandre,

@Edent There's an old mastodon issue that kinda explains (and fixed) that behavior: https://github.com/mastodon/mastodon/issues/12375
I also found the following video to be somewhat useful to understand the whole process: https://www.youtube.com/watch?v=QdUZaYeQblY

goalexandre,

@Edent You're right, I was not talking about http message signatures, but TLS server certificates validation/trust. By reading the link you sent, it looks like the validation process is explained in "3.2. Verifying a Signature, Paragraph 5.". From that link, the validation information would be either pre-configured in the server or included in the signature. If the details are included, the server collects that material without performing signature validation and even authentication.

Edent (@Edent@mastodon.social), (edited)

Even more HTTP Message Signature weirdness.

My server receives a lot of "Delete" requests from servers.

Those requests are signed.

I try to validate the signature but… the user is deleted!

So I try to retrieve the user's Public Key at, for example, https://nrw.social/@Faxy.json#main-key but get an error.

I suppose an HTTP 410 is a pretty good indication that the user has been deleted. And I might have previously cached the key. But it does feel a little bit pointless.

j3j5 (@j3j5@hachyderm.io),

@Edent it's astonishing the amount of DELETE requests mastodon sends around. I don't have exact numbers but it's almost certainly the nr 1 request I receive from the other servers by far.

Edent (@Edent@mastodon.social),

@j3j5 yeah, dozens of MB from servers I've never heard of.

j3j5 (@j3j5@hachyderm.io),

@Edent yeah, exactly! I started getting the requests the first week of going live and most of the servers I've never heard of (much less interacted with). Where did they even get my domain from?? Haha, the magic of federation I guess

FenTiger (@FenTiger@mastodon.social),

@Edent Are you including "Digest" in the list of signed headers?

You should for a POST, but shouldn't for a GET, which doesn't have a Digest.

I found this out the hard way... ;)

Edent (@Edent@mastodon.social),

@FenTiger ooooh! That might be it!

Edent (@Edent@mastodon.social),

@FenTiger and the (request-target): is probably get rather than post?

FenTiger (@FenTiger@mastodon.social),

@Edent Yes.

Edent (@Edent@mastodon.social),

@FenTiger you star! Thanks 🙂
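A worked version of the verification flow Edent lists earlier in the thread and of FenTiger's point about Digest and (request-target), as an added example that is not code from the thread or from Mastodon. Assumptions: the actor key URL https://example.org/users/alice#main-key, the hostnames and the Delete body are constructed; `key_lookup` is an in-memory dict standing in for the signed fetch of the actor document (or a cache of it, which is what still lets a Delete verify once the actor has gone 410); and the rsa-sha256 primitive is a toy textbook RSASSA-PKCS1-v1_5 so the file runs on the standard library alone.

```python
# Added example, not code from the thread or from Mastodon: sign and verify
# draft-cavage HTTP Signatures (the scheme ActivityPub servers use) for GET and
# POST. Stdlib only, so rsa-sha256 is a toy textbook RSASSA-PKCS1-v1_5 here.
import base64, hashlib, hmac, random
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256

def _is_probable_prime(n, rounds=16):  # Miller-Rabin on odd n > 3 (toy grade)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if _is_probable_prime(c):
            return c

def generate_keypair(bits=1024):  # toy key pair ((n, e), (n, d)), random each run
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        try:
            return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))
        except ValueError:  # e not invertible mod phi: draw again
            pass

def _pkcs1_v15_encode(message, k):
    t = _DIGESTINFO_SHA256 + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha256_sign(priv, message):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_v15_encode(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_sha256_verify(pub, message, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return len(sig) == k and hmac.compare_digest(em, _pkcs1_v15_encode(message, k))

def body_digest(body):
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def signing_string(method, path, headers, names):
    """One 'name: value' line per covered header, in the order the Signature header lists them.
    (request-target) is the lowercased method plus path, so it differs between GET and POST."""
    return "\n".join(f"(request-target): {method.lower()} {path}" if n == "(request-target)"
                     else f"{n}: {headers[n]}" for n in names)  # KeyError if a covered header is absent

def sign_request(priv, key_id, method, path, host, body=None, now=None):
    """Headers to send. Digest is added and covered only when there is a body, never for a GET."""
    headers = {"host": host, "date": format_datetime(now or datetime.now(timezone.utc), usegmt=True)}
    names = ["(request-target)", "host", "date"]
    if body is not None:
        headers["digest"] = body_digest(body)
        names.append("digest")
    sig = base64.b64encode(rsa_sha256_sign(priv, signing_string(method, path, headers, names).encode())).decode()
    headers["signature"] = f'keyId="{key_id}",algorithm="rsa-sha256",headers="{" ".join(names)}",signature="{sig}"'
    return headers

def parse_signature(value):
    return {k.strip(): v.strip('"') for k, _, v in (p.partition("=") for p in value.split(","))}

def verify_request(key_lookup, method, path, headers, body=b"", now=None, max_skew=timedelta(minutes=5)):
    """(ok, reason). key_lookup(keyId) stands in for fetching the actor's key, or reading it from cache."""
    h = {k.lower(): v for k, v in headers.items()}
    params = parse_signature(h.get("signature", ""))
    names = params.get("headers", "date").split()
    for required in ("(request-target)", "host", "date"):
        if required not in names:
            return False, f"{required} not covered by signature"
    if method.upper() == "POST" and "digest" not in names:
        return False, "POST body not covered by a signed Digest"
    if "digest" in names and not hmac.compare_digest(h.get("digest", "").encode(), body_digest(body).encode()):
        return False, "Digest does not match body"
    try:
        sent = parsedate_to_datetime(h["date"])
    except (KeyError, TypeError, ValueError):
        return False, "missing or unparsable Date"
    sent = sent if sent.tzinfo else sent.replace(tzinfo=timezone.utc)
    if abs((now or datetime.now(timezone.utc)) - sent) > max_skew:
        return False, "Date outside allowed clock skew"
    pub = key_lookup(params.get("keyId"))
    if pub is None:
        return False, "public key unavailable (actor deleted, HTTP 410, nothing cached)"
    try:
        message = signing_string(method, path, h, names).encode()
        sig = base64.b64decode(params.get("signature", ""), validate=True)
    except (KeyError, ValueError) as exc:
        return False, f"cannot rebuild signing string: {exc!r}"
    return (True, "ok") if rsa_sha256_verify(pub, message, sig) else (False, "signature does not verify")
```

The verifier rebuilds the signing string from the `headers` list the client sent, so a GET whose list names `digest` fails at the Digest step, and verifying the same headers against a different method or path changes the `(request-target)` line and the signature no longer matches. In production replace the toy RSA with your crypto library's RSA-SHA256 PKCS#1 v1.5 and pick a skew window that matches what peer servers tolerate.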

dominik (@dominik@nona.social),

@Edent webfinger has to be application/jrd+json and all the other json replies have to be application/activity+json

Edent (@Edent@mastodon.social),

@dominik thanks, that's helpful.
I'm able to sign messages when I post. But using the same code to get a user's profile is failing.
I'll have a look through your code.
