I’m trying to better understand ActivityPub, and I understand that there’s a signature to avoid forgeries of known accounts.

However, I’m having trouble understanding what prevents a malicious actor from sending a private spam message supposedly from a never-before-seen account name with a valid generated key pair, but for a domain they’ve never bought, since there is no DNS lookup or test.

Thank you!

  • Wander@yiffit.net (OP) · 1 year ago

    Ah, that makes sense. The server tries to retrieve the actor object from the actual url and would notice a discrepancy. That makes sense and is an easy way to implement validations.

    I was wondering if I could ask you something else related to ActivityPub, since you seem knowledgeable in the matter. I’ve been going over these all day and haven’t been able to find a good answer:

    1. My understanding is that a create activity doesn’t need to have the content itself in the message since JSON-LD exposes the permanent uri in the id property and the receiving server can then make a subsequent request for the content.

    Is there a consensus on which approach is better and what would happen if the content field in a note is different from the content that would be fetched by a url?

    2. I’ve seen that groups are implemented by doing announces. In theory announces could be private based on the view permissions of the original activity. Does that mean that we could potentially have private Lemmy communities at some point?

    In that regard, I was wondering if it’s possible for an organization or group type actor to forward the activity not with announces but by simply delivering the content to the user’s inbox in a transparent manner, similar to an email distribution list.

    Thank you <3
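The validation the reply describes, dereferencing the `keyId` URL and noticing a discrepancy, as an added example that is not part of the thread and not Lemmy's or Mastodon's code. It models the inbox side of HTTP Signatures: the receiving server resolves `keyId` to the actor document, rejects the request when nothing is served there (the case of a domain the sender never registered, where the fetch simply fails), checks that the fetched actor, its `publicKey.owner` and the activity's `actor` all agree, verifies the `Digest` header against the body, and only then verifies the RSA signature over the signing string. `FAKE_WEB`, `fetch_actor`, `validate_inbound`, `build_request` and the `verify_rsa` callback are all assumptions made for this example; the actor documents are constructed, and the RSA-SHA256 check itself is delegated to `verify_rsa` so the example runs without a crypto library.

```python
"""Inbound ActivityPub request validation: resolve the signing key, check that
the key, the actor and the activity agree, then verify the signature.
Added example (not a Lemmy/Mastodon implementation); names are assumptions."""
import base64
import hashlib
import json
from datetime import timedelta
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed stand-in for documents a real server would fetch over HTTPS
# (with Accept: application/activity+json, caching and content-type checks).
FAKE_WEB = {
    "https://social.example/users/alice": {
        "id": "https://social.example/users/alice",
        "type": "Person",
        "inbox": "https://social.example/users/alice/inbox",
        "publicKey": {
            "id": "https://social.example/users/alice#main-key",
            "owner": "https://social.example/users/alice",
            "publicKeyPem": "-----BEGIN PUBLIC KEY-----\n(constructed)\n-----END PUBLIC KEY-----",
        },
    },
}


def fetch_actor(url):
    """Dereference an actor URL (fragment dropped). Returns None when the host
    or document does not exist, which is what a never-registered domain yields."""
    return FAKE_WEB.get(url.split("#", 1)[0])


def parse_signature_header(value):
    """Parse 'keyId="...",headers="...",signature="..."' into a dict."""
    params = {}
    for part in value.split(","):
        name, _, val = part.strip().partition("=")
        params[name] = val.strip('"')
    return params


def signing_string(method, path, hdrs, signed_headers):
    """Rebuild the string the sender signed (draft-cavage HTTP Signatures)."""
    lines = []
    for name in signed_headers.split():
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {hdrs[name]}")
    return "\n".join(lines)


def origin(url):
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


def validate_inbound(method, path, headers, body, verify_rsa, now=None):
    """Return (accepted, reason). verify_rsa(pem, message, sig) -> bool is the
    only step delegated to a crypto library (RSA PKCS#1 v1.5 with SHA-256)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "signature" not in hdrs:
        return False, "unsigned"
    sig = parse_signature_header(hdrs["signature"])
    key_id = sig.get("keyId", "")
    if origin(key_id)[0] != "https":
        return False, "keyId must be an https URL"
    if now is not None:  # replay window; 'now' must be timezone-aware
        try:
            sent = parsedate_to_datetime(hdrs["date"])
            if abs(now - sent) > timedelta(hours=12):
                return False, "stale date"
        except (KeyError, TypeError, ValueError):
            return False, "missing or malformed date"
    # Digest binds the signature to the body the server actually received.
    expected = "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()
    if hdrs.get("digest") != expected:
        return False, "digest mismatch"
    activity = json.loads(body)
    actor_url = activity.get("actor")
    if not actor_url or origin(actor_url) != origin(key_id):
        return False, "actor and keyId on different origins"
    actor = fetch_actor(key_id)  # fails for a domain nobody hosts
    if actor is None:
        return False, "could not dereference keyId"
    key = actor.get("publicKey", {})
    if actor.get("id") != actor_url or key.get("id") != key_id or key.get("owner") != actor_url:
        return False, "fetched actor disagrees with the request"
    signed = sig.get("headers", "date")
    if "(request-target)" not in signed or "digest" not in signed or "date" not in signed:
        return False, "signature must cover request target, date and digest"
    try:
        sig_bytes = base64.b64decode(sig.get("signature", ""), validate=True)
    except ValueError:
        return False, "bad signature encoding"
    msg = signing_string(method, path, hdrs, signed).encode()
    if not verify_rsa(key.get("publicKeyPem", ""), msg, sig_bytes):
        return False, "bad signature"
    return True, "ok"


def build_request(actor_url, key_id, activity):
    """Constructed inbound POST; the signature value is a placeholder because
    the RSA step is delegated to verify_rsa."""
    body = json.dumps(activity).encode()
    digest = "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()
    headers = {
        "Host": "lemmy.example",
        "Date": "Tue, 05 Mar 2024 12:00:00 GMT",
        "Digest": digest,
        "Signature": (f'keyId="{key_id}",algorithm="rsa-sha256",'
                      'headers="(request-target) host date digest",'
                      'signature="' + base64.b64encode(b"placeholder").decode() + '"'),
    }
    return "POST", "/inbox", headers, body


if __name__ == "__main__":
    alice = "https://social.example/users/alice"
    mallory = "https://never-registered.example/users/mallory"
    ok = lambda pem, msg, sig: True  # stands in for the RSA check
    print(validate_inbound(*build_request(alice, alice + "#main-key", {"actor": alice}), ok))
    print(validate_inbound(*build_request(mallory, mallory + "#main-key", {"actor": mallory}), ok))
```

The order matters: origin agreement and the actor fetch run before any expensive signature work, so a message claiming an account on an unregistered domain is dropped at the fetch step no matter how valid its self-generated key pair is, and the fetched actor document (not the request) is the source of the public key that is ultimately checked.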