Updating FEP-fe34: Origin-based security model:

https://codeberg.org/fediverse/fep/pulls/589

There is a new section titled "Assumptions":

- Servers MUST NOT store invalid objects received from clients.
- Servers MUST NOT allow clients to create objects representing public keys.
- Servers MUST NOT share secret keys with clients.

These are true for most existing ActivityPub servers, but a hypothetical general-purpose server might allow clients to store arbitrary data. In that case the origin-based security model stops working.

Incidentally, this is exactly what I was trying to build - a general-purpose FEP-ae97 server. It seems that such a server needs to have strict validation rules, and therefore can't really support all possible activities.

#fep_fe34
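
One way a server could enforce the second assumption in the list above (no client-created public key objects), shown as an added example that is not part of the original post or of FEP-fe34. The key type names, key property names and the `server.example` origin are assumptions chosen for illustration.

```python
# Added example. Type and property names below are assumptions drawn from
# common ActivityPub key representations, not a list defined on this page.
KEY_TYPES = {"Key", "CryptographicKey", "Multikey"}
KEY_PROPERTIES = {"publicKey", "publicKeyPem", "publicKeyMultibase",
                  "assertionMethod", "authentication"}


def _types(node):
    value = node.get("type", [])
    values = value if isinstance(value, list) else [value]
    return {t for t in values if isinstance(t, str)}


def find_key_material(node, path="$"):
    """Return paths where a client-submitted document carries key material."""
    hits = []
    if isinstance(node, dict):
        if _types(node) & KEY_TYPES:
            hits.append(path)
        for name, value in node.items():
            child = f"{path}.{name}"
            if name in KEY_PROPERTIES:
                hits.append(child)
            hits.extend(find_key_material(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_key_material(item, f"{path}[{i}]"))
    return hits


def accept_client_object(doc):
    """Gate for client submissions: (accepted, offending paths)."""
    hits = list(dict.fromkeys(find_key_material(doc)))  # de-duplicate, keep order
    return (not hits, hits)


# Constructed sample submissions (server.example is a placeholder origin).
NOTE = {"type": "Create", "actor": "https://server.example/users/alice",
        "object": {"type": "Note", "content": "hello"}}
NOTE_WITH_KEY = {"type": "Create", "actor": "https://server.example/users/alice",
                 "object": {"type": "Note", "content": "hello", "attachment": [
                     {"type": "Multikey",
                      "controller": "https://server.example/users/bob",
                      "publicKeyMultibase": "zCONSTRUCTED-PLACEHOLDER"}]}}

if __name__ == "__main__":
    for name, doc in (("note", NOTE), ("note+key", NOTE_WITH_KEY)):
        print(name, accept_client_object(doc))
```

The check matches plain property and type names only, so a server that accepts arbitrary JSON-LD contexts from clients would need to run it on the expanded form of the document.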
