FEP-ae97 security audit: https://codeberg.org/fediverse/fep/pulls/595
I added a new section, "Security considerations", and a new requirement: compatible identifiers of server-generated keys MUST have the server's origin. Here's how that looks in practice:
This FEP update goes together with two others:
- FEP-2277: ActivityPub core types - The VerificationMethod class has the highest priority now, because servers must be able to identify a verification method even if it has other class-defining properties (e.g. href).
- FEP-fe34: Origin-based security model - clarifying the base assumptions of the model