Comment on What happens to the content if an Lemmy instance shuts down?
irelephant@lemmy.dbzer0.com 1 week agoWhile they could put up weird images, they can’t change posts without everyones private keys.
Comment on What happens to the content if an Lemmy instance shuts down?
irelephant@lemmy.dbzer0.com 1 week agoWhile they could put up weird images, they can’t change posts without everyones private keys.
skullgiver@popplesburger.hilciferous.nl 4 days ago
I don’t see why not. Based on the spec, a server submits a request signed by a keyId which the receiving server caches or obtains, but the new server is also queried for the keys belonging to the actor. You cannot reuse the old key IDs (probably) because it’ll stay in the cache, but you can just add new keys of your own.
Step 10 of the key verification algorithm explicitly instruct the server to ignore the old key and fetch a new one, in case the other server has done a blind key rotation.
In other words, the ActivityPub spec only verifies that an account was the source of a message at the time a server submitted or forwarded an event. It does not validate that an
Updatewith new text contents belongs to the same server that onceCreated the object.Of course, I expect ActivitiyPub software to (mis)implement this spec in different ways. Some software will be protected against domain hijacking, others will leave domains once registered completely useless in the future for common actor names in ActivityPub.
irelephant@lemmy.dbzer0.com 4 days ago
I was misremembering something here, mastodon always keeps old keys iirc, but lemmy caches them temporarily iirc.