https://socialhub.activitypub.rocks/t/potential-security-vulnerability-remote-json-ld-contexts-may-be-used-to-bypass-restrictions-when-arbitrary-objects-are-allowed-to-be-created/5439
In that thread, 3 related problems were identified:
- Objects that don't appear as public keys may be processed as such by JSON-LD consumers. The FEP currently warns about this, but doesn't suggest a solution. This problem also arises in other situations where duck typing is used (FEP-2277).
- Is it enough for a key to be served at origin, or should it be also linked to an actor? In origin-based security model, being served at origin is enough for any object to be considered authentic. However, additional restrictions might be added (e.g. related to authorization).
- What policy should be used during signature verification: same-origin or same-owner? The FEP recommends same-origin (as the NOTE in section "Signatures" says, same-origin is simpler), but same-owner is also applicable and might be preferable if there is a requirement to check key ownership .
https://socialhub.activitypub.rocks/t/potential-security-vulnerability-remote-json-ld-contexts-may-be-used-to-bypass-restrictions-when-arbitrary-objects-are-allowed-to-be-created/5439
In that thread, 3 related problems were identified:
- **Objects that don't appear as public keys may be processed as such by JSON-LD consumers**. The FEP currently warns about this, but doesn't suggest a solution. This problem also arises in other situations where duck typing is used ([FEP-2277](https://codeberg.org/silverpill/feps/src/commit/6754e99b91f862202b18725b9478b42f5665556e/2277/fep-2277.md)).
- **Is it enough for a key to be served at origin, or should it be also linked to an actor?** In origin-based security model, being served at origin is enough for any object to be considered authentic. However, additional restrictions might be added (e.g. related to authorization).
- **What policy should be used during signature verification: same-origin or same-owner?** The FEP recommends same-origin (as the NOTE in section "Signatures" says, same-origin is simpler), but same-owner is also applicable and might be preferable if there is a requirement to check key ownership .