@Gargron Hey Eugen, am trying to understand HTTP Signatures better for my own AP server implementation.

I have two questions:

1.) How is the private key used to verify incoming request signatures stored on the Actor's server receiving the signed request? Is it just a file at a well-known location on the server, or is there some additional layer?

2.) I assume the private key is never shared with 3rd party clients acting for an actor, and only the backend does the verification?

Thanks a lot!

@Gargron Makes sense. Say a 3rd party client acting on behalf of an Actor wants to POST to someone's inbox and this message needs to be signed with the sending Actor's private key. The private key is never transmitted to the 3rd party client, right? It just sends a request to the backend Mastodon API server, and the server, which has access to the private key, generates the Signature header using the private key, which is then verified by the target server using the sending Actor's publicKey?
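The flow asked about above, written out as an added example in Ruby (the language Mastodon is written in). This is illustrative code, not the thread's or Mastodon's own implementation: the backend holds the actor's RSA private key, builds the HTTP Signatures signing string over `(request-target)`, `host`, `date` and `digest`, and emits the `Signature` header; the receiving server verifies it with the sender's public key, checks the body digest, and rejects stale dates. The key ID URL, host, inbox path and the one-hour freshness window are constructed for this example.

```ruby
require 'openssl'
require 'base64'
require 'digest'
require 'time'

# Key pair generated here for the example. In practice the private key stays on the
# backend; only the public key is published on the actor document under the keyId.
ACTOR_KEY = OpenSSL::PKey::RSA.new(2048)
KEY_ID = 'https://example.test/users/alice#main-key' # constructed placeholder

# Canonical signing string: one "name: value" line per covered header, in the
# order listed in the Signature header's `headers` parameter.
def build_signing_string(method, path, headers, header_names)
  header_names.map do |name|
    if name == '(request-target)'
      "(request-target): #{method.downcase} #{path}"
    else
      "#{name}: #{headers[name]}"
    end
  end.join("\n")
end

def body_digest(body)
  "SHA-256=#{Base64.strict_encode64(Digest::SHA256.digest(body))}"
end

# Backend side: the server that holds the private key signs the outgoing POST.
def sign_request(private_key, key_id, method, path, host, body)
  headers = { 'host' => host, 'date' => Time.now.httpdate, 'digest' => body_digest(body) }
  header_names = ['(request-target)', 'host', 'date', 'digest']
  signing_string = build_signing_string(method, path, headers, header_names)
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_string)
  headers['signature'] = [
    %(keyId="#{key_id}"),
    'algorithm="rsa-sha256"',
    %(headers="#{header_names.join(' ')}"),
    %(signature="#{Base64.strict_encode64(signature)}")
  ].join(',')
  headers
end

def parse_signature_header(value)
  value.split(',').each_with_object({}) do |pair, acc|
    k, v = pair.split('=', 2)
    acc[k] = v.delete_prefix('"').delete_suffix('"')
  end
end

# Receiving side: verify with the public key fetched for the keyId. Returns true
# only if the digest matches the body, the date is fresh, and the signature checks.
def verify_request(public_key, method, path, headers, body, max_age = 3600)
  params = parse_signature_header(headers['signature'].to_s)
  return false unless params['algorithm'] == 'rsa-sha256'
  header_names = params['headers'].to_s.split(' ')
  return false unless header_names.include?('digest') && header_names.include?('date')
  return false unless headers['digest'] == body_digest(body)
  return false if (Time.now - Time.httpdate(headers['date'])).abs > max_age
  signing_string = build_signing_string(method, path, headers, header_names)
  public_key.verify(OpenSSL::Digest.new('SHA256'),
                    Base64.strict_decode64(params['signature']), signing_string)
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end

if __FILE__ == $0
  body = '{"type":"Create"}' # constructed activity body
  headers = sign_request(ACTOR_KEY, KEY_ID, 'POST', '/users/bob/inbox', 'remote.test', body)
  puts headers['signature']
  puts verify_request(ACTOR_KEY.public_key, 'POST', '/users/bob/inbox', headers, body)
end
```

The receiving server never needs the sender's private key: it resolves the `keyId` to the actor's public key and recomputes the same signing string. Altering the body, the inbox path or the key all cause verification to fail.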

Matej Lach's mastodon