Change OStatus URI in Webfinger "rel" property (pointing to squatted domain)

On the fediverse a discussion came up about WebFinger requests returning a URL-formatted URI, where the URL points to a domain that is taken over by some casino game website.

The URI can be seen in the Webfinger example on Mastodon docs:

{
  "rel": "http://ostatus.org/schema/1.0/subscribe",
  "template": "https://mastodon.social/authorize_interaction?uri={uri}"
}

Though a URI need not be a dereferencable URL and the “rel” property does not indicate a URL, it is not unreasonable to expect developers from trying the link to see if useful information can found there, regarding the specification.

Entering on a squatted domain and potentially malicious site give a very bad impression. If we want to avoid this, an improvement might be, either:

  1. Use a non-URL formatted indicator i.e. a URN
  2. Use a URL at a stable location, that ideally yields documentation (@macgirvin uses purl.org and w3id.org is another option)

Apart from that is the question if OStatus should still be used, or it can be entirely deprecated and replaced by an AS/AP equivalent (I have no opinion on this, and don’t know about compatibility issues this may give).

In any case, if there’s willingness to change, then a FEP can address it.

2 Likes

I’m building a fedi client and I’ve definitely attempted a few times to go to that URL thinking it would lead to the specification.

Outside of the fact that Mastodon’s documentation tends to fall out of date, Mastodon’s usage was the first time I’ve heard of OStatus. So it initially gave me the impression that the specification wasn’t a serious one.

1 Like

What is AS/AP? Would that involve just updating Mastodon’s documentation to use that instead?

I was thinking an ActivityPub/ActivityStreams way could either be just a different URL or URN with a terminology that is more representative of familiar terms we use.

Or, alternatively, but that would be way beyond the scope of this topic… I have heard people mention that we should not rely on Webfinger and do something more conforming to AS/AP mechanics. Though I don’t know what they have in mind, as haven’t seen that part of prior discussions.

1 Like

There are also often references to ostatus.org within the context header of activitypub posts. Those too should be changed, since referring to that domain no longer makes sense.

2 Likes

The thing is that the referenced property has now been extended in undocumented ways to follow content as well as actors. I’d vote to start fresh so we don’t have to keep explaining the complete history including the recent changes to every new fedi developer and also because I’m not certain you can even find the original specification outside archive.org.

2 Likes

Yeah it was pretty difficult to find the true specification site. I did a search on “ostatus spec” and was directed to the following site:

Is it correct?

There was a much more complete technical doc site at one time. That document is kind of a summary. For instance the subscribe link is only described by

The user's XRD document MAY have an additional link template with Rel equal to http://ostatus.org/schema/1.0/subscribe to indicate the endpoint to use for initiating a subscription on the user's subscription server. The template should take a single argument, uri, for the account to subscribe to.

Which is not really a specification but more just a high level description.

Hmm does anybody know where the official specification is then?