Clarification re: Inbox Forwarding

I'm confused about a particular aspect of Inbox Forwarding as detailed in the ActivityPub spec:

... the server needs to forward these to recipients that the origin was unable to deliver them to. To do this, the server MUST target and deliver to the values of to, cc, and/or audience...

... The server MUST only target the values of to, cc, and/or audience on the original object being forwarded, and not pick up any new addressees whilst recursing through the linked objects (in case these addressees were purposefully amended by or via the client).

Emphasis mine.

My reading suggests that only the values of to, cc, and audience on the referenced object should be used, and not those values on the activity itself.

But doing so would preclude the use of Inbox Forwarding in scenarios where the Activity wrapper contains additional addressees that the underlying object does not have.

e.g. A Note by A contains a single addressee: as:Public. It is then Announced by B and C. Later, A updates the Note, and their server sends out Update(Note) with the following addressees: as:Public, B, B/followers, C, C/followers, but the object referenced still contains a single addressee: as:Public.

In that case, when received by B and C, should they forward the activity to their followers?

the “object being forwarded” in this case is the activity. the language is indeed ambiguous. it should say “the original activity being forwarded”. the goal of the language there is to prevent new recipients from being picked up during the recursive processing of other metadata fields – for example, you may institute a policy that incoming activities to be forwarded must be relevant to some local object, and so you check inReplyTo, etc. but you MUST NOT add inReplyTo.attributedTo if they were initially omitted from delivery addressing. you must only check that they are a local user (or whatever your check is).

EDIT: Relevance check for inbox forwarding mistakenly refers to "object being forwarded" instead of "activity being forwarded" · Issue #441 · w3c/activitypub · GitHub

2 Likes

Thank you! That makes sense to me.

If the activity is the thing being forwarded, then an additional complication could arise in that I cannot simply re-sign the activity, as my instance key does not belong to the originating actor.

At least in NodeBB we do a cross-check to make sure the signer's key belongs to the activity actor...

this is indeed an issue that arises due to the following:

  • ActivityPub does not specify any authentication/verification mechanism
  • HTTP Signatures, which the current fediverse uses, are not replayable or relayable.

If you’re concluding that this makes inbox forwarding impossible with HTTP Signatures, then congratulations, you understand why LD Signatures ended up being used for this (and why FEP-8b32 proposes using Data Integrity Proofs at the LD level as well). It’s either that, or find a way to replay entire HTTP messages (so that the HTTP Signature can be validated against the original HTTP interaction). Or otherwise rethink the fundamentals of the fediverse’s entire security model.

2 Likes

Nathan Fillion Speechless GIF

1 Like

@julian
@trwnh
Mbin handles inbox forwarding like this: if the signature does not match, but the url in the id field is from the same domain as a receiver in the to , cc or audience field, we consider it a forwarded message and fetch the original activity from the url in the id field

1 Like