Update: #289 - FEP-521a: Update proposal - fediverse/fep - Codeberg.org
Adding this paragraph:
Actor object MUST be used as a controller document, as described in section 2.3 Controller Documents of Data Integrity specification.
This is merely a clarification, and doesn’t require changing existing implementations.
In other news, Hubzilla now supports FEP-521a
Update: #324 - FEP-521a: Update proposal - fediverse/fep - Codeberg.org
Clarifying how invalid items in assertionMethod array should be processed, adding @fedify to implementations.
Just as an FYI, the other representation is what’s standard in OAuth WG at IETF, and is how did:jwk encodes keys-- this later provides [backwards-compatible] interop with most contemporary (and older-but-still-supported) OIDC middleware, so MAY be useful for people down the road that are trying to implement AP on top of existing software with lots of users that use OIDC for everything (i.e. Log In With Google buttons).
But base58btc can be implemented in a few lines and is probably what I would pick until people start asking for the other. We can always write an extension-FEP making this multi-key-expression later, of course!
This FEP has been updated: #482 - FEP-521a: Update proposal - fediverse/fep - Codeberg.org
Controlled Identifiers is a W3C Recommendation now: Controlled Identifiers v1.0
I’ve made several minor changes in #603 - FEP-521a: Update proposal - fediverse/fep - Codeberg.org, and I think it is done. Please submit your final comments!
Different public keys of the same actor MUST be identified using different fragment IDs.
This statement could be confusing in scenarios where fragment key IDs are not being used. For example, an actor could have multiple public keys where none of them use fragment ids or they might use a mix of fragment and non-fragment ids. The statement implies all keys MUST have a fragment id which isn’t consistent with the SHOULD recommendation for using fragment key ids in the previous sentence.
I think it would also be useful to provide a rationale for strongly recommending that the key id is based on the actor URI with a fragment. I understand this is the common pattern in the Mastoverse, but there are valid scenarios where this is not desirable (external key storage, for example).
Is there a recommended method for adding a PGP public key to an actor?
@stevebate What do you think about the following text:
Identifiers SHOULD be generated by appending a fragment identifier to the actor ID. That allows consumers to retrieve a public key and an associated actor object with a single HTTP request. If keys are identified using fragment identifiers, each key MUST have a unique fragment identifier.
Is it better?
It depends on the purpose of a key:
PropertyValue attachment, or a FEP-fb2a metadata entry.@stevebate I added the text we discussed to the FEP several days ago: #605 - FEP-521a: Rephrase recommendations for constructing key IDs - fediverse/fep - Codeberg.org
Adding new requirements today: #606 - FEP-521a: Update proposal - fediverse/fep - Codeberg.org
Key identifiers MUST be absolute URIs. Controlled Identifiers specification requires identifiers to be URLs, but ActivityPub requires URIs, and I think it is more authoritative in this case. Also opened a related issue in w3c/activitypub: Add RFC-3986 to Normative references · Issue #504 · w3c/activitypub · GitHubAn actor MAY have no associated public keys.@bashrc I opened an issue about registering a codec for PGP public keys: PGP public keys · Issue #381 · multiformats/multicodec · GitHub