How does an AP client read an activity that is an inbox item?

If I understand the Security - Mastodon documentation correctly, then an activity from Mastodon can only be read with an HTTP Signature (when secure mode is enabled!).
However, the actor's privateKey is best known only to the server and not to the client. So a client cannot read an activity from Mastodon without the server? Correct?

So an AP server must provide an endpoint to read “foreign” activities/objects, right?

The same probably applies to objects. So even if the server delivers the inbox with inline activities, the objects in the activities may not be included, unless the server delivers the inbox with a depth of 3. But it is possible that an object of an activity references another object, i.e. at level 4. At some point inlining is over as well. So the problem remains even with inlining.

Feedback welcome

Are you asking about something like the proxyUrl defined in ActivityPub?

proxyUrl
Endpoint URI so this actor’s clients may access remote ActivityStreams objects which require authentication to access. To use this endpoint, the client posts an x-www-form-urlencoded id parameter with the value being the id of the requested ActivityStreams object. [reference]

2 Likes
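The proxyUrl flow quoted above, as an added example written for this thread (it is not Mastodon's code and not taken from the spec): a Ruby sketch, using only the standard library's OpenSSL, of what a server does behind its proxyUrl endpoint. The client POSTs `id=<object URL>` as application/x-www-form-urlencoded; the server parses it, signs an HTTP GET for that object with the actor's server-held private key in the HTTP Signatures style that secure mode expects, and the remote side's verification is included so the whole exchange runs offline. The actor key id, the remote object URL, the exact signed header set `(request-target) host date accept`, the 12-hour Date freshness window and the injected `fetch` lambda are assumptions made for this example.

```ruby
require 'openssl'
require 'base64'
require 'time'
require 'uri'

# Constructed key pair for the local actor. On a real server this is the
# actor's private key, held by the server and never handed to a client.
ACTOR_KEY_ID = 'https://example.social/users/alice#main-key' # assumed key id
ACTOR_KEY    = OpenSSL::PKey::RSA.new(2048)

# Header set assumed for a signed GET (Mastodon-style; assumption).
SIGNED_HEADERS = %w[(request-target) host date accept].freeze
MAX_DATE_SKEW  = 12 * 3600 # seconds; assumed freshness window

# Rebuild the string both sides sign/verify: one "name: value" line per
# signed header, with (request-target) expanded to "method path".
def signing_string(method, uri, headers)
  SIGNED_HEADERS.map do |name|
    if name == '(request-target)'
      "(request-target): #{method.downcase} #{uri.request_uri}"
    else
      "#{name}: #{headers[name]}"
    end
  end.join("\n")
end

# Server side: produce the headers for a GET signed with the actor's key.
def signed_get_headers(uri, key = ACTOR_KEY, key_id = ACTOR_KEY_ID, now = Time.now)
  headers = {
    'host'   => uri.host,
    'date'   => now.utc.httpdate,
    'accept' => 'application/activity+json'
  }
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_string('GET', uri, headers))
  headers['signature'] = [
    "keyId=\"#{key_id}\"",
    'algorithm="rsa-sha256"',
    "headers=\"#{SIGNED_HEADERS.join(' ')}\"",
    "signature=\"#{Base64.strict_encode64(sig)}\""
  ].join(',')
  headers
end

# Remote side (secure mode): parse the Signature header, reject stale Dates,
# rebuild the signing string and verify it against the actor's public key.
def verify_signed_get(uri, headers, public_key)
  params = headers['signature'].to_s.scan(/(\w+)="([^"]*)"/).to_h
  return false unless params['algorithm'] == 'rsa-sha256'
  return false unless params['headers'].to_s.split(' ') == SIGNED_HEADERS
  return false if (Time.now - Time.httpdate(headers['date'])).abs > MAX_DATE_SKEW
  public_key.verify(OpenSSL::Digest.new('SHA256'),
                    Base64.strict_decode64(params['signature'].to_s),
                    signing_string('GET', uri, headers))
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end

# proxyUrl handler: the client POSTs "id=<object url>" form-encoded; the
# server validates it and fetches the object with a signature the client
# could not produce itself. `fetch` is injected so this runs offline.
def proxy_url_handler(form_body, fetch:)
  id = URI.decode_www_form(form_body.to_s).to_h['id']
  return [400, 'missing id'] if id.nil? || id.empty?
  uri = URI.parse(id)
  return [400, 'id must be an https URL'] unless uri.is_a?(URI::HTTPS)
  fetch.call(uri, signed_get_headers(uri))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed remote object URL; the fake fetcher plays the remote server.
  remote_check = ->(u, h) { [200, verify_signed_get(u, h, ACTOR_KEY.public_key) ? 'verified' : 'rejected'] }
  p proxy_url_handler('id=https%3A%2F%2Fremote.example%2Fusers%2Fbob%2Fstatuses%2F1', fetch: remote_check)
end
```

The point to take from the split is that the client only ever sends the object id; every signing operation happens with a key that stays on the server, which is exactly why a standalone client cannot read a secure-mode instance's objects directly.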

Sounds like what I mean 🙂 Do AP instances provide this endpoint?

It depends. Most AP servers don’t implement C2S.

If you’re talking about a conventional standalone client, then it would have to have access to at least one of the actor’s private keys. Mastodon doesn’t provide any way to do that, but that’s a design decision that Mastodon made, not something inherent to the AP spec. (For that matter, HTTP signatures as a federated authentication mechanism are also a Mastodon design decision, not a feature of the spec.)

There’s no technical reason that an AP server has to generate private keys for actors. It could allow or require them to provide their own, which they would then obviously be able to independently access. It could also allow them to retrieve their server-generated private keys, although that poses some security risks.

1 Like

Well, unfortunately, a server implementation is not successful without communication with Mastodon. Therefore, every server developer will probably have to bite the bullet.