Just drawing attention to this proposal and brainstorm thread on the fedi, that is getting elaborate:
My server (fedibird.com) seems to be having trouble fetching objects from enby.life, so I haven‘t read through the linked post. That said…
IIUC AT Protocol‘s PDS acts as a proxy for its users (maybe partly like AP‘s proxyUrl) by forwarding requests with a Bearer header with a JWT signed by the (custodial) private key of the user on behalf of whom the PDS is proxying the request.
I guess we could borrow the idea of using JWTs. Unlike HTTP Signatures, the JWT could be reused until its expiration (which, I assume, is the motivation behind the proposal to use Bearer tokens in the first place?).
As far as I can tell, there is no replay protection.
Yes, Bearers in general are susceptible to replay attacks. But I think the threat model here is similar to that of OAuth 2.0 bearer tokens: The replay attack allows escalation of privilege for an attacker who has compromised the confidentiality of the transport, but you can consider the confidentiality to be a fundamental security property that must be upheld anyway[1]. And to mitigate the risk of the extreme case of token leakage, you can (and should) adopt short expiration time (and maybe scope) for tokens.
While short token duration may imply limited cache efficiency, I expect even a token duration of a few minutes could be useful for e.g. batch requests for resolving a thread of posts.
Well, the ActivityPub spec doesn’t technically mandate confidential transport, but the hypothetical Bearer-for-AP spec could mandate it. ↩︎
1 Like
I think it is an interesting proposal.
Just remembered that something similar was described in FEP-db0e: Authentication mechanism for non-public groups
1 Like
Oh and also this thread: Would there be any interest in a "pre-authorized fetch" FEP?
Somebody needs to tie it all together…