Reply to @HolosSocial@mastodon.social
silverpill@silverpill@mitra.social (2026-06-07 06:32:23)
@HolosSocial @joergi @dansup Holos with custom domains provides similar benefits but there is an important difference. In classic ActivityPub, identity is tied to a domain name. Keys are supposed to be ephemeral, and HTTP signatures are merely an optimization that servers use to avoid fetching every received activity by its id. In FEP-ef61, identity is tied to a DID, while domains are supposed to be ephemeral. If did:key is used, that key becomes a permanent part of every id.
If you don't use FEP-ef61, a server can perform a MITM attack by serving a different actor document or a different key. FEP-ef61 protects against this (under the assumption that users control their identity keys).
The difference is subtle but it may matter a lot in some cases, such as when implementing E2EE.
---Reply---
silverpill@silverpill@mitra.social (2026-06-09 05:31:24)
@HolosSocial It should actually be relatively easy to implement client-side FEP-ef61 in Holos. If objects are served by the client, you don't need to implement a client-to-server API (which is the most difficult part).
@joergi