[half-kh-hacker]

HTTP signatures ensure that you can't send a message and spoof the user/instance that it's coming from. Think of it like DKIM for AP.

They commonly include the specific actor who is interacting with the network (via the instance), so we can also achieve correct-side enforcement of blocks.

[Timja]

With "actor" you mean "user"?

Every user has their own private key?

[easrng]

Sure an actor is basically a user, there's usually an "instance actor" though too that does some other things but I don't think having one is required. Every actor has a private key but it's kept on the server, it's basically an implementation detail.

[Timja]

Strange that users have private keys. Is that kinda forward-looking, so that at some point those keys could be moved to the users themselves? So they can keep their identity, even if the owner of their instance becomes malicious?

[oever]

The private key is used in HTTP Signatures for authentication. The signature does not cover the body of the http request and is not stored or published. The http post contains an http headers that signs just a few other header fields. The signature is only valid for a short time.

There is an example here: <https://blog.joinmastodon.org/2018/06/how-to-implement-a-bas...>

[half-kh-hacker]

no lol

[Timja]

Then why?