[closewith]

Yes, your caveat at the end there is exactly why this method shouldn't be trusted, as it's indistinguishable from an attacker with access to embed a single link.

So it doesn't confirm the account belongs to the author, it confirms the site has a specific link and nothing more.

[Ukv]

A regular link won't do, since it requires the rel="me" attribute, which is intended for this purpose: https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/...

Adding a <meta> tag or creating a page with certain content are already used even for more impactful verification, like getting issued a certificate for that domain.

If an attacker does have broad access to edit the HTML of your website, I feel that's already the issue and Mastodon verifying that "this person controls this website" isn't even really wrong.

[closewith]

So you have read that page and understand its purpose is to link social media profiles for informational purposes, but don't understand that it's not suitable for any kind of auth, let alone in a software supply chain?

[Ukv]

By the XFN spec, it "demonstrates that the same person has control over [the pages]". The docs page I linked links to two further specs for using it for authentication in the way that Mastodon does.

[closewith]

I'm sorry. The XHTML Friends Network rel tag is neither reliable identification nor authentication. It's designed to say "this is my blog" in low stakes environments.

No sane sober person would use it to authenticate messages about changing URLs in a software supply chain.

[nickv]

No, if somebody has access to edit your home page directly, your blog, your company site, etc - you've already lost the game.

How is this any different than your email address being compromised? How is this different than having your laptop compromised and somebody downloading your .ssh folder?

The issue here isn't "is this reliable identification" - because it IS reliable. Your concern is "how likely is this to be compromised vs other things" and that's a fair concern - but there are plenty of very secure web sites out there. This isn't saying "I am john doe and this is my identity", this is saying with some confidence "this person on mastadon is the same person as the person who wrote this web site copy" and that's a totally fine piece of identification for the right context.

[Ukv]

If an attacker has control over the page to edit arbitrary HTML, that chain is already compromised. Even if the attacker's exploit only allowed certain attributes, just the href and rel attributes needed for this protocol would already be enough to execute javascript and load stylesheets on that page.

This is in addition to the original site linking to the new one with a news post. Does that also mean nothing because an attacker could add a news post to the page?

[account42]

A meta tag won't get you a certificate, that's highly misleading.