Ryan Barrett
TODO: update https://www.w3.org/wiki/SocialCG/ActivityPub/Authentication_Authorization with these ^ practices?
I implemented these, log-only to start, and got some interesting results. First up: [AP inbox forwarding](https://www.w3.org/TR/activitypub/#inbox-forwarding) makes this tricky. For example, we got this `Create` of a reply by @[email protected]...
Interesting data point: we get a substantial number of inbox forwards, roughly 2 per min over the last 45m.
I made a first pass at writing some of this up: https://www.w3.org/wiki/SocialCG/ActivityPub/Authentication_Authorization#Authorization
Got the ok on that writeup! Next step is to review the logs and implement these checks. After that, ideally I should abstract them across protocols, since this applies to...
Current status: planning to implement LD Sig verification, but first I need to know how Mastodon canonicalizes the activity JSON before it signs it. Complete example activity from Mastodon with...
Aha, Claire says:

> this is defined in app/lib/activitypub/linked_data_signature.rb and app/helpers/jsonld_helper.rb (canonicalize)

[Code is](https://github.com/mastodon/mastodon/blob/c07028b2fae4dc692570df84227023ca90443288/app/helpers/jsonld_helper.rb#L76-L77):

```rb
graph = RDF::Graph.new
```
Finally getting back to looking at this. I'm now inclined to just skip LD Sigs for now and drop those activities instead of handling them. Need to look at a...
OK! Apart from inbox forwarding, one source of activities we're getting that don't pass authz is [Guppe Groups](https://a.gup.pe/). Looks like they similarly forward activities, with a new HTTP Sig from...
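The check discussed in this thread for the inbox-forwarding and Guppe cases, as an added example (not Bridgy Fed's, Mastodon's or Guppe's own code). It assumes the rule from the authorization writeup: an activity is trusted directly only when the HTTP Signature `keyId` is on the same origin as the activity's `actor`; any other signer (the forwarding server, a Guppe group, a relay) is treated as an untrusted copy, and the activity is re-fetched by its `id` from the actor's origin. The `fetch` function, the sample activities and the `mastodon.example` / `other.example` hosts are constructed for the example; a real implementation would do a signed HTTP GET here.

```python
from urllib.parse import urlsplit


def origin(url):
    """(scheme, host[:port]) of a URL, lowercased. Fragments such as
    '#main-key' on a keyId are ignored, as are paths."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def same_origin(a, b):
    return origin(a) == origin(b)


def actor_id(activity):
    """The actor as a string id; AP allows an embedded actor object."""
    actor = activity.get("actor")
    if isinstance(actor, dict):
        actor = actor.get("id")
    return actor if isinstance(actor, str) else None


def authorize(activity, key_id, fetch):
    """Decide whether an inbound activity may be processed.

    activity: the JSON delivered to our inbox (already parsed)
    key_id:   the keyId from the HTTP Signature that passed verification
    fetch:    callable url -> activity JSON or None (assumed to GET the
              URL from its own origin; replaced by a dict lookup below)

    Returns (status, activity_to_process). Only 'ok' and 'ok:refetched'
    mean the activity may be handled.
    """
    actor = actor_id(activity)
    if actor is None:
        return "reject:no-actor", None

    # Direct delivery: the actor's own server signed the request.
    if same_origin(actor, key_id):
        return "ok", activity

    # Anyone else signing (inbox forwarding per the AP spec, Guppe
    # groups, relays) could have altered the JSON. Never trust the
    # forwarded copy; go back to the actor's origin for the real thing.
    act_id = activity.get("id")
    if not isinstance(act_id, str):
        return "reject:forward-without-id", None
    if not same_origin(act_id, actor):
        # A forwarder claiming someone else's actor on its own id.
        return "reject:id-actor-origin-mismatch", None

    fetched = fetch(act_id)
    if fetched is None:
        return "reject:fetch-failed", None
    if fetched.get("id") != act_id or actor_id(fetched) != actor:
        return "reject:fetched-mismatch", None
    return "ok:refetched", fetched


# ---- constructed sample data ------------------------------------------
REPLY = {
    "@context": "https://www.w3.org/ns/activitystreams",
    "id": "https://mastodon.example/users/bob/statuses/1/activity",
    "type": "Create",
    "actor": "https://mastodon.example/users/bob",
    "object": {
        "id": "https://mastodon.example/users/bob/statuses/1",
        "type": "Note",
        "inReplyTo": "https://other.example/users/carol/statuses/9",
        "content": "reply text",
    },
}

# Same actor, but the id lives on the forwarder's own host: not Bob's.
SPOOFED = dict(REPLY, id="https://attacker.example/activities/1")

# Looks legitimate, but Bob's server does not actually serve this id.
UNSERVED = dict(REPLY, id="https://mastodon.example/users/bob/statuses/404/activity")

# Stand-in for fetching from the origin server: only REPLY really exists.
ORIGIN_STORE = {REPLY["id"]: REPLY}


def fake_fetch(url):
    return ORIGIN_STORE.get(url)


def run_cases():
    """Statuses for the delivery patterns seen in the thread."""
    return {
        "direct": authorize(REPLY, "https://mastodon.example/users/bob#main-key", fake_fetch)[0],
        "inbox-forward": authorize(REPLY, "https://other.example/users/carol#main-key", fake_fetch)[0],
        "guppe-group": authorize(REPLY, "https://a.gup.pe/u/somegroup#main-key", fake_fetch)[0],
        "spoofed": authorize(SPOOFED, "https://attacker.example/users/mallory#main-key", fake_fetch)[0],
        "unserved": authorize(UNSERVED, "https://other.example/users/carol#main-key", fake_fetch)[0],
    }


if __name__ == "__main__":
    for name, status in run_cases().items():
        print(f"{name:14} {status}")
```

Two things to note: the origin comparison is on `keyId`, not on the actor the key was fetched from, so the key must already have been verified to belong to an actor on that host before this runs; and a re-fetch is a hard failure if the origin is down, which is the cost of not trusting forwarded JSON without an LD Signature.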