MightyNetwork::Doc::JSON-LD-signatures
JSON-LD messages have to be signed with the actor’s key.
Please note that every MightyNetwork::Doc::ActivityPub::Activity is signed, just to be sure that the signature will be available in case we need it. This is not part of the MightyNetwork::Doc::ActivityPub standard, but it is a de facto standard.
Please note that this de facto standard's usage is decreasing: a lot of languages lack libraries to handle JSON-LD signatures. To ensure the origin of an activity, you can fetch the activity from its original server.
See https://w3c-dvcg.github.io/ld-signatures/.
The signatures are used to authenticate the origin of an activity:
If actor A sends a note and actor B announces it (i.e. shares it), actor C gets the boost.
C verifies the signature of the boost, to be sure that the boost really comes from B.
C fetches the note to display it and verifies its signature, to be sure that the note really comes from A.
Actor A deletes a note, B forwards that delete activity to C, who verifies the JSON-LD signature to be sure that A really wants to delete the note.
Extracts from https://medium.com/@johnrcallahan/linked-data-signatures-with-ruby-3fa4dbc8e1fb (archive.org link).
The process of signing a JSON-LD document includes:
resolving the context vocabularies (i.e., fetching them via their URLs in the @context)
normalizing (or sometimes called ‘canonicalizing’) the document
determining the signature value with a private key (using RSA or Ed25519)
embedding the signature JSON with the metadata and signature value (not part of the JSON-LD document)
Verifying a signed JSON-LD document includes:
extracting the signature block from the JSON-LD document (remove it as well)
normalizing (or sometimes called ‘canonicalizing’) the remaining JSON-LD document
verifying the signature value with the public key (using RSA or Ed25519)
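The signing and verification steps above, applied to the forwarded-delete case, as an added Ruby example (not MightyNetwork's code and not the quoted article's). Assumptions: sorted-key compact JSON stands in for real JSON-LD normalization, the RSA keys are generated per run, and the a.example URLs and the "ExampleRsaSha256" type label are constructed.

```ruby
require "json"
require "openssl"

# Stand-in for JSON-LD normalization (assumption): sort object keys recursively
# and emit compact JSON. Real LD signatures resolve @context and normalize the
# RDF dataset, which needs a JSON-LD library and network access.
def canonicalize(value)
  case value
  when Hash
    "{" + value.sort_by { |k, _| k }.map { |k, v| "#{k.to_json}:#{canonicalize(v)}" }.join(",") + "}"
  when Array then "[" + value.map { |v| canonicalize(v) }.join(",") + "]"
  else value.to_json
  end
end

# Sign: canonicalize the document without any signature block, sign, embed.
def sign_document(doc, private_key, creator)
  body = doc.reject { |k, _| k == "signature" }
  raw = private_key.sign(OpenSSL::Digest.new("SHA256"), canonicalize(body))
  body.merge("signature" => { "type" => "ExampleRsaSha256", # constructed label
                              "creator" => creator,
                              "signatureValue" => [raw].pack("m0") })
end

# Verify: extract and remove the signature block, canonicalize the rest, check.
def verify_document(doc, public_key)
  sig = doc["signature"]
  return false unless sig.is_a?(Hash) && sig["signatureValue"].is_a?(String)
  body = doc.reject { |k, _| k == "signature" }
  raw = sig["signatureValue"].unpack1("m0") # strict Base64, raises if malformed
  public_key.verify(OpenSSL::Digest.new("SHA256"), raw, canonicalize(body))
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end

# Constructed scenario from the page: A signs a Delete, B forwards it to C.
def demo
  key_a = OpenSSL::PKey::RSA.new(2048) # constructed keys, generated per run
  key_b = OpenSSL::PKey::RSA.new(2048)
  delete = { "@context" => "https://www.w3.org/ns/activitystreams", "type" => "Delete",
             "actor" => "https://a.example/actor", "object" => "https://a.example/notes/1" }
  signed = sign_document(delete, key_a, "https://a.example/actor#main-key")
  pub_a = key_a.public_key
  { forwarded_intact: verify_document(signed, pub_a),
    keys_reordered: verify_document(signed.to_a.reverse.to_h, pub_a),
    object_changed: verify_document(signed.merge("object" => "https://a.example/notes/2"), pub_a),
    signed_by_b: verify_document(sign_document(delete, key_b, "https://a.example/actor#main-key"), pub_a),
    signature_stripped: verify_document(delete, pub_a) }
end

p demo if $PROGRAM_NAME == __FILE__
```

Only the intact and key-reordered copies verify against A's public key; a changed object, a signature made with B's key, and a document without a signature block are all rejected.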
MightyNetwork::Doc, MightyNetwork::Doc::JSON-LD, MightyNetwork::Doc::ActivityPub::Activity, MightyNetwork::Doc::ActivityPub::Actor, https://w3c-dvcg.github.io/ld-signatures/