MightyNetwork::Doc::JSON-LD-signatures
JSON-LD messages have to be signed with the actor’s key.
Please note that every MightyNetwork::Doc::ActivityPub::Activity are signed, just to be sure that the signature will be available in case we need it. That is not something in MightyNetwork::Doc::ActivityPub standard but it’s a de facto standard.
Please note that this de facto standard’s usage is decreasing: a lot of languages lacks libraries to handle JSON-LD signatures. To ensure the origin of an activity, you can fetch the activity from its original server.
See https://w3c-dvcg.github.io/ld-signatures/.
The signatures are used to authenticate the origin of an activity:
If actor A send a note and actor B announce it (i.e. share it), actor C get the boost.
C verifies the signature of the boost, to be sure that the boost really comes from B.
C fetches the note to display it and verifies its signature, to be sure that the note really comes A.
Actor A deletes a note, B forwards that delete activity to C who verifies the JSON-LD signature to be sure that A really wants to delete the note.
Extracts from https://medium.com/@johnrcallahan/linked-data-signatures-with-ruby-3fa4dbc8e1fb (archive.org link).
The process of signing a JSON-LD document includes:
resolving the context vocabularies (i.e., fetching them via their URLs in the @context]
normalizing (or sometimes called ‘canonicalizing’) the document
determining the signature value with a private key (using RSA or Ed25519)
embedding the signature JSON with the metadata and signature value (not part of the JSON-LD document)
Verifying a signed JSON-LD document includes:
extracting the signature block from the JSON-LD document (remove it as well)
normalizing (or sometimes called ‘canonicalizing’) the remaining JSON-LD document
verifying the signature value with the public key (using RSA or Ed25519))
MightyNetwork::Doc, MightyNetwork::Doc::JSON-LD, MightyNetwork::Doc::ActivityPub::Activity, MightyNetwork::Doc::ActivityPub::Actor, https://w3c-dvcg.github.io/ld-signatures/