From 98c9f14bdb637e26266c2aac74945b9ffde62b22 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 7 Jul 2019 15:26:49 +0100 Subject: [PATCH] Change layout --- README.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 96007264..d06f6bab 100644 --- a/README.md +++ b/README.md 
@@ -123,7 +123,18 @@ When posts are subsequently sent from the following instance (server-to-server) Subsequently **Bob** could change the stored capabilities for **Alice** in their database, giving the new object a different id. This could be sent back to **Alice**, perhaps as another **follow Accept** activity with attached capabilities. This could then change the way in which **Alice** can interact with **Bob**, for example by adding or removing the ability to like or reply to posts. -If **Eve** subsequently learns what the capabilities id is for **Alice** by somehow intercepting the traffic (eg. suppose she works for *Eveflare*) then she can't gain the capabilities of Alice due to the *scope* parameter against which the actors of incoming posts are checked. **Eve** could create a post pretending to be from Alice's domain, but the http signature check would fail due to her not having Alice's keys. The only scenario in which Eve might triumph would be if she could also do DNS highjacking and if Bob isn't storing Alice's public key and looks it up repeatedly, or if Alice and Bob's instances are foolishly configured to perform *blind key rotation*. +## Object capabilities adversaries + +If **Eve** subsequently learns what the capabilities id is for **Alice** by somehow intercepting the traffic (eg. suppose she works for *Eveflare*) then she can't gain the capabilities of Alice due to the *scope* parameter against which the actors of incoming posts are checked. + +**Eve** could create a post pretending to be from Alice's domain, but the http signature check would fail due to her not having Alice's keys. 
+ +The only scenarios in which Eve might triumph would be if she could also do DNS highjacking and: + + * Bob isn't storing Alice's public key and looks it up repeatedly + * Alice and Bob's instances are foolishly configured to perform *blind key rotation* such that her being in the middle is indistinguishable from expected key changes + +Even if Eve has an account on Alice's instance this won't help her very much unless she can get write access to the database. ## Install
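
Review bot: The final added line, "Even if Eve has an account on Alice's instance this won't help her very much unless she can get write access to the database", is a new security claim rather than a layout change, and it does not say which check stops her. Please name the control that applies in that case (the *scope* check on the actor of incoming posts, or the HTTP signature check, both described in the earlier added paragraphs) and say what "very much" still leaves open, so a reader can verify the claim. The same applies to the extended second bullet, which adds "such that her being in the middle is indistinguishable from expected key changes": since neither addition is covered by the subject "Change layout", either mention them in the commit message or split them into a separate commit. While these lines are being rewritten, "DNS highjacking" should be "DNS hijacking".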