wait am i reading this right? is there really not any mechanism for activitypub s2s authentication?? what the fuck?!?
ohh ok nvm - it's not in the w3c core protocol doc https://www.w3.org/TR/activitypub/#security-considerations , but there is a more or less consensus mechanism in play https://www.w3.org/wiki/SocialCG/ActivityPub/Authentication_Authorization
@astrid oh did those actually get implemented? I remember being pretty annoyed that wasn't in the spec when it was being formalized.
@astraluma @astrid HTTP Message Signatures were not standardized when the spec was written, still are not standardized, and the current version being worked on by HTTPbis is different from the outdated version implemented by most fediverse apps
so like, it wasn't in the spec for a reason, it is still an area of active standardization work, but yes Mastodon and others do implement something
