On the social web fediverse, generally you post stuff to your homeserver, and if you ever edit stuff, it’s on your homeserver. But in my use case, it’s possible there’s a collaborative document on another server, and you’re granted permission to send edits to the document, and that other server needs to identify you, to know you’re the same person from earlier before it applies your edits.
Suppose a user joe on server A wishes to edit some resource on server B. Suppose server B grants them permission to do so. Now, server A shuts down, and a new server is launched on the same domain name, and it has a user joe but it’s a different person. Suppose this new joe wants again to edit a resource on server A. How does server B know that this joe is a different person despite having the same actor ID and a valid HTTP signature?
- Can the HTTP sig be treated as permanent? I.e. if the sig is invalid and we re-download the actor and it has a new key, do we assume it’s a different person? Do Mastodon, Pleroma, etc. do that, or do they just silently re-download the new key while the DB and UI otherwise treat it as the same user?
- If we don’t use HTTP sig for this:
  - Server keeps a permanent private key; if it changes, we assume a new instance launched and all users are assumed to possibly be new people, so we reject edit permission.
  - Same, except the server periodically generates a new key to avoid crypto-linking all the published stuff forever. Is that even possible, and does it help?
  - Server keeps a permanent private key separately for each user.
  - Same, except the private key is on the user’s laptop; they sign their POSTs and their home server just delivers the signature to other servers, so the private key remains in the user’s hands.
I’m wondering which one to choose! Any advice and insight highly appreciated
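As an added illustration of the "pin a key per user and revoke on change" option above (this is example code, not from the post or any fediverse server): server B records the actor's public key when it grants edit permission, and if a later re-fetch of the actor document presents a different key, it drops the grants rather than silently accepting the new key. HTTP-signature verification itself is assumed to happen before this check; the "PEM" strings and actor IDs are constructed placeholders.

```python
import hashlib
import sqlite3
from enum import Enum


class KeyStatus(Enum):
    PINNED = "pinned"        # first time this actor ID is seen: trust on first use
    UNCHANGED = "unchanged"  # fetched key matches the pin
    CHANGED = "changed"      # same actor ID, different key: possibly a new instance


def fingerprint(public_key_pem: str) -> str:
    # Strip all whitespace so a re-serialised copy of the same PEM matches.
    canonical = "".join(public_key_pem.split())
    return hashlib.sha256(canonical.encode()).hexdigest()


class ActorKeyPins:
    """Pin each remote actor ID to the key it presented when a grant was made."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            "CREATE TABLE pins (actor_id TEXT PRIMARY KEY, fp TEXT NOT NULL);"
            "CREATE TABLE grants (actor_id TEXT, resource TEXT,"
            "  PRIMARY KEY (actor_id, resource));"
        )

    def grant(self, actor_id: str, resource: str, public_key_pem: str) -> None:
        # The grant is bound to the key seen at grant time, not just the actor ID.
        self.db.execute("INSERT OR REPLACE INTO pins VALUES (?, ?)",
                        (actor_id, fingerprint(public_key_pem)))
        self.db.execute("INSERT OR IGNORE INTO grants VALUES (?, ?)", (actor_id, resource))
        self.db.commit()

    def check_key(self, actor_id: str, public_key_pem: str) -> KeyStatus:
        """Run after re-fetching the actor (e.g. because its signature stopped verifying)."""
        fp = fingerprint(public_key_pem)
        row = self.db.execute("SELECT fp FROM pins WHERE actor_id = ?", (actor_id,)).fetchone()
        if row is None:
            self.db.execute("INSERT INTO pins VALUES (?, ?)", (actor_id, fp))
            self.db.commit()
            return KeyStatus.PINNED
        if row[0] == fp:
            return KeyStatus.UNCHANGED
        # Key changed under the same actor ID: revoke every grant and the stale pin,
        # so the (possibly new) person must be granted permission again by a human.
        self.db.execute("DELETE FROM grants WHERE actor_id = ?", (actor_id,))
        self.db.execute("DELETE FROM pins WHERE actor_id = ?", (actor_id,))
        self.db.commit()
        return KeyStatus.CHANGED

    def may_edit(self, actor_id: str, resource: str) -> bool:
        row = self.db.execute("SELECT 1 FROM grants WHERE actor_id = ? AND resource = ?",
                              (actor_id, resource)).fetchone()
        return row is not None
```

This deliberately cannot tell a legitimate key rotation by the same person from a new instance on the old domain; the periodic-rotation variant in the list would need the old key to sign the announcement of the new one before the pin is updated.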