logo

litepub.social

Website of https://litepub.social/ git clone https://anongit.hacktivis.me/git/litepub.social.git/

lice.md (10720B)

    

  1. ---
  2. title: "Litepub Capability Enforcement (LiCE)"
  3. ---
  5. # Abstract
  7. Litepub Capability Enforcement (LiCE) is an extension to the [ActivityPub protocol][ap]
  8. which adds support for verifying and enforcing [object capabilities][wikipedia-ocap].
  10.    [ap]: https://www.w3.org/TR/activitypub
  11.    [wikipedia-ocap]: https://en.wikipedia.org/wiki/Object-capability_model
  14. # Overview
  16. LiCE provides two components that, when combined, define a security model based on the
  17. concept of object capabilities:
  19.  * **Proof objects**: Objects which have been created by an *actor* which *controls*
  20.    a given resource that delegate permissions related to that resource.
  22.  * **Capability URIs**: Well-known or private endpoint URIs which either grant
  23.    implicit permissions or return a proof object that permits delegation of permission
  24.    to perform a given action.
  27. ## Security Levels
  29. LiCE implementations make use of both components in different ways, depending on the
  30. configured security level:
  32.  * `disabled`: proof objects are neither verified nor generated upon request.
  33.  * `permissive`: proof objects are not verified, but will be generated upon request.
  34.  * `enforcing`: proof objects are verified and are also generated upon request.
  37. ### Why does LiCE have configurable security levels?
  39. *This section is non-normative.*
  41. LiCE has a configurable security level to allow for a transitional period, with the
  42. eventual goal that the entire ActivityPub network eventually adopts LiCE and defaults
  43. to running in an enforcing mode.  It is strongly recommended that a "flag day" be set
  44. where all implementations transition to having a default security level of
  45. `enforcing`.
  48. # The `capabilities` Object
  50. Objects that have been security labeled have a new `capabilities` object that specifies
  51. what capabilities are implicitly granted or require specific permissions.  Capabilities
  52. with implicit grants are defined using well-known URIs, such as `as:Public`.
  54. A basic object that has been labeled with a `capabilities` object looks like this:
  56. ```
  57. {
  58.   "@context": [
  59.     "https://www.w3.org/ns/activitystreams",
  60.     "https://litepub.social/litepub/lice-v0.0.1.jsonld"
  61.   ],
  62.   "capabilities": {
  63.     "reply": "https://example.social/caps/d4c4d96a-36d9-4df5-b9da-4b8c74e02567",
  64.     "like": "https://www.w3.org/ns/activitystreams#Public",
  65.     "announce": "https://example.social/caps/e379a28e-74ce-ed7a-928c-7c3a4b2158e4"
  66.   },
  67.   "id": "https://example.social/objects/d6cb8429-4d26-40fc-90ef-a100503afb73",
  68.   "type": "Note",
  69.   "content": "I'm really excited about the new capabilities feature!",
  70.   "attributedTo": "https://example.social/users/bob"
  71. }
  72. ```
  74. In this example, `Like` activities are allowed from the public, `Announce` and
  75. `Create.inReplyTo` activities require explicit authorization in the form of a
  76. proof object.
  79. ## Optional Specifiers
  81. A `capabilities` object at the minimum is an object which contains the names of
  82. capabilities but may also contain additional specifiers in the typical JSON-LD
  83. way:
  85. ```
  86. {
  87.   "@context": [
  88.     "https://www.w3.org/ns/activitystreams",
  89.     "https://litepub.social/litepub/lice-v0.0.1.jsonld"
  90.   ],
  91.   "capabilities": {
  92.     "reply": {
  93.       "id": "https://www.w3.org/ns/activitystreams#Public",
  94.       "expires": "2019-09-15T12:00:00Z"
  95.     },
  96.     "like": "https://www.w3.org/ns/activitystreams#Public",
  97.     "announce": "https://www.w3.org/ns/activitystreams#Public"
  98.   },
  99.   "id": "https://example.social/objects/d6cb8429-4d26-40fc-90ef-a100503afb73",
  100.   "type": "Note",
  101.   "content": "I'm really excited about the new capabilities feature!",
  102.   "attributedTo": "https://example.social/users/bob"
  103. }
  104. ```
  106. > *TODO*: document a list of possible specifiers here.  The `expires` specifier
  107. > is obvious, but there may be other specifiers worth examining.
  110. # Proof Objects
  112. When a URI is used for a capability that is not a well-known URI such as `as:Public`,
  113. then it is assumed to be an *authorization endpoint*.  Authorization endpoints
  114. behave similarly to *inboxes* but return either a *proof object* or a rejection object
  115. as a response.
  117. Proof objects MUST:
  119.  * be publicly accessible at the URI specified in their `id`
  120.  * of type `Accept`
  121.  * reference the allowed activity by either embedding it or referencing it by `id`
  123. An example proof object looks like this:
  125. ```
  126. {
  127.   "@context": [
  128.     "https://www.w3.org/ns/activitystreams",
  129.     "https://litepub.social/litepub/lice-v0.0.1.jsonld"
  130.   ],
  131.   "id": "https://example.social/proofs/fa43926a-63e5-4133-9c52-36d5fc6094fa",
  132.   "type": "Accept",
  133.   "actor": "https://example.social/users/bob",
  134.   "object": {
  135.     "id": "https://example.social/activities/12945622-9ea5-46f9-9005-41c5a2364f9c",
  136.     "type": "Like",
  137.     "object": "https://example.social/objects/d6cb8429-4d26-40fc-90ef-a100503afb73",
  138.     "actor": "https://example.social/users/alyssa",
  139.     "to": [
  140.       "https://example.social/users/alyssa/followers",
  141.       "https://example.social/users/bob"
  142.     ]
  143.   }
  144. }
  145. ```
  148. ### Attestation of Properties in the Referent Object
  150. An `attestations` object contains properties and values that must match the
  151. properties and values in the referent object.
  153. In the event that an `attestations` object is included, the `id` property
  154. MUST NOT be present.
  156. When verifying proof objects that contain an `attestations` object, the verifier
  157. MUST ensure that the object being authorized against the proof has the same
  158. properties as present in the proof object.  In the event that the proof object's
  159. child fragments and the referent object disagree, the verifier MUST fail the
  160. verification.
  162. An example proof object with an `attestations` object:
  164. ```
  165. {
  166.   "@context": [
  167.     "https://www.w3.org/ns/activitystreams",
  168.     "https://litepub.social/litepub/lice-v0.0.1.jsonld"
  169.   ],
  170.   "id": "https://example.social/proofs/fa43926a-63e5-4133-9c52-36d5fc6094fa",
  171.   "type": "Accept",
  172.   "actor": "https://example.social/users/bob",
  173.   "object": {
  174.     "id": "https://example.social/activities/12945622-9ea5-46f9-9005-41c5a2364f9c",
  175.     "type": "Like",
  176.     "object": "https://example.social/objects/d6cb8429-4d26-40fc-90ef-a100503afb73",
  177.     "actor": "https://example.social/users/alyssa",
  178.     "to": [
  179.       "https://example.social/users/alyssa/followers",
  180.       "https://example.social/users/bob"
  181.     ]
  182.   }
  183.   "attestations": {
  184.     "type": "Like",
  185.     "object": "https://example.social/objects/d6cb8429-4d26-40fc-90ef-a100503afb73",
  186.     "to": [
  187.       "https://example.social/users/alyssa/followers",
  188.       "https://example.social/users/bob"
  189.     ]
  190.   }
  191. }
  192. ```
  195. ## Invocation
  197. When a proof object is required in order to prove an activity is authorized, it MUST be
  198. attached as the `proof` field, either by embedding the object or referencing it by URI.
  199. This is known as a capability invocation.
  201. An example invocation where the proof object is embedded:
  203. ```
  204. {
  205.   "@context": [
  206.     "https://www.w3.org/ns/activitystreams",
  207.     "https://litepub.social/litepub/lice-v0.0.1.jsonld"
  208.   ],
  209.   "id": "https://example.social/activities/12945622-9ea5-46f9-9005-41c5a2364f9c",
  210.   "type": "Like",
  211.   "object": "https://example.social/objects/d6cb8429-4d26-40fc-90ef-a100503afb73",
  212.   "actor": "https://example.social/users/alyssa",
  213.   "to": [
  214.     "https://example.social/users/alyssa/followers",
  215.     "https://example.social/users/bob"
  216.   ],
  217.   "proof": {
  218.     "id": "https://example.social/proofs/fa43926a-63e5-4133-9c52-36d5fc6094fa",
  219.     "type": "Accept",
  220.     "actor": "https://example.social/users/bob",
  221.     "object": {
  222.       "id": "https://example.social/activities/12945622-9ea5-46f9-9005-41c5a2364f9c",
  223.       "type": "Like",
  224.       "object": "https://example.social/objects/d6cb8429-4d26-40fc-90ef-a100503afb73",
  225.       "actor": "https://example.social/users/alyssa",
  226.       "to": [
  227.         "https://example.social/users/alyssa/followers",
  228.         "https://example.social/users/bob"
  229.       ]
  230.     }
  231.   }
  232. }
  233. ```
  235. An example where the proof object is referenced:
  237. ```
  238. {
  239.   "@context": [
  240.     "https://www.w3.org/ns/activitystreams",
  241.     "https://litepub.social/litepub/lice-v0.0.1.jsonld"
  242.   ],
  243.   "id": "https://example.social/activities/12945622-9ea5-46f9-9005-41c5a2364f9c",
  244.   "type": "Like",
  245.   "object": "https://example.social/objects/d6cb8429-4d26-40fc-90ef-a100503afb73",
  246.   "actor": "https://example.social/users/alyssa",
  247.   "to": [
  248.     "https://example.social/users/alyssa/followers",
  249.     "https://example.social/users/bob"
  250.   ],
  251.   "proof": "https://example.social/proofs/fa43926a-63e5-4133-9c52-36d5fc6094fa"
  252. }
  253. ```
  256. ## Verification
  258. Proof objects SHOULD be verified before accepting any activity which references one.
  259. The default way to do this is to fetch the proof object at the given URI and verify
  260. that there is a cyclical relationship between the accepted activity and the activity
  261. which references the proof.
  263. An optional way of verifying a proof would be to use [Linked Data Signature][lds].
  264. If it is possible to verify the proof using a cryptographic signature, then refetching
  265. the proof object is not necessary.  All implementations MUST support fallback to
  266. fetching the proof object if a valid signature is not present.
  268.    [lds]: https://w3c-dvcg.github.io/ld-signatures/
  271. ### Verifying Attestations
  273. *This section is non-normative.*
  275. Implementations MUST check that properties in the `attestations` object match
  276. properties in the referent object.  In most cases, this is done by doing a
  277. literal comparison.
  279. When comparing sets (JSON arrays), an implementation SHOULD iterate over the
  280. values in the attested property and verify set membership in the referent
  281. property for every value.  As an optimization, an implementation MAY normalize
  282. a copy of both properties and match that the sequence is identical.
  285. # Security Considerations
  287. *This section is non-normative.*
  290. ## Recursive Object Fetching Denial of Service
  292. A malicious proof object could reference itself, either directly or indirectly.
  294. Implementations SHOULD limit the depth to which they fetch referenced activities and
  295. proof objects.  A valid activity will never have a recursive loop, so the depth limit
  296. can be very low.
  299. ## Proof Object/Child Object Swapping
  301. A malicious server could swap the authorized object with a newer version that contains
  302. content that was not authorized by the granting server.
  304. Implementations SHOULD include key properties of the child object when generating a
  305. proof object, such as `content`, `name`, `summary` and `attachment`.
  308. ## Fake Direction Spoofing
  310. A malicious server could present a proof object using a third-party domain or third-party
  311. actor.
  313. Implementations SHOULD verify that the proof object is created by the same actor which
  314. created the content being interacted with.
  316. Implementations SHOULD verify that the proof object is at the same domain as the object
  317. being interacted with.