Just a random thought experiment. Let’s say I have my account on a lemmy instance: userA@mylemmy.com. One day I decide to stop paying for the domain and move to userA@mynewlemmy.com, and someone else gains it and also starts up a lemmy instance.

If they make their own userA@mylemmy.com, how do federated instances distinguish who’s who?

Have I misunderstood the role of domain names in this?

  • fubo@lemmy.world
    1 year ago

    I’ve only read the ActivityPub spec; I haven’t read the Lemmy code.

    With that in mind, my impression is —

    The new domain owner — if they set up an ActivityPub server instance (e.g. a Lemmy) and got a list of the old user’s post URLs — might be able to delete or edit the old user’s posts stored on other instances. That is a vulnerability, albeit a small one.

    If the old user was still listed as a moderator of communities hosted on other instances, the new domain owner might be able to take over that moderator role.

    One way to fix this would be for instances to issue a public-key cryptographic identity to each user, and distribute users’ public keys to other instances. Then activities purporting to be from that user would need to be signed by that user’s private key.

    Users’ private keys would stay local to their home instance, so users don’t have to do any key management themselves.

    This would mean that if an instance goes away (and its key material is destroyed) then nobody can ever act as any of those users again. A new user created with the same username and domain would be a distinct user for all other instances too.
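
The per-user key scheme proposed in the comment above, as an added Go example (not part of the thread, and not Lemmy's or ActivityPub's own code). It assumes the receiving instance learns a user's key by pinning the first one it sees and rejects later activities signed with a different key; the type names, function names and message layout are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Activity is a simplified signed message (constructed fields, not the ActivityPub wire format).
type Activity struct {
	Actor, Body string
	Key         ed25519.PublicKey // key the sending instance presents for Actor
	Sig         []byte
}
var ErrBadSignature = errors.New("signature does not verify")
var ErrKeyChanged = errors.New("key differs from the one pinned for this actor")

// Home models a home instance: it holds the private keys, users never handle them.
type Home struct{ keys map[string]ed25519.PrivateKey }
func NewHome() *Home { return &Home{map[string]ed25519.PrivateKey{}} }

// Sign creates the user's key on first use, then signs actor and body together.
func (h *Home) Sign(actor, body string) Activity {
	if _, ok := h.keys[actor]; !ok {
		_, h.keys[actor], _ = ed25519.GenerateKey(nil) // nil selects crypto/rand
	}
	sig := ed25519.Sign(h.keys[actor], []byte(actor+"\n"+body))
	return Activity{actor, body, h.keys[actor].Public().(ed25519.PublicKey), sig}
}

// Receiver models another instance that pins the first key it sees per actor (assumption).
type Receiver struct{ pinned map[string]ed25519.PublicKey }
func NewReceiver() *Receiver { return &Receiver{map[string]ed25519.PublicKey{}} }

// Accept checks the signature, then requires the actor's pinned key to match.
func (r *Receiver) Accept(a Activity) error {
	if len(a.Key) != ed25519.PublicKeySize || !ed25519.Verify(a.Key, []byte(a.Actor+"\n"+a.Body), a.Sig) {
		return ErrBadSignature
	}
	if old, ok := r.pinned[a.Actor]; ok && !bytes.Equal(old, a.Key) {
		return ErrKeyChanged
	}
	r.pinned[a.Actor] = a.Key
	return nil
}

func main() {
	oldHome, newOwner, rx := NewHome(), NewHome(), NewReceiver() // newOwner: same domain, fresh keys
	fmt.Println(rx.Accept(oldHome.Sign("userA@mylemmy.com", "Create post/1")))
	fmt.Println(rx.Accept(newOwner.Sign("userA@mylemmy.com", "Delete post/1")))
}
```

Once the old instance's private key is destroyed, nobody can produce an activity that passes `Accept` for the pinned `userA@mylemmy.com`, which is the property the comment describes.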

    • 𝘋𝘪𝘳𝘬@lemmy.ml
      1 year ago

      > That is a vulnerability, albeit a small one.

      “Small one” is very wrong here. This is by far the largest gaping security hole in the whole specification.