Okay, I need a reality check about how defederation works:
Say, Instance A defederates from Instance C, but there is an Instance B that federates with both.
Can people with accounts on B boost toots from people on A into timelines of people on C?
Can this happen the other way: toots from C boosted by B into A's timelines?
I thought that you could pass around activities signed by their actors (I recall a mechanism called Linked Data Signatures, but now, when trying to look it up, I ended up in a maze of specs, all different: its spec was apparently subsumed by https://w3c.github.io/vc-data-integrity/, which uses some terminology that's confusing for me at first glance). Do I recall correctly that one could do that in principle in APub? Do you know if any server does that?
@robryk @ilja @rysiek To my knowledge as of 2019, Mastodon has implemented support for LDsigs as well as HTTPsigs (ephemeral signatures, fetching from origin required), while Pleroma (and thus probably Akkoma) only implement HTTPsigs.
One way of preventing post verification for blocked instances despite signed object announces would be preventing the blocked instance from retrieving the user key. But keys are public properties of a user profile right now.
->
@robryk @ilja @rysiek
We probably need to face that there's no such thing as "almost-public posts".
The only thing we can achieve is preventing interaction below our post – at least on our own instance and on the ones of our followers, as we won't relay these replies to all our followers as is done otherwise.
Note that some other instance could forward a reply to an instance of your follower. (You can't avoid that without giving instances of your followers an oracle for querying your blocklist.)
I would dearly like to see more ActivityPub clients as opposed to Mastodon clients, and with the current sad state of proxy fetching, anything not publicly fetchable is hard to observe for such clients. (Sure, they'd need the rest of c2s implemented to actually write something, but read-only ones are already pretty useful.) Thus I'd really like us not to do mostly-ineffective public-except-for-blocks posts, because they're not public enough for such clients to see them but also don't help that much against the original problem.
@ilja @rysiek
It seems that microblog.pub does generate ldsigs for public activities when sending them out: https://git.sr.ht/~tsileo/microblog.pub/tree/v2/item/app/outgoing_activities.py#L222 (but apparently only when pushing, not when someone requests activities from it).