From 29f28701fdd54cc6c73725a116ad33e7eb615efa Mon Sep 17 00:00:00 2001
From: alemi <me@alemi.dev>
Date: Tue, 16 Apr 2024 18:05:15 +0200
Subject: [PATCH] docs: explained security and fetching and privacy

---
 README.md | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 29cf838..69da3f8 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # μpub
 > micro social network, federated
 
-μpub aims to be a fast, lightweight and secure [ActivityPub](https://www.w3.org/TR/activitypub/) server
+μpub aims to be a private, lightweight, modular and **secure** [ActivityPub](https://www.w3.org/TR/activitypub/) server
 
 μpub is currently being developed and can do most basic things, like posting notes, liking things, following others, deliveries and browsing
 
@@ -11,6 +11,22 @@ a test instance is _usually_ available at [feditest.alemi.dev](https://feditest.
 
 upub's stock frontend is also being developed and can be viewed _usually_ at [feditest.alemi.dev/web](https://feditest.alemi.dev/web)
 
+## about security
+most activitypub implementations don't really validate fetches: knowing an activity/object id will allow anyone to resolve it on most fedi software. this is of course unacceptable: "security through obscurity" just doesn't work
+
+μpub correctly and rigorously implements and enforces access control on each object based on its addressing
+
+most instances will have "authorized fetch" which kind of makes the issue less bad, but anyone can host an actor, have any server download their pubkey and then start fetching
+
+μpub may be considered to have "authorized fetch" permanently on, except it depends on each post:
+ * all posts marked public (meaning, addressed to "https://www.w3.org/ns/activitystreams#Public"), will be fetchable without any authorization
+ * all posts not public will require explicit addressing and authentication: for example if post A is addressed to example.net/actor
+   * anonymous fetchers will receive 404 on GET /posts/A
+   * local users must authenticate and will be given said post only if it's addressed to them
+   * remote servers will be given access to all posts from any of their users once they have authenticated themselves (with http signing)
+
+note that followers get expanded: addressing to example.net/actor/followers will address to anyone following actor that the server knows of, at that time
+
 ## progress
 
  - [x] barebone actors