NotesStore resolving

Store resolving draft

When receiving a message or discovering an actor group, an actor needs to connect to the store of a possibly unknown and untrusted actor. This requires some caution.

Message reception

When receiving a message, the message envelope contains the URL of the sender's store, e.g.

To process the message, the receiver must connect to that store to retrieve the sender's public key (to verify the envelope's signature), and the message content. This results in one or more get requests.

Actor group discovery

Similarly, members of the same actor group publish their stores on their public cards. To discover the group, an actor must connect to these stores, list their public box, and get their public cards and public keys.

Security risks

Get and list request will not cause any direct harm, since they do not modify the store. Careless implementations may however allow an attacker to use an actor as part of a greater attack. Two obvious examples are:


An actor should take the following precautions:

In addition, missing public keys or empty public boxes are a weak indicator for a maliciously indicated store. You may greylist the corresponding sender or actor, rate limit requests on the corresponding store, or log such incidents for manual investigation.

User notifications

Generally, envelopes or public cards pointing to invalid stores should be silently ignored, without notifying the user.

However, if the corresponding actor or actor group is known and trusted (e.g. a friend), the user should be notified so that the problem can be resolved.