Conversation

Notices

1. Embed this notice
   Hrefna (DHC) (hrefna@hachyderm.io)'s status on Friday, 15-Nov-2024 03:51:40 JST Hrefna (DHC)

   • Ben Pate 🤘🏻
   • Jenniferplusplus
   • kopper of sub-standard quality
   • Seb Potter
   • Amber

   @kopper

   There's no access control inherent HTTP signatures or in how they are generally implemented and using it for that purpose is _very_ hackey.

   If we want access controls there are better solutions with things like JWTs.

   @benpate @jenniferplusplus @sebinthestars @puppygirlhornypost2 @lily

   • Embed this notice
     Jenniferplusplus (jenniferplusplus@hachyderm.io)'s status on Friday, 15-Nov-2024 04:01:44 JST Jenniferplusplus

     in reply to

     • Ben Pate 🤘🏻
     • kopper of sub-standard quality
     • Seb Potter
     • Amber

     @hrefna
     The biggest value of http signatures is that they're not forwardable. They also provide some forgery protection. And as long as we're relying on self-asserted credentials, it's no worse of an authn mechanism than anything else. But you're right they convey no authorization, and that's something I wish we had.

     @kopper @benpate @sebinthestars @puppygirlhornypost2 @lily

   • Embed this notice
     Hrefna (DHC) (hrefna@hachyderm.io)'s status on Friday, 15-Nov-2024 04:17:07 JST Hrefna (DHC)

     in reply to

     • Ben Pate 🤘🏻
     • Jenniferplusplus
     • kopper of sub-standard quality
     • Seb Potter
     • Amber

     @jenniferplusplus

     Oh sure, there are uses for them and I don't object to using the modern standard for it in the slightest, it's just that a lot of those uses can be done on a per-server rather than a per-user basis.

     Basically they are good for a handful of things, but my argument is that none of those things can be called access control and few if any of them are great solutions in that space. Especially at the individual level.

     @kopper @benpate @sebinthestars @puppygirlhornypost2 @lily