GNU social JP
    silverpill (silverpill@mitra.social)'s status on Tuesday, 03-Jun-2025 23:15:21 JST

    ActivityPub and HTTP Signatures recommends double-knocking to those who want to produce RFC 9421 signatures.

    This is ridiculous because it means making ~2x more POST requests to deliver an activity. And eventually there will be another upgrade. Then what, triple-knocking?

    I think capabilities like RFC-9421 support can be advertised via actor properties.

    It can look like this:

    {
      "id": "https://social.example/actor",
      "type": "Person",
      "generator": {
        "type": "Application",
        "implements": [
          {
            "name": "RFC-9421: HTTP Message Signatures",
            "href": "https://datatracker.ietf.org/doc/html/rfc9421"
          }
        ]
      }
    }

    Here is a FEP draft:

    https://codeberg.org/silverpill/feps/src/branch/main/844e/fep-844e.md

    @rfc9421


    Attachments

      RFC 9421: HTTP Message Signatures
      from Manu Sporny
      This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer and where the message may be transformed (e.g., by intermediaries) before reaching the verifier. This document also describes a means for requesting that a signature be applied to a subsequent HTTP message in an ongoing HTTP exchange.
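
A sender-side sketch of the capability check proposed in the first notice, as an added example that is not part of the original post or of the FEP draft: it reads `generator.implements` from an already-fetched actor document and picks the signing scheme before the first POST. Matching on the `href` value and the scheme labels `rfc9421` and `draft` are assumptions made for illustration.

```python
import json

# href taken from the actor document shown in the notice above.
RFC9421_HREF = "https://datatracker.ietf.org/doc/html/rfc9421"

# Constructed sample actors (not real accounts).
ACTOR_NEW = json.loads("""
{"id": "https://social.example/actor", "type": "Person",
 "generator": {"type": "Application", "implements": [
   {"name": "RFC-9421: HTTP Message Signatures",
    "href": "https://datatracker.ietf.org/doc/html/rfc9421"}]}}
""")
ACTOR_OLD = {"id": "https://old.example/actor", "type": "Person"}


def _as_list(value):
    """JSON-LD style properties may hold a single value or an array."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def advertised_capabilities(actor):
    """Return the set of href strings found under generator.implements.

    The actor document is remote, untrusted input, so every level is
    type-checked and anything malformed is ignored rather than raised on.
    """
    hrefs = set()
    if not isinstance(actor, dict):
        return hrefs
    for gen in _as_list(actor.get("generator")):
        if not isinstance(gen, dict):  # generator given as a bare URI
            continue
        for cap in _as_list(gen.get("implements")):
            if isinstance(cap, dict) and isinstance(cap.get("href"), str):
                hrefs.add(cap["href"])
    return hrefs


def choose_signature_scheme(actor):
    """Decide how to sign the delivery request without probing the inbox."""
    if RFC9421_HREF in advertised_capabilities(actor):
        return "rfc9421"
    return "draft"  # hypothetical label for the older draft signatures


def plan_delivery(actors):
    """Map each recipient id to one scheme, i.e. one POST per recipient."""
    return {a.get("id"): choose_signature_scheme(a)
            for a in actors if isinstance(a, dict)}
```

Because a missing or malformed property falls back to `draft`, a server that advertises nothing is still contacted exactly once, with the signature format it already accepts.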
      silverpill (silverpill@mitra.social)'s status on Wednesday, 04-Jun-2025 01:27:00 JST
      in reply to
      • picofarad

      @picofarad @rfc9421 It's for signing HTTP requests, not content (activities). Until recently, we used a draft of RFC-9421, but now RFC-9421 is final and developers are starting to upgrade (draft and final versions are incompatible).
      Don't know about routers/proxies.

      picofarad (picofarad@noauthority.social)'s status on Wednesday, 04-Jun-2025 01:27:01 JST
      in reply to

      @silverpill @rfc9421 hi i'm a dummy. So rfc9421 is "newer" than content message signing, which AP already has? Is the double knocking, as copilot tells me, for backwards compatibility for older clients?

      does RFC9421 sign the content itself? a skim shows headers, methods, and URI. either way, i guess rfc9421 signing means that activitypub can go through protocol specific "routers" and proxies and the like, transparently?

      i don't read RFCs for fun, unless they have a DOI (they probably do...)

      silverpill (silverpill@mitra.social)'s status on Wednesday, 04-Jun-2025 02:27:59 JST
      in reply to
      • FenTiger

      @fentiger @rfc9421 I don't know how it is supposed to work.

      FenTiger (fentiger@zotum.net)'s status on Wednesday, 04-Jun-2025 02:28:01 JST
      in reply to
      @silverpill Do you have to double-knock every time? Can't you cache the result when a POST succeeds, so you know which signature method to use next time you deliver to that instance?

      silverpill (silverpill@mitra.social)'s status on Wednesday, 04-Jun-2025 03:30:15 JST
      in reply to
      • FenTiger

      @fentiger @rfc9421 Caching results might help, but either way, not all servers validate signatures synchronously, so this method is not reliable.
      It is much better if you know what to send in advance.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.