Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://were.social/objects/5c56afac-c6c8-42e6-8899-1ad4cb444e23">arcanicanis (arcanicanis@were.social)'s status on Tuesday, 27-Feb-2024 07:19:18 JST</a><a href="https://were.social/users/arcanicanis" title="arcanicanis@were.social"><img src="https://gnusocial.jp/avatar/10459-48-20220918060352.webp" width="48" height="48" alt="arcanicanis" style="position: absolute; left: 0; top: 0;">arcanicanis</a><div><a href="https://social.technoetic.com/@steve/111999571395515351" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/238845" title="blog@shkspr.mobi">Terence Eden’s Blog</a></li></ul></div></section><article><p>I think it's worth just replacing/upgrading the present state of HTTP Signatures, such as working towards a FEP that instead utilizes RFC9421 (instead of it's earlier incompatible drafts), enabling the ability to have a server-wide key (especially to lock it down to an HSM or other secured storage) rather than this present joke of private keys generated for each user, typically stored unwrapped in a database, that the user can't export for risk of other users on the same instance.</p><p>The first step however is defining some mechanism for announcing support for "upgraded HTTP Signatures", as I don't think both could coexist without some discovery/upgrade mechanism: <a href="https://socialhub.activitypub.rocks/t/extension-support-discovery/3925">https://socialhub.activitypub.rocks/t/extension-support-discovery/3925</a></p><p>Yes, it won't solve anything with trying to resolve your implementation struggles in the current present, however there needs to be momentum started with fixing this, and garnering support for building a 'better HTTP Signatures', so that people don't have to fight with this absurdity hopefully in the future.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2764922#notice-5481771">In conversation</a><time datetime="2024-02-27T07:19:18+09:00" title="Tuesday, 27-Feb-2024 07:19:18 JST">about a year ago</time> <span>from <span><a href="https://were.social/objects/5c56afac-c6c8-42e6-8899-1ad4cb444e23" rel="external" title="Sent from were.social via ActivityPub">were.social</a></span></span><a href="https://were.social/objects/5c56afac-c6c8-42e6-8899-1ad4cb444e23">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/2309527">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
arcanicanis (arcanicanis@were.social)'s status on Tuesday, 27-Feb-2024 07:19:18 JSTarcanicanis
in reply to
- Steve Bate
- Terence Eden’s Blog
I think it's worth just replacing/upgrading the present state of HTTP Signatures, such as working towards a FEP that instead utilizes RFC9421 (instead of it's earlier incompatible drafts), enabling the ability to have a server-wide key (especially to lock it down to an HSM or other secured storage) rather than this present joke of private keys generated for each user, typically stored unwrapped in a database, that the user can't export for risk of other users on the same instance.
The first step however is defining some mechanism for announcing support for "upgraded HTTP Signatures", as I don't think both could coexist without some discovery/upgrade mechanism: https://socialhub.activitypub.rocks/t/extension-support-discovery/3925
Yes, it won't solve anything with trying to resolve your implementation struggles in the current present, however there needs to be momentum started with fixing this, and garnering support for building a 'better HTTP Signatures', so that people don't have to fight with this absurdity hopefully in the future.
In conversationabout a year ago from were.socialpermalink
Attachments
1. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice