Fedify: an ActivityPub server framework

@[email protected]

Following Mastodon's plan to adopt HTTP Message Signatures (RFC 9421), we will implement the same standard in . We'll use “double-knocking” to maintain compatibility with servers using older signature versions (draft-cavage-http-signatures-12).

Tak!

@[email protected] · Reply to Fedify: an ActivityPub server framework's post

@fedify Ugh, can't wait to deal with four different signature types

silverpill

@[email protected] · Reply to Fedify: an ActivityPub server framework's post

@fedify

>The primary technique we recommend is double-knocking. First, try generating or verifying an HTTP Signature with one version, ideally (but not necessarily) the latest. If the remote server rejects that signature, e.g. with an HTTP 401 response, or the incoming signature doesn't verify, try with another version. Repeat until a signature passes or you've tried all supported versions.

Do they recommend making two requests instead of one? This is ridiculous. Today no one supports RFC9421, and everyone supports Draft 12, so there is no reason to try RFC9421 version first. Once RFC9421 is widely supported, we can simply switch to RFC9421.

One can also add a boolean flag to actor document. If supportsRFC9421 is true, inbox deliveries can be signed with RFC9421.