Fedify: ActivityPub server framework
@fedify@hollo.social

Following Mastodon's plan to adopt HTTP Message Signatures (RFC 9421), we will implement the same standard in . We'll use “double-knocking” to maintain compatibility with servers using older signature versions (draft-cavage-http-signatures-12).

datatracker.ietf.org

Signing HTTP Messages

When communicating over the Internet using the HTTP protocol, it can be desirable for a server or client to authenticate the sender of a particular message. It can also be desirable to ensure that the message was not tampered with during transit. This document describes a way for servers and clients to simultaneously add authentication and message integrity to HTTP messages by using a digital signature.

1 reply

silverpill
@silverpill@mitra.social · Reply to Fedify: ActivityPub server framework

@fedify

>The primary technique we recommend is double-knocking. First, try generating or verifying an HTTP Signature with one version, ideally (but not necessarily) the latest. If the remote server rejects that signature, eg with an HTTP 401 response, or the incoming signature doesn't verify, try with another version. Repeat until a signature passes or you've tried all supported versions.

Do they recommend making two requests instead of one? This is ridiculous. Today no one supports RFC9421, and everyone supports Draft 12, so there is no reason to try RFC9421 version first. Once RFC9421 is widely supported, we can simply switch to RFC9421.

One can also add a boolean flag to actor document. If supportsRFC9421 is true, inbox deliveries can be signed with RFC9421.