search

swicg / activitypub-http-signature

Repository for a SocialCG report on how HTTP Signature is used with ActivityPub
https://swicg.github.io/activitypub-http-signature/
11 stars 1 forks source link

Describe potential improvements #10

Closed evanp closed 5 months ago

evanp commented 7 months ago

I can think of at least two:

  1. Using the most recent version of HTTP BIS (although I don't think there's a final version yet!)
  2. Using the most recent version of W3C Security (2?)
evanp commented 7 months ago

One principle that might need to be articulated is that double-knocking might be necessary.

So if you make a request with AP+Sig 2.0, and it fails, fall back to AP+Sig 1.0, and try again. If it works, maybe set a flag that the remote server doesn't support 2.0 yet (so you cut down on retries). You might need to try 2.0 again randomly until the remote server upgrades, which honestly may take years.

It's not great, but it maximizes compatibility.

perillamint commented 7 months ago

Worth to note that Mastodon does not like non-string RFC 8941 formatted headers, which prevents stuffing httpbis and cavage in the same request.

I agree that double-knocking is current best approach.

snarfed commented 6 months ago

Initial double-knocking text is in https://github.com/swicg/activitypub-http-signature/issues/29#issuecomment-2005080039