Closed evanp closed 5 months ago
One principle that might need to be articulated is that double-knocking might be necessary.
So if you make a request with AP+Sig 2.0, and it fails, fall back to AP+Sig 1.0, and try again. If it works, maybe set a flag that the remote server doesn't support 2.0 yet (so you cut down on retries). You might need to try 2.0 again randomly until the remote server upgrades, which honestly may take years.
It's not great, but it maximizes compatibility.
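The double-knocking flow described in the comment above, as an added example that is not part of the thread or of any project's code. It assumes that "AP+Sig 2.0" maps to httpbis and "AP+Sig 1.0" to cavage, that a 401 or 403 means the signature was refused, and that the hypothetical `send` callable signs and posts the request with the given scheme and returns the HTTP status.

```python
import random

NEW, OLD = "httpbis", "cavage"   # assumed mapping: AP+Sig 2.0 / AP+Sig 1.0
REJECTED = {401, 403}            # assumed statuses meaning "signature not accepted"


class DoubleKnocker:
    """Per-host memory of which signature scheme a remote server accepts."""

    def __init__(self, reprobe_chance=0.05, rng=random.random):
        self.old_only = set()            # hosts flagged as not supporting NEW yet
        self.reprobe_chance = reprobe_chance
        self.rng = rng

    def order(self, host):
        """Schemes to try, in order, for this host."""
        if host in self.old_only and self.rng() >= self.reprobe_chance:
            return [OLD]                 # flagged: skip the knock known to fail
        return [NEW, OLD]                # unknown host, or a random re-probe

    def deliver(self, host, send):
        """send(scheme) -> HTTP status. Returns (status, scheme, attempts)."""
        attempts = 0
        for scheme in self.order(host):
            status = send(scheme)
            attempts += 1
            if status in REJECTED:
                continue                 # signature refused: knock again
            if 200 <= status < 300:
                if scheme == NEW:
                    self.old_only.discard(host)   # remote upgraded: clear flag
                elif attempts > 1:
                    self.old_only.add(host)       # NEW refused, OLD accepted
            return status, scheme, attempts       # success or unrelated error
        return status, scheme, attempts           # every scheme was refused
```

A 5xx or other non-signature failure is returned as-is rather than triggering the fallback, so an outage on the remote side does not wrongly flag it as 1.0-only.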
Worth noting that Mastodon does not like non-string RFC 8941 formatted headers, which prevents stuffing httpbis and cavage in the same request.
I agree that double-knocking is the current best approach.
Initial double-knocking text is in https://github.com/swicg/activitypub-http-signature/issues/29#issuecomment-2005080039
I can think of at least two: