swicg / activitypub-http-signature

Repository for a SocialCG report on how HTTP Signature is used with ActivityPub
https://swicg.github.io/activitypub-http-signature/
11 stars 1 forks source link

How to upgrade supported HTTP Sig version(s) #29

Closed snarfed closed 7 months ago

snarfed commented 8 months ago

How should we advise projects to upgrade the version(s) of HTTP Sigs that they generate and validate?

Related: #1, #3, #17

@nightpool, I'm pretty sure you know more about this than me, https://github.com/swicg/activitypub-http-signature/issues/1#issuecomment-1927992088 , can I ask you to take a first pass at text here?

snarfed commented 7 months ago

@nightpool friendly ping! ok if you don't have a draft of text here yet; I'm just checking if you're still interested in working on this, and the report in general.

snarfed commented 7 months ago

Initial draft text below. Please review and revise!


The HTTP Signatures standard has made a few backward-incompatible changes on its path to becoming a full Proposed Standard RFC. Many fediverse servers currently handle older versions of the standard and aren't yet compatible with the final (httpbis-19) version. Here's advice on how to implement HTTP Signatures so as to be compatible with as many different servers as possible.

The primary technique we recommend is "double-knocking." First, try generating or verifying an HTTP Signature with one version, ideally (but not necessarily) the latest. If the remote server rejects that signature, eg with an HTTP 401 response, or the incoming signature doesn't verify, try with another version. Repeat until a signature passes or you've tried all supported versions.

(Many fediverse servers do process incoming activities asynchronously, but they generally still verify signatures synchronously, so double knocking is still viable when delivering activities to remote inboxes.)

Here's a list of ways to check for different versions, in descending order: