Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • World
  • Users
  • Groups
Skins
  • Light
  • Brite
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse

NodeBB

  1. Home
  2. General Discussion
  3. Could be potentially nice for fediverse server testing, as more implementations make the jump to final RFC 9421 HTTP signatures.

Could be potentially nice for fediverse server testing, as more implementations make the jump to final RFC 9421 HTTP signatures.

Scheduled Pinned Locked Moved General Discussion
activitypubfedidevrfc9421
57 Posts 11 Posters 133 Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • julian@fietkau.socialJ julian@fietkau.social

    @julian@activitypub.space As I understand the migration path, it's like

    1. Able to receive RFC 9421 in addition to draft-cavage
    2. Able to send RFC 9421 in addition to draft-cavage
    3. Send RFC 9421 by default, but be able to fall back to draft-cavage if needed

    So by β€œcan't handle” I meant step 1. πŸ™‚ Although the unspoken step 4 is to remove draft-cavage support once everyone else has taken step 1, I'm ultimately also wondering when we'll get there.

    evan@cosocial.caE This user is from outside of this forum
    evan@cosocial.caE This user is from outside of this forum
    evan@cosocial.ca
    wrote on last edited by
    #5

    @julian@fietkau.social @julian@activitypub.space Honestly, I think it's going to be a while.

    I think the term for step 3 is "double knocking", and it's called out in the HTTP Signature report for the Social CG:

    https://swicg.github.io/activitypub-http-signature/

    1 Reply Last reply
    1
    • julian@fietkau.socialJ julian@fietkau.social

      RE: https://mastodon.social/@bagder/116359048796181736

      Could be potentially nice for fediverse server testing, as more implementations make the jump to final RFC 9421 HTTP signatures.

      On the flip side, ever more complex curl invocations (here: Accept header plus signature fields plus key file, presumably) suggest use of more specialized CLI tools, such as provided by @fedify, or at least scripts/aliases.

      Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?

      #ActivityPub #FediDev #RFC9421

      gabboman@gabboman.xyzG This user is from outside of this forum
      gabboman@gabboman.xyzG This user is from outside of this forum
      gabboman@gabboman.xyz
      wrote on last edited by
      #6

      @fedify@hollo.social @julian@fietkau.social

      I still cant! but I wonder, any example of a software in node/javascript that uses the new signature standard?

      1 Reply Last reply
      0
      • julian@fietkau.socialJ This user is from outside of this forum
        julian@fietkau.socialJ This user is from outside of this forum
        julian@fietkau.social
        wrote on last edited by
        #7

        @gabboman @fedify Fedify does it in TypeScript, as for vanilla JavaScript I have no idea.

        gabboman@gabboman.xyzG 1 Reply Last reply
        1
        • julian@fietkau.socialJ julian@fietkau.social

          @gabboman @fedify Fedify does it in TypeScript, as for vanilla JavaScript I have no idea.

          gabboman@gabboman.xyzG This user is from outside of this forum
          gabboman@gabboman.xyzG This user is from outside of this forum
          gabboman@gabboman.xyz
          wrote on last edited by
          #8

          @fedify@hollo.social @julian@fietkau.social

          excelent

          1 Reply Last reply
          1
          • mradcliffe@nokoto.orgM This user is from outside of this forum
            mradcliffe@nokoto.orgM This user is from outside of this forum
            mradcliffe@nokoto.org
            wrote on last edited by
            #9

            @evan @julian@fietkau.social @julian@activitypub.spaceΒ  I think organizing a contribution event to refactor @peertube/http-signature and golang’s httpsig or gotosocial's fork of httpsig to support both cavage-12 and RFC9421 would go a long way to getting this done sooner as most of the software missing implementation depend on those libraries.

            evan@cosocial.caE 1 Reply Last reply
            0
            • mradcliffe@nokoto.orgM mradcliffe@nokoto.org

              @evan @julian@fietkau.social @julian@activitypub.spaceΒ  I think organizing a contribution event to refactor @peertube/http-signature and golang’s httpsig or gotosocial's fork of httpsig to support both cavage-12 and RFC9421 would go a long way to getting this done sooner as most of the software missing implementation depend on those libraries.

              evan@cosocial.caE This user is from outside of this forum
              evan@cosocial.caE This user is from outside of this forum
              evan@cosocial.ca
              wrote on last edited by
              #10

              @mradcliffe The thing about double-knocking is that it requires two implementations (RFC 9421, draft-cavage-12). It also requires a persistent cache, so once you figure out which signature system the remote server supports, you only use that one -- you don't double-knock every time. It might not work as a library.

              mradcliffe@nokoto.orgM 1 Reply Last reply
              0
              • julian@activitypub.spaceJ This user is from outside of this forum
                julian@activitypub.spaceJ This user is from outside of this forum
                julian@activitypub.space
                wrote on last edited by
                #11

                @gabboman@gabboman.xyz are you coding typescript?

                NodeBB is plain js. C'mon you don't need type safety. Code like its the 2000s.

                1 Reply Last reply
                1
                • julian@fietkau.socialJ julian@fietkau.social

                  RE: https://mastodon.social/@bagder/116359048796181736

                  Could be potentially nice for fediverse server testing, as more implementations make the jump to final RFC 9421 HTTP signatures.

                  On the flip side, ever more complex curl invocations (here: Accept header plus signature fields plus key file, presumably) suggest use of more specialized CLI tools, such as provided by @fedify, or at least scripts/aliases.

                  Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?

                  #ActivityPub #FediDev #RFC9421

                  hazelnoot@void.lgbtH This user is from outside of this forum
                  hazelnoot@void.lgbtH This user is from outside of this forum
                  hazelnoot@void.lgbt
                  wrote on last edited by
                  #12

                  Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?

                  @julian@fietkau.social @fedify@hollo.social I'm honestly not aware of any that do support it yet...

                  julian@fietkau.socialJ 1 Reply Last reply
                  0
                  • julian@fietkau.socialJ julian@fietkau.social

                    @julian@activitypub.space As I understand the migration path, it's like

                    1. Able to receive RFC 9421 in addition to draft-cavage
                    2. Able to send RFC 9421 in addition to draft-cavage
                    3. Send RFC 9421 by default, but be able to fall back to draft-cavage if needed

                    So by β€œcan't handle” I meant step 1. πŸ™‚ Although the unspoken step 4 is to remove draft-cavage support once everyone else has taken step 1, I'm ultimately also wondering when we'll get there.

                    julian@activitypub.spaceJ This user is from outside of this forum
                    julian@activitypub.spaceJ This user is from outside of this forum
                    julian@activitypub.space
                    wrote on last edited by
                    #13

                    @julian@fietkau.social ah, then no, NodeBB has no support yet. That's true though that there is a step-wise upgrade pattern.

                    Updating our HTTP Signature lib is part of our grant funded work so it'll get sorted out soon!

                    cc @evan@cosocial.ca @gabboman@gabboman.xyz

                    1 Reply Last reply
                    1
                    • evan@cosocial.caE evan@cosocial.ca

                      @mradcliffe The thing about double-knocking is that it requires two implementations (RFC 9421, draft-cavage-12). It also requires a persistent cache, so once you figure out which signature system the remote server supports, you only use that one -- you don't double-knock every time. It might not work as a library.

                      mradcliffe@nokoto.orgM This user is from outside of this forum
                      mradcliffe@nokoto.orgM This user is from outside of this forum
                      mradcliffe@nokoto.org
                      wrote on last edited by
                      #14

                      @evan Thanks for the response. I think how a given software does double-knocking is up to that software. It is not necessarily true that you have to store the result, but it is ideal. I am much too lazy to refactor a persistent cache and I just double-knock every time. πŸ˜›

                      But to start, those libraries need to be able to support both signature implementations as those libraries are already in-use by the majority of software that has not implemented RFC 9421 yet.

                      1 Reply Last reply
                      1
                      • evan@cosocial.caE This user is from outside of this forum
                        evan@cosocial.caE This user is from outside of this forum
                        evan@cosocial.ca
                        wrote on last edited by
                        #15

                        @gabboman @fedify @julian I'm adding it to activitypub-bot this week. I'll send a link when it's up.

                        evan@cosocial.caE 1 Reply Last reply
                        0
                        • hazelnoot@void.lgbtH hazelnoot@void.lgbt

                          Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?

                          @julian@fietkau.social @fedify@hollo.social I'm honestly not aware of any that do support it yet...

                          julian@fietkau.socialJ This user is from outside of this forum
                          julian@fietkau.socialJ This user is from outside of this forum
                          julian@fietkau.social
                          wrote on last edited by
                          #16

                          @hazelnoot @fedify At the very least, Mastodon and Fedify (and by extension Hollo and Ghost) do. Outside of those I'm very unsure! I've seen @silverpill talk about it a bunch, so maybe Mitra supports it as well.

                          silverpill@mitra.socialS 1 Reply Last reply
                          0
                          • julian@fietkau.socialJ julian@fietkau.social

                            @hazelnoot @fedify At the very least, Mastodon and Fedify (and by extension Hollo and Ghost) do. Outside of those I'm very unsure! I've seen @silverpill talk about it a bunch, so maybe Mitra supports it as well.

                            silverpill@mitra.socialS This user is from outside of this forum
                            silverpill@mitra.socialS This user is from outside of this forum
                            silverpill@mitra.social
                            wrote on last edited by
                            #17

                            @julian @hazelnoot @fedify Mitra can verify RFC-9421 sigs.

                            I think all FEP-844e implementations support RFC-9421 in some capacity. The list of known implementations includes:

                            - Streams / Forte
                            - ActivityPub for WordPress
                            - tootik

                            julian@activitypub.spaceJ 1 Reply Last reply
                            0
                            • silverpill@mitra.socialS silverpill@mitra.social

                              @julian @hazelnoot @fedify Mitra can verify RFC-9421 sigs.

                              I think all FEP-844e implementations support RFC-9421 in some capacity. The list of known implementations includes:

                              - Streams / Forte
                              - ActivityPub for WordPress
                              - tootik

                              julian@activitypub.spaceJ This user is from outside of this forum
                              julian@activitypub.spaceJ This user is from outside of this forum
                              julian@activitypub.space
                              wrote on last edited by
                              #18

                              @silverpill@mitra.social how do I test against Mitra?

                              1 Reply Last reply
                              0
                              • silverpill@mitra.socialS This user is from outside of this forum
                                silverpill@mitra.socialS This user is from outside of this forum
                                silverpill@mitra.social
                                wrote on last edited by
                                #19

                                @julian Just send a request with RFC-9421 signature. It should return 401 on failure.

                                Mitra doesn't use RFC-9421 for signing outgoing requests.

                                1 Reply Last reply
                                1
                                • julian@fietkau.socialJ julian@fietkau.social

                                  RE: https://mastodon.social/@bagder/116359048796181736

                                  Could be potentially nice for fediverse server testing, as more implementations make the jump to final RFC 9421 HTTP signatures.

                                  On the flip side, ever more complex curl invocations (here: Accept header plus signature fields plus key file, presumably) suggest use of more specialized CLI tools, such as provided by @fedify, or at least scripts/aliases.

                                  Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?

                                  #ActivityPub #FediDev #RFC9421

                                  M This user is from outside of this forum
                                  M This user is from outside of this forum
                                  mayel@activitypub.space
                                  wrote on last edited by mayel@activitypub.space
                                  #20

                                  we recently added RFC-9421 to @bonfire@bonfire.cafe : https://docs.bonfirenetworks.org/federation-interoperability.html#7-http-signatures-secure-fetch

                                  not doing double-knock but rather using different methods to try and discover what the other side supports (in priority order):

                                  1. Inbound signature caching: When a remote server sends us a signed request, we cache which format they used (cavage or RFC 9421)
                                  2. Accept-Signature header: When we receive an Accept-Signature response header from a remote server (on any response β€” WebFinger, object fetch, inbox POST), we cache RFC 9421 support for that host
                                  3. FEP-844e generator detection: Check remote actors' generator.implements or the instance service actor's implements property for RFC 9421 support URIs (see below)
                                  4. NodeInfo software version: Look up the remote's software name and version against a known-support map (e.g., Mastodon β‰₯ 4.5.0, Fedify β‰₯ 1.6.0, Hollo, Mitra)
                                  5. Default: Fall back to draft-cavage
                                  1 Reply Last reply
                                  1
                                  • julian@fietkau.socialJ julian@fietkau.social

                                    RE: https://mastodon.social/@bagder/116359048796181736

                                    Could be potentially nice for fediverse server testing, as more implementations make the jump to final RFC 9421 HTTP signatures.

                                    On the flip side, ever more complex curl invocations (here: Accept header plus signature fields plus key file, presumably) suggest use of more specialized CLI tools, such as provided by @fedify, or at least scripts/aliases.

                                    Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?

                                    #ActivityPub #FediDev #RFC9421

                                    mro@digitalcourage.socialM This user is from outside of this forum
                                    mro@digitalcourage.socialM This user is from outside of this forum
                                    mro@digitalcourage.social
                                    wrote on last edited by
                                    #21

                                    Hi @julian @fedify,
                                    #complexity benefits the big players. That's huge harm to diverse #federation. Challenge it, refuse it, stop it.

                                    evan@cosocial.caE 1 Reply Last reply
                                    0
                                    • julian@fietkau.socialJ julian@fietkau.social

                                      RE: https://mastodon.social/@bagder/116359048796181736

                                      Could be potentially nice for fediverse server testing, as more implementations make the jump to final RFC 9421 HTTP signatures.

                                      On the flip side, ever more complex curl invocations (here: Accept header plus signature fields plus key file, presumably) suggest use of more specialized CLI tools, such as provided by @fedify, or at least scripts/aliases.

                                      Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?

                                      #ActivityPub #FediDev #RFC9421

                                      evan@cosocial.caE This user is from outside of this forum
                                      evan@cosocial.caE This user is from outside of this forum
                                      evan@cosocial.ca
                                      wrote on last edited by
                                      #22

                                      @julian @fedify tags.pub now accepts RFC 9421 and does double-knocking (with cached results) for outgoing requests.

                                      julian@fietkau.socialJ 1 Reply Last reply
                                      0
                                      • evan@cosocial.caE evan@cosocial.ca

                                        @julian @fedify tags.pub now accepts RFC 9421 and does double-knocking (with cached results) for outgoing requests.

                                        julian@fietkau.socialJ This user is from outside of this forum
                                        julian@fietkau.socialJ This user is from outside of this forum
                                        julian@fietkau.social
                                        wrote on last edited by
                                        #23

                                        @evan Great work! πŸ‘

                                        evan@cosocial.caE 1 Reply Last reply
                                        0
                                        • julian@fietkau.socialJ julian@fietkau.social

                                          @evan Great work! πŸ‘

                                          evan@cosocial.caE This user is from outside of this forum
                                          evan@cosocial.caE This user is from outside of this forum
                                          evan@cosocial.ca
                                          wrote on last edited by
                                          #24

                                          @julian I started a conversation on public-swicg about doing a new version of the HTTP Signature report.

                                          https://lists.w3.org/Archives/Public/public-swicg/2026Apr/0013.html

                                          mariusor@metalhead.clubM 1 Reply Last reply
                                          0

                                          Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                                          Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                                          With your input, this post could be even better πŸ’—

                                          Register Login
                                          Reply
                                          • Reply as topic
                                          Log in to reply
                                          • Oldest to Newest
                                          • Newest to Oldest
                                          • Most Votes


                                          • Login

                                          • Don't have an account? Register

                                          • Login or register to search.
                                          Powered by NodeBB Contributors
                                          • First post
                                            Last post
                                          0
                                          • Categories
                                          • Recent
                                          • Tags
                                          • Popular
                                          • World
                                          • Users
                                          • Groups