Could be potentially nice for fediverse server testing, as more implementations make the jump to final RFC 9421 HTTP signatures.
-
@gabboman@gabboman.xyz are you coding typescript?
NodeBB is plain js. C'mon you don't need type safety. Code like its the 2000s.
-
RE: https://mastodon.social/@bagder/116359048796181736
Could be potentially nice for fediverse server testing, as more implementations make the jump to final RFC 9421 HTTP signatures.
On the flip side, ever more complex curl invocations (here: Accept header plus signature fields plus key file, presumably) suggest use of more specialized CLI tools, such as provided by @fedify, or at least scripts/aliases.
Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?
Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?
@julian@fietkau.social @fedify@hollo.social I'm honestly not aware of any that do support it yet...
-
@julian@activitypub.space As I understand the migration path, it's like
1. Able to receive RFC 9421 in addition to draft-cavage
2. Able to send RFC 9421 in addition to draft-cavage
3. Send RFC 9421 by default, but be able to fall back to draft-cavage if neededSo by βcan't handleβ I meant step 1.
Although the unspoken step 4 is to remove draft-cavage support once everyone else has taken step 1, I'm ultimately also wondering when we'll get there.@julian@fietkau.social ah, then no, NodeBB has no support yet. That's true though that there is a step-wise upgrade pattern.
Updating our HTTP Signature lib is part of our grant funded work so it'll get sorted out soon!
-
@mradcliffe The thing about double-knocking is that it requires two implementations (RFC 9421, draft-cavage-12). It also requires a persistent cache, so once you figure out which signature system the remote server supports, you only use that one -- you don't double-knock every time. It might not work as a library.
@evan Thanks for the response. I think how a given software does double-knocking is up to that software. It is not necessarily true that you have to store the result, but it is ideal. I am much too lazy to refactor a persistent cache and I just double-knock every time.
But to start, those libraries need to be able to support both signature implementations as those libraries are already in-use by the majority of software that has not implemented RFC 9421 yet.
-
-
Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?
@julian@fietkau.social @fedify@hollo.social I'm honestly not aware of any that do support it yet...
@hazelnoot @fedify At the very least, Mastodon and Fedify (and by extension Hollo and Ghost) do. Outside of those I'm very unsure! I've seen @silverpill talk about it a bunch, so maybe Mitra supports it as well.
-
@hazelnoot @fedify At the very least, Mastodon and Fedify (and by extension Hollo and Ghost) do. Outside of those I'm very unsure! I've seen @silverpill talk about it a bunch, so maybe Mitra supports it as well.
@julian @hazelnoot @fedify Mitra can verify RFC-9421 sigs.
I think all FEP-844e implementations support RFC-9421 in some capacity. The list of known implementations includes:
- Streams / Forte
- ActivityPub for WordPress
- tootik -
@julian @hazelnoot @fedify Mitra can verify RFC-9421 sigs.
I think all FEP-844e implementations support RFC-9421 in some capacity. The list of known implementations includes:
- Streams / Forte
- ActivityPub for WordPress
- tootik@silverpill@mitra.social how do I test against Mitra?
-
@julian Just send a request with RFC-9421 signature. It should return 401 on failure.
Mitra doesn't use RFC-9421 for signing outgoing requests.
-
RE: https://mastodon.social/@bagder/116359048796181736
Could be potentially nice for fediverse server testing, as more implementations make the jump to final RFC 9421 HTTP signatures.
On the flip side, ever more complex curl invocations (here: Accept header plus signature fields plus key file, presumably) suggest use of more specialized CLI tools, such as provided by @fedify, or at least scripts/aliases.
Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?
we recently added RFC-9421 to @bonfire@bonfire.cafe : https://docs.bonfirenetworks.org/federation-interoperability.html#7-http-signatures-secure-fetch
not doing double-knock but rather using different methods to try and discover what the other side supports (in priority order):
- Inbound signature caching: When a remote server sends us a signed request, we cache which format they used (cavage or RFC 9421)
- Accept-Signature header: When we receive an Accept-Signature response header from a remote server (on any response β WebFinger, object fetch, inbox POST), we cache RFC 9421 support for that host
- FEP-844e generator detection: Check remote actors' generator.implements or the instance service actor's implements property for RFC 9421 support URIs (see below)
- NodeInfo software version: Look up the remote's software name and version against a known-support map (e.g., Mastodon β₯ 4.5.0, Fedify β₯ 1.6.0, Hollo, Mitra)
- Default: Fall back to draft-cavage
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better π
Register Login