Re: @peertube/http-signature

@[email protected] I have a question for you... I'm seeing in Are we HS2019 yet? that Peertube and Misskey both use your package: @peertube/http-signature

NodeBB currently rolls its own cavage-12 support, and I did some preliminary research into updating to the latest HTTP Signatures draft, but quickly got overwhelmed.

For a variety of reasons, but mainly to avoid NIH, I'd consider switching to a dependency.

My question is: does your library support verification for non-hs2019 signatures, or will I need to invoke your library in front, and fall back to existing cavage-12 verification otherwise?

I suppose, same question re: double-knocking.[...]

https://activitypub.space/post/1865

Are We HS2019 Yet?

I've started working on generating RFC9421 compatible HTTP-Signatures in #GoActivityPub about a week and a half ago, but it felt more like a month.

Writing tests for the client module took the bulk of this time and it was a proper slog. We did manage to increase code coverage from under 20% to 80% plus.

This makes it a bit harder to migrate to a new API when the future version 1 of the library will be tagged, but the changes I have planned shouldn't be insurmountable.

Now I just need to implement the verification, and I'll be done with what is a very large milestone for the library.  

#ActivityPubDev #fedidev #httpsig

Hi Marius.

Supporting Ed25519 keys is just one of the aspects for me. Furthermore, I want to make explicit that the "public key" used is an Identity, that's why I use the did:key format. Second, I want explicit examples! Everybody wanting to implement this, can now write unit tests with copy and paste.

Third, HTTP-Sig contains a lot of unnecessary details, it specifies how to encode dictionaries contained in HTTP headers in TWO! ways. This is not the type of specification one can "quickly" implement. It's the type of specification that I want a battle hardened library for. So let's give HTTP-Sig at least 1 year to exit draft stage and 1 year to acquire good library support. Then we can talk again about it.

Helge's blog: BIN-1 Moo Authentication and Authorization

Javascript question: Does there exist a library that allows one to add http signatures in the browser? http-signature seems to be very popular, but it seems to be nodejs only, and it is not really clear how to use it in JavaScript. Thanks!
http-signature (npm): Reference implementation of Joyent's HTTP Signature scheme. Latest version: 1.3.6, last published: a year ago. Start using http-signature in your project by running `npm i http-signature`. There are 526 other projects in the npm registry using http-signature.

I'm working myself through http signatures mastodon explanation. My current understanding

  • I want as much traffic signed as possible
  • One has a chicken and egg problem, because one needs to expose a public key to make requests as the server. For example, in order to fetch the public key of parties making requests.
  • Where do I put this public key? I'm currently leaning towards doing something similar to Mastodon with its actor "actor". This would mean that I create an account "bovine" that represents the server.
  • Does anybody have any comments?

    Security - Mastodon documentation: Public key cryptography and supported signature schemes over HTTP and JSON-LD.

    The ActivityPub experiment is, as expected, not making much progress.
    I don't really understand HTTP Signature.

    With httpsig
    https://github.com/ahknight/httpsig
    I more or less understand how to do signing, but I don't really understand how to do verification.

    pylodon
    https://github.com/rowanlupton/pylodon
    uses httpsig, but does it not do verification?

    #ActivityPubで作りたい #ActivityPub
    #HTP_signature #httpsig
    ahknight/httpsig (GitHub): HTTP Signature for Python.
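The signing-versus-verifying gap raised in the post above, as an added example that is not part of the thread and not code from ahknight/httpsig, pylodon, NodeBB or any other project mentioned here: a standard-library-only Python sign/verify pair in the draft-cavage-http-signatures-12 style (the cavage-12 format NodeBB mentions earlier). It uses the draft's `hmac-sha256` algorithm name with a constructed shared secret so it runs offline; fediverse servers use `rsa-sha256` over exactly the same signing string, so only the two HMAC calls would change. The key id, host, path, body and Date are constructed values.

```python
"""Sign and verify HTTP requests in the draft-cavage-http-signatures-12 style.

Added example (not code from any project in the thread). hmac-sha256 with a
constructed shared secret stands in for the RSA keypair real servers use; the
signing string, header parsing and checks are the same for rsa-sha256.
"""
import base64
import hashlib
import hmac
import re
import time
from email.utils import formatdate, parsedate_to_datetime

# Constructed key material and identifiers, hypothetical and for this example only.
SECRET = b"constructed-shared-secret-not-for-real-use"
KEY_ID = "https://example.test/actor#main-key"
COVERED = ["(request-target)", "host", "date", "digest"]
MAX_SKEW = 300  # seconds of clock skew tolerated on the signed Date header

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def sha256_digest_header(body: bytes) -> str:
    """Digest header value (RFC 3230 style); the signature then covers it."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method: str, path: str, headers: dict, covered: list) -> str:
    """Canonical string: one 'name: value' line per covered header, in order.
    '(request-target)' is the lowercased method, a space, and the path."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in covered:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {lower[name]}")  # KeyError if a covered header is absent
    return "\n".join(lines)


def sign_request(method, path, headers, body, secret=SECRET, key_id=KEY_ID):
    """Return a copy of headers with Digest and Signature added (client side)."""
    headers = dict(headers)
    headers.setdefault("Date", formatdate(usegmt=True))
    headers["Digest"] = sha256_digest_header(body)
    to_sign = signing_string(method, path, headers, COVERED).encode()
    mac = hmac.new(secret, to_sign, hashlib.sha256).digest()
    headers["Signature"] = (
        f'keyId="{key_id}",algorithm="hmac-sha256",'
        f'headers="{" ".join(COVERED)}",signature="{base64.b64encode(mac).decode()}"'
    )
    return headers


def parse_signature(value: str) -> dict:
    """Signature header parameters: keyId, algorithm, headers, signature."""
    return dict(_PARAM_RE.findall(value))


def verify_request(method, path, headers, body, secret=SECRET, now=None):
    """Server side. Returns (ok, reason); every rejection names its cause."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "signature" not in lower:
        return False, "no Signature header"
    params = parse_signature(lower["signature"])
    covered = params.get("headers", "date").split()  # the draft's default is just 'date'
    # Policy: refuse signatures that do not bind the target, the time and the body.
    for required in ("(request-target)", "date", "digest"):
        if required not in covered:
            return False, f"{required} not covered"
    if params.get("algorithm") != "hmac-sha256":
        return False, "unsupported algorithm"
    # A signed Digest proves nothing unless the body actually matches it.
    if not hmac.compare_digest(lower.get("digest", "").encode(), sha256_digest_header(body).encode()):
        return False, "digest mismatch"
    try:
        sent = parsedate_to_datetime(lower["date"]).timestamp()
    except (KeyError, TypeError, ValueError, AttributeError):
        return False, "bad Date"
    current = time.time() if now is None else now
    if abs(current - sent) > MAX_SKEW:
        return False, "Date outside allowed skew"
    try:
        expected = hmac.new(secret, signing_string(method, path, headers, covered).encode(), hashlib.sha256).digest()
        given = base64.b64decode(params.get("signature", ""), validate=True)
    except (KeyError, ValueError) as exc:
        return False, f"malformed: {exc}"
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Constructed exchange: sign a POST to an inbox, verify it, then tamper."""
    body = b'{"type": "Create", "actor": "https://example.test/actor"}'
    date = "Mon, 02 Jan 2023 10:00:00 GMT"  # constructed; 'now' is pinned to it below
    now = parsedate_to_datetime(date).timestamp()
    headers = sign_request("POST", "/inbox", {"Host": "remote.test", "Date": date}, body)
    return {
        "valid": verify_request("POST", "/inbox", headers, body, now=now),
        "tampered_body": verify_request("POST", "/inbox", headers, body + b" ", now=now),
        "wrong_path": verify_request("POST", "/users/alice/inbox", headers, body, now=now),
        "stale": verify_request("POST", "/inbox", headers, body, now=now + 3600),
        "wrong_key": verify_request("POST", "/inbox", headers, body, secret=b"other", now=now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The verifier does the work that signing alone never exercises: it decides which headers a signature must cover (a signature over `date` alone would replay onto any path and body), checks the body against `Digest` before trusting the signed `Digest` value, bounds the signed `Date`, and compares MACs in constant time. In a real ActivityPub server the one extra step before the MAC check is resolving `keyId` to the actor document and reading its public key, which is exactly the chicken-and-egg fetch discussed earlier in the thread.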

    @matt I might eat my words later, but the assumption I'm using when developing littr.me is that all of the interactions that are available for local actors will be available for external ones too.
    I'm not yet done with modelling all these interactions, but so far I see no major impediment to doing so stemming either from the #ActivityPub spec or from #httpsig.
    Ideally if an actor has a resolvable ID/PubKey and tries to interact with us using a correct AP activity type, it should just work.