RE: https://mastodon.social/@bagder/116359048796181736

Could be potentially nice for fediverse server testing, as more implementations make the jump to final RFC 9421 HTTP signatures.

On the flip side, ever more complex curl invocations (here: Accept header plus signature fields plus key file, presumably) suggest use of more specialized CLI tools, such as provided by @fedify, or at least scripts/aliases.

Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?

#ActivityPub #FediDev #RFC9421

@julian @fedify tags.pub now accepts RFC 9421 and does double-knocking (with cached results) for outgoing requests.

@evan Great work! 👍

@julian I started a conversation on public-swicg about doing a new version of the HTTP Signature report.

https://lists.w3.org/Archives/Public/public-swicg/2026Apr/0013.html

RFC 9421 and the HTTP Signature report from Evan Prodromou on 2026-04-10

@evan while perusing the spec, I realized that an implementation doesn't really need double knocking at all.

Any implementation can just stuff two Signature headers in there, one for the cavage v12 version, and one for RFC9421, and requests should still be valid.

Can anyone trust cavage HTTP signature verifiers to not break on this: no, probably not... :(

@julian

@mariusor @julian probably not.

@mariusor @julian you only have to double knock once, though. Or, rather, once in a while.

@evan you mean, if you cache the one that worked? Sadly I don't have that available to me directly in GoActivityPub... Of course one might add support for that, but there isn't a straightforward way to introspect which knock worked for a specific request. Maybe something I need to add to my todo list...

@julian

@mariusor @julian yes, cache the one that worked. With a long but not infinite expiry, so if the host upgrades to a new version of the software that supports RFC 9421, eventually you try again.
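
The cached double-knock discussed in this thread, sketched as an added example (not code from any participant or from tags.pub, Fedify or GoActivityPub). The names `DoubleKnocker`, `SignatureRejected` and the `send` callback are hypothetical; `send(scheme)` is assumed to sign and deliver the request, raising `SignatureRejected` when the remote refuses the signature.

```python
import time
from typing import Callable, Dict, Tuple

RFC9421 = "rfc9421"
CAVAGE = "draft-cavage"


class SignatureRejected(Exception):
    """Hypothetical: raised by send() when the remote refuses the signature."""


class DoubleKnocker:
    """Remembers, per host, which signature scheme last worked, until it expires."""

    def __init__(self, ttl_seconds: float, now: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock, so expiry can be tested
        self.cache: Dict[str, Tuple[str, float]] = {}  # host -> (scheme, expires_at)

    def deliver(self, host: str, send: Callable[[str], None]) -> Tuple[str, int]:
        """Call send(scheme) until one is accepted; return (scheme, attempts)."""
        scheme, expires = self.cache.get(host, (None, 0.0))
        fresh = scheme is not None and self.now() < expires
        # Prefer RFC 9421 unless a still-valid entry says this host needs draft-cavage.
        order = [CAVAGE, RFC9421] if fresh and scheme == CAVAGE else [RFC9421, CAVAGE]
        for attempts, candidate in enumerate(order, start=1):
            try:
                send(candidate)
            except SignatureRejected:
                continue  # only a signature rejection triggers the second knock
            # A cache hit must not extend the expiry, or a host that later
            # upgrades to RFC 9421 would never be probed again.
            if not fresh or candidate != scheme:
                self.cache[host] = (candidate, self.now() + self.ttl)
            return candidate, attempts
        raise SignatureRejected(f"{host} rejected both schemes")


if __name__ == "__main__":
    clock = [0.0]  # constructed fake clock
    knocker = DoubleKnocker(ttl_seconds=7 * 86400, now=lambda: clock[0])

    def legacy_only(scheme):  # constructed peer that accepts only draft-cavage
        if scheme == RFC9421:
            raise SignatureRejected()

    print(knocker.deliver("legacy.example", legacy_only))  # first contact: two knocks
    print(knocker.deliver("legacy.example", legacy_only))  # cached: one knock
```

Exceptions other than `SignatureRejected` (timeouts, DNS failures) propagate unchanged, so a transport problem never flips the cached scheme.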