RE: https://mastodon.social/@bagder/116359048796181736

Could be potentially nice for fediverse server testing, as more implementations make the jump to final RFC 9421 HTTP signatures.

On the flip side, ever more complex curl invocations (here: Accept header plus signature fields plus key file, presumably) suggest use of more specialized CLI tools, such as provided by @fedify, or at least scripts/aliases.

Speaking of RFC 9421, which notable fediverse implementations can't handle it yet? Anyone keeping track?

#ActivityPub #FediDev #RFC9421

Hi @julian @fedify,
#complexity benefits the big players. That's huge harm to diverse #federation. Challenge it, refuse it, stop it.

@mro @julian @fedify everyone who wants to can park on draft-cavage-12 indefinitely. As long as others double-knock, you'll be fine. Then, when everyone else has converted, switch to RFC 9421 with no detection or fallback. That keeps things simple.
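As an added illustration of the detection step evan says an implementation can eventually drop (example code written for this page, not from anyone in this thread or from @fedify): a server-side classifier that tells a draft-cavage `Signature` header apart from an RFC 9421 `Signature-Input`/`Signature` pair and pulls out the key id and covered components a verifier would need before it can even pick a key. The header values are constructed samples; the parsing is deliberately minimal and does no cryptographic verification.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample headers (not taken from the thread); both describe a signed POST to an inbox.
CAVAGE_HEADERS = {
    "Signature": 'keyId="https://example.com/users/alice#main-key",algorithm="rsa-sha256",'
                 'headers="(request-target) host date digest",signature="c2lnbmF0dXJl"',
}
RFC9421_HEADERS = {
    "Signature-Input": 'sig1=("@method" "@target-uri" "content-digest");created=1618884473;'
                       'keyid="https://example.com/users/alice#main-key";alg="rsa-pss-sha512"',
    "Signature": "sig1=:c2lnbmF0dXJl:",
}

@dataclass
class DetectedSignature:
    scheme: str                                  # "rfc9421", "cavage" or "none"
    key_id: Optional[str] = None                 # which key the verifier must fetch
    covered: list = field(default_factory=list)  # components/headers the signature covers
    label: Optional[str] = None                  # RFC 9421 signature label, e.g. "sig1"

def detect_signature(headers: dict) -> DetectedSignature:
    """Classify which HTTP signature flavour an inbound request carries.

    RFC 9421 is identified by a Signature-Input header (a Structured Fields
    dictionary whose member is an inner list of quoted components followed by
    ;parameters); draft-cavage by a bare Signature header made of
    comma-separated key="value" pairs.  Only what is needed to choose a key
    and a verification path is extracted; nothing here checks the signature.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "signature-input" in h:
        m = re.match(r'\s*([a-z][a-z0-9_\-.*]*)=\((.*?)\)(.*)', h["signature-input"])
        if not m:
            return DetectedSignature("none")
        label, inner, params = m.groups()
        covered = re.findall(r'"([^"]*)"', inner)
        keyid = re.search(r';keyid="([^"]*)"', params)
        return DetectedSignature("rfc9421", keyid.group(1) if keyid else None, covered, label)
    if "signature" in h and "keyId=" in h["signature"]:
        pairs = dict(re.findall(r'(\w+)="([^"]*)"', h["signature"]))
        return DetectedSignature("cavage", pairs.get("keyId"), pairs.get("headers", "").split())
    return DetectedSignature("none")
```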

Hi @evan
regarding 'keeps things simple' - have you looked into #RFC9421?
(Looking at you, Innerlist https://doi.org/10.17487/RFC9421)

All this #complexity for what benefit?

@julian @fedify

P.S.: I don't consider #ActivityPub to be simple in the first place, so hard to keep it simple that way.

@mro @julian @fedify

Yes, I just finished implementing it.

I agree, HTTP Message Signatures aren't simple.

Sticking with one spec as long as possible and swapping to the other when you need to is the simplest strategy to manage that transition.

@mro @julian @fedify for server-to-server authentication, I think there are other mechanisms that could be simpler.

My friend @blaine says that if you get to PKI, you've gone too far, and you need to look for other options.

For pump.io, I used two-legged OAuth, which was pretty nice. I kick-started it with a dialback mechanism:

https://datatracker.ietf.org/doc/html/draft-prodromou-dialback-00

I also think mutual TLS would be a good option.

HTTP Authentication: Dialback Access Authentication

This specification defines the Dialback Access Authentication Scheme. It provides a way for HTTP clients to identify an Internet host or account responsible for an HTTP request, and for HTTP servers to verify that identity by sending a token to a declared dialback endpoint. The specification defines a new HTTP authentication scheme, "Dialback". It also defines a new link relation, "dialback", to specify the endpoint for the dialback verification. Finally, it defines the interface for the dialback endpoint.

@mro @evan @julian @fedify

P.P.S. My latest blog post about #ActivityPub fediverse contains a "Back to (potentially radical) simplicity" call-to-reflection (among other subject matters) .. https://social.coop/@smallcircles/116368803389082089

Solution is.. difficult, but simple, yet not easy.

#SX #SocialCoding #ParadoxOfEmergence

@smallcircles @mro @julian @fedify I'm glad you enjoy thinking through these issues. Good luck with your blog post!

@evan @mro @julian @fedify

Blog post is done already 😃 and you and @silverpill are the first ones I made reference to :)

Here's the announcement, and be sure to fill in the #poll if you want.. https://social.coop/@smallcircles/116379158584600016