State of HTTP Signatures?

The “Guide for new ActivityPub implementers” (here) links to draft 8 of HTTP Signatures, but it seems there are newer versions now that might not be exactly compatible? How are AP implementations treating this situation?

2 Likes

The only major difference I am aware of is how the algorithm field was handled, and that change doesn’t realistically create incompatibilities. Just eliminates a security vulnerability. I know Mastodon is up to date with that change. I know contributors have been keeping github.com/go-fed/httpsig update with the latest drafts.

The main thing I noticed was the introduction of (created) and (expires), and I had to disable sending those for certain other servers to accept my signatures

I also notice that the algorithm change indicates that it should be ‘Derived from metadata associated with “keyId”’. Do we have such metadata?

From what I’ve seen it looks like most implementations have hardcoded SHA256…

https://arewehs2019yet.vpzom.click/

Mastodon for sure hardcodes SHA256.

The go-fed implementation I think is slightly more flexible and is hs2019/expires compliant. It’s just not widely used. :wink:

I’m not sure there’s currently a standard to convey what kind of key metadata is associated with a key id. I think most Mastodon profiles, for example, just list id, owner, and publicKeyPem properties from the security vocabulary. There’s lots more that could be adopted.