Important to mention here is that this is in no way an attempt to undermine the work of FEP-8b32. It is a great attempt to move towards more W3C standardised works instead of continuing to grip onto a Draft RFC.
Instead we see this as a complementary work.
HTTP signatures, love or loathe them, are here to stay for a while. They are the only way you can communicate with 99% of the Fediverse.
The current status-quo of HTTP signatures is to point to Mastodon and essentially say “do what they do if you wanna be compatible”.
Maybe the new implementers get a link to the correct draft RFC and off they go.
Issues arise at this very stage already. One of the largest issue is overlooking very important possible security issues.
To name one, there is the case of the HTTP digest header. It is essential to either verify or recompute the Digest header and forcing the Digest header to be included in the HTTP signature when receiving a POST request to ensure authenticity of the body.
This is unfortunately overlooked too often. And I don’t fault any implementor. They implement the RFC and are happy when Mastodon finally accepts the signature after a lot of back and forth.
After they are done, they just commit their work and don’t ever want to look at the code ever again.
Another issue is the origin checks: Do the origin servers match? Do the actor IDs match? Does the actor ID match the signature key ID?
Those are things that are easily overlooked and missing readily available test vectors definitely don’t help the issue.
One solution we can try to work towards is the standardisation of the HTTP signatures.
Similar to FEP-7888, which aims to demystify the context property, our FEP would demystify the HTTP signatures and the required checks for ensuring authenticity and the origin of activities.
The standard would not only give a condensed version of the draft RFC for HTTP signatures, it would also provide ActivityPub-specific guidance on how to implement checks that proof your implementations against most known HTTP signature exploits and provide test vectors.
This post is mostly for seeking feedback, whether this is something the wider community thinks is worth investigating and following.
If we receive positive feedback, me and @perillamint would go ahead and attempt to draft an FEP.