Hi there 👋
I'm the GitLab contributor currently working on implementing ActivityPub to expose a few actors to Mastodon and other Fediverse apps. I'm currently gathering information to implement the part about HTTP signature.
I've seen the documentation you published about that part (thanks for that!) and I've read the RFC, but I also see that it flags all encryption algorithms but HS2019 as deprecated. And from there, everything starts to go wrong. 😅
It's the first time I've heard about HS2019 and it seems like there is not much information about it around. Looking at Mastodon's codebase, I see it still uses RSA, but there are also some references to HS2019. Then I found out that there are new versions of the RFC (draft-richanna-http-message-signatures and draft-ietf-httpbis-message-signatures), but apparently, they are problematic and people might not implement them?
I just wanted to check with you if the older implementation is something you're phasing out and we should start directly with the newer one, or if you consider the old implementation to be the production ready one, and the new one is unstable and may be replaced by something else.
Also, I guess we must be able to verify signatures with all (or most) algorithms used out there, but which one would you recommend we use for generating our own keypairs, given we're starting a brand new implementation and can use whatever we want? HS2019 or RSA? Or ED25519 (that would be my obvious choice, but it doesn't seem to be discussed much around this feature)?
Thanks for your time!
EDIT: after more unsuccessful chasing for the specs of the mysterious HS2019 algorithm, I discovered it apparently does not exist and is just a placeholder.
OK, so I guess the question in this topic is now: are you migrating to draft-ietf-httpbis-message-signatures or should we start a new implementation with draft-cavage-http-signatures as well?
I'm leaving the title and body of this question page unchanged, as it may be more searchable for people going through the same path as me.
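An added example, not part of the original post and not Mastodon's or GitLab's code: in draft-cavage-http-signatures, `hs2019` means the algorithm is derived from metadata associated with the `keyId`, so a verifier picks the algorithm from what it already knows about the key and treats the header's `algorithm` value only as a consistency check. The key store layout, the function names and the sample request are assumptions made for this sketch, which covers RSA PKCS#1 v1.5 keys only.

```ruby
require 'openssl'

# Digest used for each concrete algorithm this verifier accepts (assumed set).
DIGESTS = { 'rsa-sha256' => 'SHA256', 'rsa-sha512' => 'SHA512' }.freeze

# Split `keyId="..",algorithm="..",headers="..",signature=".."` into a hash.
def parse_signature_header(value)
  value.scan(/(\w+)="([^"]*)"/).to_h
end

# Signing string per draft-cavage: one "name: value" line per listed header.
def signing_string(method, path, headers, names)
  names.map do |name|
    next "(request-target): #{method.downcase} #{path}" if name == '(request-target)'
    "#{name}: #{headers.fetch(name)}"
  end.join("\n")
end

# Sender side: sign with the key's real algorithm, advertise `advertised`.
def sign_request(method, path, headers, key_id, private_key, key_alg, advertised)
  names = ['(request-target)'] + headers.keys
  sig = private_key.sign(OpenSSL::Digest.new(DIGESTS.fetch(key_alg)),
                         signing_string(method, path, headers, names))
  %(keyId="#{key_id}",algorithm="#{advertised}",headers="#{names.join(' ')}",) +
    %(signature="#{[sig].pack('m0')}")
end

# Receiver side: `key_store` maps keyId => { key:, alg: } (hypothetical layout).
def verify_request(method, path, headers, signature_header, key_store)
  params = parse_signature_header(signature_header)
  entry = key_store[params['keyId']] or return false
  declared = params['algorithm']
  # hs2019 (or no algorithm) names nothing concrete; any other value must
  # match what we already know about the key, never override it.
  return false unless declared.nil? || declared == 'hs2019' || declared == entry[:alg]
  names = (params['headers'] || 'date').split(' ')
  data = signing_string(method, path, headers, names)
  entry[:key].verify(OpenSSL::Digest.new(DIGESTS.fetch(entry[:alg])),
                     params['signature'].to_s.unpack1('m'), data)
rescue KeyError, OpenSSL::PKey::PKeyError
  false
end

# Constructed sample key and request (not real Fediverse data).
KEY = OpenSSL::PKey::RSA.new(2048)
KEY_ID = 'https://gitlab.example/users/alice#main-key'
STORE = { KEY_ID => { key: KEY.public_key, alg: 'rsa-sha256' } }.freeze
HEADERS = { 'host' => 'mastodon.example', 'date' => 'Tue, 07 Jun 2022 20:51:35 GMT' }.freeze
```

A request signed with the same key verifies whether it advertises `hs2019` or `rsa-sha256`, and is rejected when the header names an algorithm that disagrees with the stored key metadata.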