-

2025-06-20 15:37:46

mro@digitalcourage.social

Hi @jupiter_rowland @mikedev @evan @j12t,
does anybody know of a HTTP signature (cavage, #RFC9421) compliance echo bot? You send a DM there and get back a report.

Do you think to have one would be beneficial?

2025-06-20 23:02:28

Mike Macgirvin ?️

mikedev@fediversity.site

I think we're going to have a lot of compliance issues because many/most RFC9421 implementations I've seen cheat a bit and don't provide any of the structured-fields stuff. Only headers and a few of the '@' elements. You're allowed to do this and only process structured fields where you know the type, except your signatures which use those headers won't work if the receiving site actually knows what type it is.

As far as draft-cavage, I think across the fediverse the only compliant implementations are lemmy, lotide, streams, and forte; and we had to put it behind a feature toggle because if you enable full hs2019 support from the latest draft-cavage, you won't federate with Mastodon any more.

So yes it would be beneficial.

But not sure an echo bot is the way to go. You can't really check full compliance unless you provide a single signed message with hundreds of covered field definitions, some of which might conflict. Might make more sense to have an endpoint you can hit hit with anything you specifically want to test and get back pass or fail.

What would be even more useful to me than an echo bot, is just a well-vetted reference test suite. Far as I know, we'll only fail "cookie";sf and "set-cookie";sf and a few signing algorithms; but there are some very subtle requirements buried in the RFC text; and I haven't yet extracted all of them into test cases.

2025-06-21 12:29:20

Jupiter Rowland

jupiter_rowland@hub.netzgemeinde.eu

@Mike Macgirvin ?️ @Marcus Rohrmoser 🌻 It'd certainly be a lot more beneficial if it was possible to pressure Mastodon into standards compliance.

But as things are right now, Mastodon and its religiously faithful followers can and do declare Mastodon and the way things are done on and by Mastodon the one and only valid standard. They even declare anything that works differently from Mastodon broken. And they can easily get away with it.

In fact, if certain Fediverse server applications preferred compliance with actual standards to compatibility with Mastodon, it's them who'd be on the losing side whereas Mastodon, where probably over 99% of all content are from within Mastodon itself, won't lose anything. Not unless all those that are perceived as add-ons to Mastodon (Pixelfed, PeerTube, Ghost, Flipboard etc.) follow suit.

But seriously, even if Flipboard changed its ways and went for actual standards compliance even if that meant breaking compatibility with Mastodon, then Mastodon wouldn't be convinced that following standards rather than forcing its own "standards" upon everyone is the better way to go. Rather, Flipboard and Mastodon would accuse each other of being broken by design.

#Long #LongPost #CWLong #CWLongPost #FediMeta #FediverseMeta #CWFediMeta #CWFediverseMeta #Fediverse #Mastodon #Standards