#signedhttp — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #signedhttp, aggregated by home.social.

  1. Trying to make sense of this #SignedHTTP thing that #ActivityPub uses.

    Looks like you sign some HTTP headers (minimally Date, but that by itself is pretty weak), which, if you care about the content, means you also sign the Digest header, which is a hash of the content payload.

    The keyId in the Signature header appears to be a URL referencing the ActivityPub Actor, so the accepting server then apparently grabs that (JSON) to find the public key inside and verify.

    #HowDoesItWork
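
The receiving side of the flow described in the post above, as an added example that is not part of the original post or any project's code: it parses the Signature header, requires that Date and Digest are covered, recomputes the Digest over the body, and rebuilds the string the signature was computed over. It assumes the draft-cavage style `Signature` header with a `SHA-256=` Digest; the hosts, actor URL and signature bytes are constructed, and the final public-key verification against the key fetched from the `keyId` URL is left to a crypto library.

```python
import base64, hashlib, hmac, re

# Constructed sample request (not captured traffic); signature bytes are a placeholder.
BODY = b'{"type":"Follow"}'
HEADERS = {
    "Host": "inbox.example",
    "Date": "Tue, 07 Jun 2022 20:51:35 GMT",
    "Digest": "SHA-256=" + base64.b64encode(hashlib.sha256(BODY).digest()).decode(),
    "Signature": 'keyId="https://social.example/users/alice#main-key",'
                 'algorithm="rsa-sha256",'
                 'headers="(request-target) host date digest",'
                 'signature="' + base64.b64encode(b"placeholder").decode() + '"',
}

def parse_signature_header(value):
    """Split the Signature header into its key="value" parameters."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

def digest_matches(headers, body):
    """Recompute SHA-256 over the body and compare with the Digest header."""
    algo, _, sent = headers.get("Digest", "").partition("=")
    if algo.upper() != "SHA-256":
        return False
    want = base64.b64encode(hashlib.sha256(body).digest()).decode()
    return hmac.compare_digest(sent, want)

def signing_string(method, path, headers, signed_names):
    """Rebuild the exact text the sender signed, in the order it listed."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in signed_names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {lower[name]}")  # KeyError if header is absent
    return "\n".join(lines)

def precheck(method, path, headers, body):
    """Return (keyId, signing string, signature bytes) or raise ValueError."""
    params = parse_signature_header(headers["Signature"])
    signed = params.get("headers", "").split()
    if "date" not in signed or "digest" not in signed:
        raise ValueError("signature does not cover both date and digest")
    if not digest_matches(headers, body):
        raise ValueError("Digest header does not match the body")
    sig = base64.b64decode(params["signature"])
    return params["keyId"], signing_string(method, path, headers, signed), sig
```

A signature that lists only `date` is rejected here because it would say nothing about the body, which is the weakness the post points out.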