Jenniferplusplus on Nostr: So I just had an idea. I don't love http message signatures. The only thing they're ...
So I just had an idea. I don't love http message signatures. The only thing they're really good at is protecting the integrity of a message. But we also use them for authn and authz. What if they didn't have to carry that extra burden?
What if we used routine jwt bearer tokens to carry identity/enable authn and authz, and just let http sigs provide message integrity?
#ActivityPub I guess (don't make me regret that)
1/
Published at 2024-03-22 15:30:41

Event JSON
{
  "id": "6b5288e5068d331c0c531fd7dc674fbe8bb5df0986c55d87cc72a358be4b25e8",
  "pubkey": "6870975ccd75b73051e5a566c203a3e4b1dac3a695778b1aa700094532b51a97",
  "created_at": 1711121441,
  "kind": 1,
  "tags": [
    [
      "t",
      "activitypub"
    ],
    [
      "proxy",
      "https://hachyderm.io/users/jenniferplusplus/statuses/112140054796169329",
      "activitypub"
    ]
  ],
  "content": "So I just had an idea. I don't love http message signatures. The only thing they're really good at is protecting the integrity of a message. But we also use them for authn and authz. What if they didn't have to carry that extra burden?\n\nWhat if we used routine jwt bearer tokens to carry identity/enable authn and authz, and just let http sigs provide message integrity?\n\n#ActivityPub I guess (don't make me regret that)\n1/",
  "sig": "3df1dd79835f0be25cd00deb9f6555853356e9d570178df0fefb6f42d9a161b31e54fa1cc3f55e213ac38162985bff41e2860580bb4457729521ea3d6a15c4a1"
}