@mickenordin
Member

  • Add rfc-http-sig capability to advertise RFC 9421 support
  • Add publicKeys array with algorithm field for HTTP Message Signatures
  • Deprecate publicKey field in favor of publicKeys
  • Reference IANA HTTP Signature Algorithms Registry
  • Maintain backward compatibility with draft-cavage signatures used by Nextcloud

Member

@glpatcern glpatcern left a comment

Some minor changes to fit in the width and to just refer to http-sig as capability.

Comment on lines +449 to +452
DEPRECATED: Use publicKeys array instead for RFC 9421 support.
Legacy field for draft-cavage HTTP Signatures (RSA only).
Maintained for backward compatibility with existing deployments.
The signatory is optional but it MUST contain `keyId` and `publicKeyPem`.
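
Review bot: The last line, "The signatory is optional but it MUST contain `keyId` and `publicKeyPem`", reads as contradictory; "If present, it MUST contain `keyId` and `publicKeyPem`" would be unambiguous. The deprecation text also does not say which field a receiver should prefer when both `publicKey` and `publicKeys` are present, which is worth stating so that implementations resolve it the same way.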
Member

As commented in person, I'm tempted to say we entirely drop this as opposed to deprecating it, even though we know there is one implementation. I'd like to see what other people think about this.

Member

I also agree that we should drop it. It is true that Nextcloud is still using this, but in case of an update, they can still backport it.

Member Author

Since we change the key and allow arbitrary fields, it will not impact Nextcloud if we remove it, but we have a lot of other deprecated things in there already, and it is good practice to deprecate before removing, I think. But not a strong opinion; I am fine with just removing it if that is what people want.

@glpatcern glpatcern self-requested a review December 10, 2025 15:00
Member

@glpatcern glpatcern left a comment

So it seems there's no strong opinion either way. Maybe let's bring the topic of deprecation to the mailing list? Otherwise this looks good to me.

* Add http-sig capability to advertise RFC 9421 support
* Add publicKeys array with algorithm field for HTTP Message Signatures
* Deprecate publicKey field in favor of publicKeys
* Reference IANA HTTP Signature Algorithms Registry

Co-authored-by: Giuseppe Lo Presti <[email protected]>
@mickenordin mickenordin merged commit d29618a into develop Dec 10, 2025
4 checks passed