Ever wonder how your site proves it’s really you talking to the rest of the Fediverse? It’s not magic—it’s HTTP signatures, the digital equivalent of a secret handshake. With our next release, we’re making that handshake a lot more universal (and a little less awkward).
Why HTTP Signatures Matter
When you interact with the Fediverse, you want to know that the messages you send and receive are genuine. HTTP signatures are the technology that makes this possible. Every time your site sends a message, it includes a digital signature—like sealing an envelope with your personal stamp. This signature proves that your content really came from your account and that no one has tampered with it along the way. As a result, you can trust that your interactions across the network are authentic.
A Bit of Background: draft-cavage and RFC 9421
If you’ve heard about HTTP signatures, you might have come across terms like “draft-cavage” and “RFC 9421.” These are just different versions of the rules for how those digital signatures are created and checked.
For a long time, most of the Fediverse has used what’s called the draft-cavage-12 specification. Think of this as a set of instructions that people agreed to try out, but that hadn’t been officially finalized. It worked well enough to let sites talk to each other securely, but because it was just a draft, there were sometimes small differences in how different software used it.
Recently, the community agreed on a final, official version of these rules, called RFC 9421. This is now the standard way to create and verify HTTP signatures. This makes it easier for sites and servers to understand each other and work together, since everyone is following the same process.
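To make the difference between the two sets of rules concrete, the following added example (not the plugin's code) builds the string that each one signs for the same request. The URL, key id, body and timestamps are constructed sample values.

```python
import base64, hashlib
from urllib.parse import urlsplit

def cavage_signing_string(method, url, headers, covered):
    """draft-cavage-12: bare lowercase names; (request-target) is 'method path'."""
    u = urlsplit(url)
    target = u.path + (f"?{u.query}" if u.query else "")
    lines = []
    for name in covered:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {target}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)

def rfc9421_signature_base(method, url, headers, covered, created, key_id):
    """RFC 9421: quoted names, '@' derived components, and the signature
    parameters themselves are signed as the final line."""
    params = "(" + " ".join(f'"{c}"' for c in covered) + ")"
    params += f';created={created};keyid="{key_id}"'
    derived = {"@method": method, "@target-uri": url}
    lines = [f'"{c}": {derived[c] if c in derived else headers[c]}' for c in covered]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines), params

# Constructed sample request (not from the page).
BODY = b'{"type":"Follow"}'
D = base64.b64encode(hashlib.sha256(BODY).digest()).decode()
URL = "https://remote.example/inbox"
KEY_ID = "https://blog.example/author/1#main-key"
HEADERS = {
    "host": "remote.example",
    "date": "Tue, 01 Jul 2025 12:00:00 GMT",
    "digest": f"SHA-256={D}",            # body digest style used with draft-cavage
    "content-digest": f"sha-256=:{D}:",  # RFC 9530 form used with RFC 9421
}

def demo():
    old = cavage_signing_string("POST", URL, HEADERS,
                                ["(request-target)", "host", "date", "digest"])
    new, params = rfc9421_signature_base(
        "POST", URL, HEADERS, ["@method", "@target-uri", "content-digest"],
        created=1751371200, key_id=KEY_ID)
    return old, new, f"sig1={params}"   # last item is the Signature-Input value

if __name__ == "__main__":
    for part in demo():
        print(part, end="\n\n")
```

In the older format the list of covered headers travels inside the `Signature` header and is not itself signed; in RFC 9421 it travels in `Signature-Input` and is covered by the signature through the `@signature-params` line.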
Incoming Support for the New Standard, Out of the Box
With this update, the plugin will support incoming HTTP signatures that use the new standard right away. There’s nothing extra you need to do. This means that when other servers use the new, official approach for signatures, your site will recognize and accept them. By making support for the new standard easy and automatic, the plugin helps move the Fediverse forward, encouraging more sites to adopt this approach and making connections across the network more reliable.
Outgoing Requests and the Double Knock Approach
There’s a new setting for outgoing requests, but for most people, there’s no need to touch it. This option is really for the folks who like to be on the cutting edge and want to start using the new standard for outgoing messages right away. If that sounds like you, here’s how to find it: head to the ActivityPub settings in your dashboard, open “Screen Options” at the top right, and enable “Advanced Settings.” Then, click on the Advanced Settings tab and turn on “Use modern signature format for Fediverse communications.”
But don’t feel any pressure—leaving this setting off is perfectly fine. The plugin already handles incoming messages with the new standard out of the box, and we’ll automatically enable outgoing support for everyone once the wider Fediverse is ready. For now, this is just an option for early adopters.
If you do turn it on, the plugin uses what we call the “double knock” approach. It’ll try the new standard first, and if the other server isn’t ready for it, it’ll automatically fall back to the older method. So, you can experiment without worrying about breaking communication with anyone.
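The double-knock control flow, as an added example that is not the plugin's implementation. The status codes that trigger the fallback, the `sign` helper (header shapes only, placeholder signature bytes) and the constructed peers are assumptions made for illustration.

```python
RFC9421, CAVAGE = "rfc9421", "draft-cavage"
REJECTED = {400, 401}   # assumption: statuses read as "signature not understood"

def double_knock(send, sign, request):
    """Try RFC 9421 first; knock again with draft-cavage only when the peer
    rejected the signature. Returns (status, format_accepted, attempts)."""
    attempts = []
    for fmt in (RFC9421, CAVAGE):
        signed = {**request, "headers": {**request["headers"], **sign(fmt, request)}}
        status = send(signed)
        attempts.append((fmt, status))
        if status not in REJECTED:
            # 2xx: delivered. Anything else (5xx, 404, ...) is not a signature
            # problem, so a second knock would only repeat the delivery.
            return status, (fmt if 200 <= status < 300 else None), attempts
    return status, None, attempts        # both formats were rejected

def sign(fmt, request):
    # Hypothetical signer: real header layouts, placeholder signature bytes.
    if fmt == RFC9421:
        return {"signature-input": 'sig1=("@method" "@target-uri");created=1751371200;keyid="k"',
                "signature": "sig1=:PLACEHOLDER:"}
    return {"signature": 'keyId="k",algorithm="hs2019",'
                         'headers="(request-target) host date",signature="PLACEHOLDER"'}

# Constructed peers standing in for remote inboxes.
def legacy_peer(req):      # parses draft-cavage only, so sig1=:...: looks malformed
    return 202 if 'keyId="' in req["headers"].get("signature", "") else 401

def modern_peer(req):      # understands RFC 9421
    return 202 if "signature-input" in req["headers"] else 401

def overloaded_peer(req):  # failing for reasons unrelated to signatures
    return 503

REQ = {"method": "POST", "url": "https://remote.example/inbox",
       "headers": {"host": "remote.example"}}

if __name__ == "__main__":
    for peer in (modern_peer, legacy_peer, overloaded_peer):
        print(peer.__name__, double_knock(peer, sign, REQ))
```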
Improved Verification for Existing Signatures
The plugin also brings improvements to how it handles signatures that use the older method, especially those using the hs2019 algorithm. Now, when a signed message arrives, the plugin fetches the sender’s public key and uses it to determine the correct way to verify the signature, following the specification more closely. This means more reliable verification and fewer errors, making your experience smoother and more predictable.
Looking Forward
With this update, the plugin helps move the Fediverse toward a shared standard for signing and verifying messages. By supporting both the new standard and the older method, you’re making it easier for everyone to communicate using the same agreed-upon approach. There’s no change in security, but you’re part of making the network more consistent and helping the community take the next step forward.
We hope this explanation helps clarify these technical changes. If you have any questions about HTTP signatures or how our plugin interacts with the Fediverse, please don’t hesitate to reach out in the comments below.