
Are there standards for public keys?

Open benpate opened this issue 2 years ago • 4 comments

The answer may just be "yes" which would make this a short-lived issue, but here's the dilemma:

The very first hurdle in federating with any other app is negotiating and validating keys. But, it seems like different apps support varying encoding/encryption algorithms.

Is it possible, and is there any value in trying to document this along with the ActivityPub actions that an app supports?

benpate avatar Apr 12 '23 22:04 benpate

Are you talking about HTTP Signatures, or some other level of keys and validation?

gabek avatar Apr 12 '23 22:04 gabek

Yes. Sorry for being vague. The specific algorithms used in HTTP signatures seem to vary between apps, and are not very clearly documented - so I don't know what is the right one to implement in a new project.

benpate avatar Apr 12 '23 23:04 benpate

No, there is no standard for how to do it. At least for how the keyId relates to the actor object. Something like fetch_public_key in https://bovine.readthedocs.io/en/latest/tutorial_server.html#verifying-signatures-and-accepting-a-follow-request seems to be a valid solution, and the one preferred by some projects (steams). Other people have different opinions (e.g. me).

Unfortunately, bovine does not contain any good test cases for http signatures. Reason again, no standards and too complicated to test with the need to fetch public_keys. One stops caring once it starts working in most cases. If one wants something that is testable, it's easier to invent a new standard.

HelgeKrueger avatar Apr 13 '23 07:04 HelgeKrueger
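An added example, not part of the thread and not bovine's code: the steps a receiving server can run before it fetches the key named by keyId. It assumes the draft-cavage `Signature` header layout; the algorithm allowlist, the required covered headers and all function names are assumptions of this example.

```python
import base64
import hashlib
import re

# Assumed local policy for this example, not taken from any standard.
ALLOWED_ALGORITHMS = {"rsa-sha256", "hs2019"}
REQUIRED_COVERED = {"(request-target)", "host", "date", "digest"}

def parse_signature_header(value):
    """Split a draft-cavage Signature header into its key="value" parameters."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', value))
    if "keyId" not in params or "signature" not in params:
        raise ValueError("Signature header lacks keyId or signature")
    algorithm = params.get("algorithm", "hs2019").lower()
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"algorithm {algorithm!r} is not on the allowlist")
    covered = params.get("headers", "date").lower().split()  # draft default is "date"
    signature = base64.b64decode(params["signature"], validate=True)
    return params["keyId"], algorithm, covered, signature

def prepare_verification(method, path, headers, body):
    """Return (key_id, algorithm, signing_string, signature); key fetch and the
    cryptographic check itself are left to the caller. Raises ValueError."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    key_id, algorithm, covered, signature = parse_signature_header(lowered.get("signature", ""))
    missing = REQUIRED_COVERED - set(covered)
    if missing:
        raise ValueError(f"signature does not cover {sorted(missing)}")
    # Assumes the sender spells the digest prefix "SHA-256=".
    expected = "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()
    if lowered.get("digest") != expected:
        raise ValueError("Digest header does not match the body")
    lines = []
    for name in covered:  # order must follow the headers parameter exactly
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif name in lowered:
            lines.append(f"{name}: {lowered[name]}")
        else:
            raise ValueError(f"covered header {name!r} is absent from the request")
    return key_id, algorithm, "\n".join(lines).encode(), signature

def constructed_sample():
    """Constructed request for illustration; the signature bytes are a placeholder."""
    body = b'{"type": "Follow"}'
    digest = "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()
    sig = base64.b64encode(b"placeholder").decode()
    headers = {"Host": "inbox.example", "Date": "Thu, 13 Apr 2023 07:04:00 GMT", "Digest": digest,
               "Signature": 'keyId="https://actor.example/users/alice#main-key",algorithm="rsa-sha256",'
                            f'headers="(request-target) host date digest",signature="{sig}"'}
    return "POST", "/inbox", headers, body
```

The returned signing string and signature bytes are what the public key found via keyId is then checked against.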

I've now added test cases for http signatures to bovine: https://codeberg.org/helge/bovine/src/branch/dev/bovine/bovine/crypto/test_crypto.py

I hope these help if someone wants to implement http signatures themselves.

HelgeKrueger avatar Apr 13 '23 15:04 HelgeKrueger