@gabboman @fedify @julian

https://github.com/evanp/activitypub-bot

@mro @julian @fedify for server-to-server authentication, I think there are other mechanisms that could be simpler.

My friend @blaine says that if you get to PKI, you've gone too far, and you need to look for other options.

For pump.io, I used two-legged OAuth, which was pretty nice. I kick-started it with a dialback mechanism:

https://datatracker.ietf.org/doc/html/draft-prodromou-dialback-00

I also think mutual TLS would be a good option.

#France plans to switch #government #computers from #Microsoft #Windows to the #open-source #Linux operating system to lessen its dependence on #U.S. #technology and regain control of its digital infrastructure. This move, starting with the digital agency #DINUM, aligns with Europe's broader efforts towards digital sovereignty.

https://techcrunch.com/2026/04/10/france-to-ditch-windows-for-linux-to-reduce-reliance-on-us-tech/

@mro @julian @fedify

Yes, I just finished implementing it.

I agree, HTTP Message Signatures aren't simple.

Sticking with one spec as long as possible and swapping to the other when you need to is the simplest strategy to manage that transition.

Hi @evan
regarding 'keeps things simple' - have you looked into #RFC9421?
(Looking at you, Innerlist https://doi.org/10.17487/RFC9421)

All this #complexity for what benefit?

@julian @fedify

P.S.: I don't consider #ActivityPub to be simple in the first place, so hard to keep it simple that way.

@mariusor @julian you only have to double knock once, though. Or, rather, once in a while.

@mro @julian @fedify of course, the Postel principle is pro-network and pro-social; it keeps people and servers connected. Which is what we're here to do.

@mro @julian @fedify everyone who wants to can park on draft-cavage-12 indefinitely. As long as others double-knock, you'll be fine. Then, when everyone else has converted, switch to RFC 9421 with no detection or fallback. That keep things simple.

@mariusor @julian probably not.

@evan @atomicpoet 💯