@mro @julian @fedify everyone who wants to can park on draft-cavage-12 indefinitely. As long as others double-knock, you'll be fine. Then, when everyone else has converted, switch to RFC 9421 with no detection or fallback. That keep things simple.

@mariusor @julian probably not.

@evan @atomicpoet 💯

@evan while perusing the spec, I realized that an implementation doesn't really need double knocking at all.

Any implementation can just stuff two Signature headers in there, one for the cavage v12 version, and one for RFC9421, and requests should still be valid.

Can anyone trust cavage HTTP signature verifiers to not break on this: no, probably not... :(

@julian

@atomicpoet 💪🏼

Make it more sensual

#ObliqueStrategies

@julian I started a conversation on public-swicg about doing a new version of the HTTP Signature report.

https://lists.w3.org/Archives/Public/public-swicg/2026Apr/0013.html

Time for a gym selfie.

Been 6 months since I shared one. I’m self-conscious about sharing one but here it is.

But this is three years of weight-lifting. Not bodybuilding. I train for function, not form.

And I’m a dude who can now do full-stacks on all the machines. 200lbs with bench press. 320lbs with deadlift.

@evan Great work! 👍

@julian @fedify tags.pub now accepts RFC 9421 and does double-knocking (with cached results) for outgoing requests.