a sketch:
POST /new
_algorithm: HMAC;
_pubkey=…;
_entityID={new};
attribute=value;
attribute=value;
attribute=value;
_signature: ...
insert generates:
* agentID
* entityID (if {new})
* transactionID
* add or nullify (boolean)
records are of the form
{ agentID, entityID, transactionID, attribute, value, [ add | null ] }
where transactionID is some object that can be sorted by time at the desired scope, local, global, or high speed distributed. (e.g. integer, UTC, vector clock )
POST /{entityid}
_algorithm: HMAC;
_pubkey=…;
attribute=value;
attribute=value;
_signature: …
Only accept post if pubkey matches previous agentID.
I guess.
I HAVE NO IDEA WHAT I'M DOING.
so basically, imagine some kind of social networking site, but in order to sign up you must provide your public key.
how many non nerd people have I turned away with that one requirement?
what if i include friendly instructions for how to safely generate and store a keypair. does that help?
what if i generate the keypair FOR you.
fine, that’s insecure, and dodge.
what would i need to put in place to prevent abuse? invite only? human vetted registrations?
@zens I keep wondering why Google added Filesystem, Battery, Sensor etc. API to browser but nothing to do public key cryptography that would work with normies (e.g. keys generated for you by the browser). I have been waiting for this for decades now... that would solve many problems like this.
@brombek in fact, google + mozilla did get something like that into browsers. but it’s not keypairs it’s smart cards/smartkeys - like yubikey
@zens I am not a normie and I don't have one. This is probably to only helping corpos.
@brombek there is alao this thing https://mattrubin.me/authenticator/
which is… not terribly complicated but i haven’t seen any user tests on it. it’s one of a whole class of apps that basically do the job of the smart card/ yubikey thing
