a sketch:
POST /new
_algorithm: HMAC;
_pubkey=…;
_entityID={new};
attribute=value;
attribute=value;
attribute=value;
_signature: ...
insert generates:
* agentID
* entityID (if {new})
* transactionID
* add or nullify (boolean)
records are of the form
{ agentID, entityID, transactionID, attribute, value, [ add | null ] }
where transactionID is some object that can be sorted by time at the desired scope, local, global, or high speed distributed. (e.g. integer, UTC, vector clock )
POST /{entityid}
_algorithm: HMAC;
_pubkey=…;
attribute=value;
attribute=value;
_signature: …
Only accept post if pubkey matches previous agentID.
I guess.
I HAVE NO IDEA WHAT I'M DOING.
so basically, imagine some kind of social networking site, but in order to sign up you must provide your public key.
how many non nerd people have I turned away with that one requirement?
what if i include friendly instructions for how to safely generate and store a keypair. does that help?
what if i generate the keypair FOR you.
fine, that’s insecure, and dodge.
what would i need to put in place to prevent abuse? invite only? human vetted registrations?
@zens I keep wondering why Google added Filesystem, Battery, Sensor etc. API to browser but nothing to do public key cryptography that would work with normies (e.g. keys generated for you by the browser). I have been waiting for this for decades now... that would solve many problems like this.
@brombek in fact, google + mozilla did get something like that into browsers. but it’s not keypairs it’s smart cards/smartkeys - like yubikey
@zens I am not a normie and I don't have one. This is probably to only helping corpos.
@zens I just want a UI that let me add identity (with a nick name) and it generates key pair for me. If one is requested I can select one from list or I can have on by default. Signing and encryption done by browser natively. Keys stored in password store. That is it. I think some Gemini browsers do that (for client certs though).
@brombek browsers have client certs that do all that… on paper. but god the ui is just confusing and terrible.
it’s occasionally come up and i am asked to pick a certificate from a list i didn’t know i had, with names that are garbled uuid looking things, and i don’t know even what’s at stake in picking the wrong one- am i giving a random website secret information? how do i generate a new one just for this site? i don’t know!
@zens Yeah, but this is for TLS (link layer security). Has nothing to do with signing and encryption of data. And I don't see how this is even useful. What you want to be signing is not the connection between your client and the server but data that you provide to the server that travel beyond the scope of that connection (e.g. end to end to some other person).
@brombek not for the thing in my sketch, but yeah, end to end is a thing people want.
@zens Cool! I stand corrected :) Looks like Netflix needed this: https://www.w3.org/TR/WebCryptoAPI/
@brombek the challenge of course is without API support, you can't use javascript to do signing and keep the private key private. THere's things you can kinda do, but it's really card to keep anything available to javascript a secret.
@zens well in Wikipedia it says "... would permit rich Internet applications to conduct cryptographic functions without the need to access raw keying material". Looks like you can make an non-extractable key as well. I guess it's usage is limited but still you can do some interesting things with it.
@brombek yep, like throwing a message over a wall and asking the browser "can you sign this with the key for www.birdspoo.webpoop ? "
@brombek actually, some of these are suported by safari, but similarly named things aren't. I guess this one had a a lot of false starts?
@zens Yeah, looks like you can use https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto in most browsers.
