ssbc / ssb-keys

keyfile operations for ssb

remove hmacs #15

Closed dominictarr closed 5 years ago

dominictarr commented 9 years ago

We should remove hmac - a hmac is just a shared secret. If we just share an ephemeral private key, that will be functionally the same - knowing the secret gives you authority to use an API, but we won't have to have two auth protocols...

A compressed private key is also 32 bytes (i.e. the seed from which the private key is generated), so capabilities won't be any larger either.

pfrazee commented 9 years ago

You're saying, use tokens (and a token registry) instead of hmacs, and let the token also be a private key so that the token can sign?

So we need...

You're asserting we don't need hmac in any of those, yeah?
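
The scheme discussed in the two comments above, as an added example (not ssb-keys code and not written by either commenter): a 32-byte seed acts as the capability, the registry keeps only the derived public key, and requests are signed instead of HMAC'd. `keysFromSeed`, `createRegistry`, `signRequest`, the `method\nnonce` message layout and the nonce replay check are assumptions made for illustration.

```javascript
// Added example; not ssb-keys code. All function names and the message layout are hypothetical.
const crypto = require('crypto');

// Fixed DER header that wraps a raw 32-byte ed25519 seed as PKCS#8 (RFC 8410).
const PKCS8_ED25519_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');

// Turn a 32-byte seed (the capability) into a signing key and its public key.
function keysFromSeed(seed) {
  if (!Buffer.isBuffer(seed) || seed.length !== 32) throw new Error('seed must be 32 bytes');
  const privateKey = crypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519_PREFIX, seed]), format: 'der', type: 'pkcs8',
  });
  const publicKey = crypto.createPublicKey(privateKey);
  // The raw 32-byte public key is the tail of the SPKI encoding; use it as the token id.
  const id = publicKey.export({ format: 'der', type: 'spki' }).subarray(-32).toString('base64');
  return { privateKey, publicKey, id };
}

// Server side: registry of granted capabilities, keyed by public key. No secret is stored.
function createRegistry() {
  const granted = new Map();
  const seen = new Set(); // (id, nonce) pairs already accepted, to reject replays
  return {
    grant(seed, permissions) {
      const { publicKey, id } = keysFromSeed(seed);
      granted.set(id, { publicKey, permissions });
      return id;
    },
    // Accept a request only if a registered key that may call `method` signed it.
    authorize({ id, method, nonce, signature }) {
      const entry = granted.get(id);
      if (!entry || !entry.permissions.includes(method)) return false;
      const ok = crypto.verify(null, Buffer.from(`${method}\n${nonce}`), entry.publicKey, signature);
      if (!ok || seen.has(`${id}:${nonce}`)) return false;
      seen.add(`${id}:${nonce}`);
      return true;
    },
  };
}

// Client side: whoever holds the seed can sign a request for a method.
function signRequest(seed, method, nonce) {
  const { privateKey, id } = keysFromSeed(seed);
  const signature = crypto.sign(null, Buffer.from(`${method}\n${nonce}`), privateKey);
  return { id, method, nonce, signature };
}
```
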

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.