snarfed
commented
8 months ago Partial first draft at text below. Please revise!
@nightpool, @trwnh, do either of you know Nomad's or Diaspora's federation authentication methods well enough to take a pass at them here? I know Nomad is keypair based, but I don't know it deeply, and I don't know Diaspora's at all.
Other decentralized social protocols have similar trust models and authentication techniques. Almost are all some combination of SSL and per-user asymettric keypairs.
- IndieWeb uses primarily SSL for authentication. Data is always fetched via HTTP GETs, and each user is generally expected to have their own [sub]domain. It also uses IndieAuth, a domain-based OAuth profile of OAuth, to authenticate users with their own servers, but not for requests between servers themselves.
- AT Protocol uses DIDs as user identities, specifically did:plc and did:web. Each user has two asymmetric keypairs, a signing key and a recovery key. User data records are signed with one of these keys, usually the signing key, and other services in the network verify those signatures.
- Nostr users publish an asymmetric keypair inside their NIP-01 user profile event to one or more relays. They sign all other events they publish with their private key.
It'd be nice to briefly survey how other related decentralized social protocols do authn. I'm thinking Nomad (née Zot), Diaspora, ATProto, Nostr, Indieweb. Less is more here, but ideally at least something would be nice.