Server should be able to sign documents on behalf of user

[science]

Server should be able to crypto-sign published docs for an api user.

• Server has login/user/api authn management system
• Server can sign docs
• Maintain public/private keys for users
• Publish public keys for users

In order to sign docs on behalf of users, we need to be able to validate the user's identity. Propose that we use third party OAuth/OIDC authn Identity Providers (IP) such as Google, Microsoft, Facebook, Twitter, Amazon. Server relies on these identities to validate a user's identity claim. Whatever data is provided by the IP should be included in an "Original Publisher" field in the metadata registry's "custom metadata" area in the resource data - such as: name, email, organization, which IP, IP user ID - if any.

Once the IP has authenticated the user to the server:

• If the user is new/first-time publisher: generate a new public/private keypair for the user
  • Publish the public keypair at a permaurl on the server - possibly as an entry in the registry metadata community itself (a special kind of envelope).
    • Using an envelope would ensure that the public key is also backed up to Archive.org
  • Save the public/private keypair to somewhere secure, and affiliate it with this user
  • [Optional] Provide some mechanism for the authenticated user to download their public/private keypair at any point (so they can publish on their own behalf in the future).
• If the user is not new (or after completing above for new user): access their existing public/private keypair for the user
  • Merge the user-submitted metadata with the special/custom metadata generated to publish-on-behalf-of to create a final resource_data payload, including:
    • User identity data
    • Public key URL location
    • Server identity info (ID of server that published this info - full URL etc)
  • Use that public/private keypair to crypto-sign the merged resource_data
  • Publish this signed envelope to metadata community