You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Server should be able to crypto-sign published docs for an api user.
Server has login/user/api authn management system
Server can sign docs
Maintain public/private keys for users
Publish public keys for users
In order to sign docs on behalf of users, we need to be able to validate the user's identity. Propose that we use third party OAuth/OIDC authn Identity Providers (IP) such as Google, Microsoft, Facebook, Twitter, Amazon. Server relies on these identities to validate a user's identity claim. Whatever data is provided by the IP should be included in an "Original Publisher" field in the metadata registry's "custom metadata" area in the resource data - such as: name, email, organization, which IP, IP user ID - if any.
Once the IP has authenticated the user to the server:
If the user is new/first-time publisher: generate a new public/private keypair for the user
Publish the public keypair at a permaurl on the server - possibly as an entry in the registry metadata community itself (a special kind of envelope).
Using an envelope would ensure that the public key is also backed up to Archive.org
Save the public/private keypair to somewhere secure, and affiliate it with this user
[Optional] Provide some mechanism for the authenticated user to download their public/private keypair at any point (so they can publish on their own behalf in the future).
If the user is not new (or after completing above for new user): access their existing public/private keypair for the user
Merge the user-submitted metadata with the special/custom metadata generated to publish-on-behalf-of to create a final resource_data payload, including:
User identity data
Public key URL location
Server identity info (ID of server that published this info - full URL etc)
Use that public/private keypair to crypto-sign the merged resource_data
Publish this signed envelope to metadata community
The text was updated successfully, but these errors were encountered:
Server should be able to crypto-sign published docs for an api user.
In order to sign docs on behalf of users, we need to be able to validate the user's identity. Propose that we use third party OAuth/OIDC authn Identity Providers (IP) such as Google, Microsoft, Facebook, Twitter, Amazon. Server relies on these identities to validate a user's identity claim. Whatever data is provided by the IP should be included in an "Original Publisher" field in the metadata registry's "custom metadata" area in the resource data - such as: name, email, organization, which IP, IP user ID - if any.
Once the IP has authenticated the user to the server:
The text was updated successfully, but these errors were encountered: