Update README with iteration postmortem for iteration 1

parent 23fc86ac
......@@ -4,6 +4,24 @@
https://ar.al/2019/01/10/hypha-spike-aspect-setup-1/
## Iteration 1
__Goal:__ Review [what we implemented on the Indienet project](https://source.ind.ie/indienet/spikes/security/publickey-auth-feathers-nuxt-sockets).
## Post-mortem
The [Indienet](http://) concept we were exploring had an always-on node that didn’t have the private keys but was still _privileged_ due to the following aspects of its design:
* It kept an encrypted copy of the private key and provided it when asked (this is how we handled setup of multiple clients). The owner unlocked the private key using a password derived key.
* It web server performed public-key authentication to authenticate the web client
While this works, it privileges the always-on-node and makes it difficult to use as a temporary support to be removed later once the peer-to-peer network has enough resilience and duplication to stand on its own (in the far future).
This design also overly relies on the domain name as both the identifier and the address of the owner. This is an unacceptable centralisation.
Instead, in Iteration 2, I will explore using session25519 to generate the DAT keypair directly from a strong passphrase and using the domain name as the salt.
## Usage
1. Create keys using [mkcert](https://github.com/FiloSottile/mkcert):
......
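Review bot: The last Post-mortem sentence plans to use the domain name as the salt for session25519, directly after the previous sentence calls reliance on the domain name an unacceptable centralisation. Say why the domain is acceptable as a salt. It would also help to note that a public, predictable salt leaves the keypair only as strong as the passphrase, and that changing the domain yields a different keypair. Smaller points in the same hunk: `[Indienet](http://)` has an empty link target, "It web server performed" should read "Its web server performed", and "password derived key" should be hyphenated as "password-derived key".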