dat.json icon indicating copy to clipboard operation
dat.json copied to clipboard
verified publisher icon dat-ecosystem-archive

half-baked: signing of dat keys (eg, with GPG)

Open bnewbold opened this issue 8 years ago • 3 comments

I don't have specific details to propose yet, but it might be interesting to have a standard dat.json way to sign a dat archive (public key) using, eg, GPG.

The use-case i'm imagining with this is that a person (or organization, or bot) might want to "push" or "send" data to a remote service. The remote service doesn't want to accept just any ol' dat archive from anybody, but it could accept connections, receive just the metadata and content hypercore contents to grab dat.json, and check if the archive was signed by a known/trusted user. If it was, it would accept the whole thing; if not it would drop the connection without writing anything to disk (or receiving much data). A specific use-case for this would be somehow "pushing" to hashbase.io in a similar manner to pushing git repositories to gitolite (note that AFAIK, github and gitlab don't support this usecase). Note that the dat protocol doesn't current have any such "push" functionality.

An alternative way to do this would be to have a known dat archive with a list of archive keys in it; a user would append to that list when it wanted the remote service to update.

bnewbold avatar Jan 18 '18 02:01 bnewbold

An alternative way to do this would be to have a known dat archive with a list of archive keys in it; a user would append to that list when it wanted the remote service to update.

That's something we've been considering for Hashbase.

pfrazee avatar Jan 18 '18 16:01 pfrazee

Sounds cool!

The protocol doesn't quite have a push, but we can implement it by connecting to the target and sending data until it stops asking for more. I've worked to prototype this on and off, it kinda works right now.

(we also were thinking of using a known dat archive with keys to talk to remote services, this will be especially nice using hyperdb because you could add them from multiple locations.)

joehand avatar Jan 18 '18 16:01 joehand

This has to do with DAT signing but it doesn't have to do with DAT uploading. In my case I want to make sure that a certain DAT was created by a certain real person. To verify if a person actually is a person: A given user-interface could use a service such as keybase to show further verified data of a person: a persons identity.

It would be awesome to be able to sign all chunks, but it also means additional effort on upload and download progress and changes.

It should be simple - and straight forward - to just sign the dat's public key?

{
  ...
  verifyKey: 'USER_PUBLIC_KEY',
  verifySign: <Signature(DAT_PUBLIC_KEY, USER_PRIVATE_KEY)>,
}

This way we could verify that the original owner of the secret key of this DAT was that person. If a creator looses or changes a private user key but still has the dats secret: they could simply re-sign the DAT.

martinheidegger avatar Nov 03 '18 07:11 martinheidegger