Enhance Authentication, Homeserver, and PKARR Architecture docs#49
|
|
||
| **Records expired**: Identity discovery fails until republished, but the identity itself remains valid — only the Homeserver pointer becomes unavailable. | ||
|
|
||
| **Under attack**: Cached versions on relays remain accessible. Attacks can only prevent updates, not erase existing records. |
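Review bot: The "Under attack" line says attacks can "only prevent updates, not erase existing records", but the "Records expired" line above it says discovery fails once records expire, until they are republished. If an attacker can block republication, the text should say whether copies cached on relays outlive that expiry; otherwise a long enough block on updates looks the same to a resolver as erasure. Suggest naming the attack being assumed and stating how long cached records stay usable while updates are blocked.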
This needs more detail, what is the attack scenario?
|
|
||
| 2. **No Key Delegation**: AuthToken must be signed by the user's main key. | ||
|
|
||
| 3. **Key management software must be trusted**: [[PubkyRing|Pubky Ring]] keeps keys out of third-party apps, but apps that handle keys directly must be fully trusted. |
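Review bot: Item 2 states the rule without its consequence. If every AuthToken must be signed by the user's main key, then whatever software performs the signing needs access to that key, which is the trust problem item 3 goes on to describe. Suggest linking the two items, for example by adding to item 2 that the signer therefore handles the main key directly.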
This is a forever limitation rather than a current one, I think?
|
|
||
| ## Data Retrieval and Synchronization | ||
| - `GET /events/` — Paginated event feed (cursor-based, 1000 events per batch) | ||
| - `GET /events-stream` — Server-Sent Events (SSE) real-time stream |
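Review bot: The two paths are written inconsistently, `GET /events/` with a trailing slash and `GET /events-stream` without one. Confirm that both match the routes as served, since readers will copy them verbatim. The `/events/` line should also say whether 1000 is a fixed batch size or an upper limit, and how the cursor is passed.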
The main difference between these is that /events returns all events on the homeserver for all users. /events-stream allows for a list of users to be specified plus other filters. This is primarily so that nexus can pull events for users from third party homeservers without having to deal with spammy users that they may have.
Obviously SSE is also another difference worth mentioning.
| - `GET /events-stream` — Server-Sent Events (SSE) real-time stream | ||
|
|
||
| - **API**: Any service can access data through a RESTful API | ||
| Used by clients like [[PubkyBackup|Pubky Backup]] to stay in sync. Note: the SSE broadcast channel is per-instance, so horizontal scaling requires architectural changes (e.g., Redis pub/sub). |
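Review bot: "Used by clients like ..." has no subject, and in the lines shown it sits directly after the "**API**" bullet, so it reads as describing the RESTful API rather than an event endpoint. Name the endpoint the sentence refers to, and keep it next to that endpoint's bullet.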
Don't mention the horizontal scaling issue here, it will be fixed soon and just confuses things.
|
|
||
| - Homeservers can be operated by individuals, cooperatives, or commercial entities, with the option for anonymous operation, promoting a decentralized and resilient storage ecosystem where users could tune their preferred redundancy while maintaining the benefits of a central Homeserver. | ||
| - We do not yet have any mirroring or replication tools available yet. Feel free to build with us! | ||
| Pubky hosts use **PubkyTLS** for transport security (TLS with Raw Public Keys, RFC 7250). ICANN hosts use standard X.509 TLS. See [[SecurityModel|Security Model]] for details. |
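Review bot: In the mirroring bullet, "We do not yet have any mirroring or replication tools available yet" repeats "yet"; drop one of them. On the transport line, "Pubky hosts" and "ICANN hosts" appear without a definition, so a reader cannot tell from this passage which kind of host a given Homeserver is; add a short gloss or a link on first use.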
I think actually that all homeservers expose both, confirm though please
|
|
||
| ## Running a Homeserver | ||
|
|
||
| > **Note:** Production deployment guides are not yet available. Easy deployment packages (Umbrel, apt, docker, start9) are planned. |
| > **Note:** Production deployment guides are not yet available. Easy deployment packages (Umbrel, apt, docker, start9) are planned. | |
| > **Note:** Production deployment guides are not yet available. Easy deployment packages (Umbrel, apt, docker, start9) are under development. |
d50d2a9 to
dd367d5
Expand existing pages with richer content: Authentication (participants, relay security, session rework), Homeserver (architecture, event stream details, transport security, running instructions), PKARR Architecture (SignedPacket format, DNS record types, caching, failure modes).