Authentication Architecture
Users identify to hosts as the public key portion of an Ed25519 asymmetric keypair.
All endpoints use the same authentication mechanism. We call it authTS, short for "authentication timestamp". An authTS is the current timestamp (from the perspective of the user's client device), signed with user's Ed25519 keypair. The host verifies that:
- The user's public key is registered in the host's list of users (unless the user is registering for the first time).
- That the timestamp is close-enough to the server's view of the current time. This is important, because DIPLOMATIC relies on wall clock time for consistent ordering of messages.
- That the signature is validly produced by the private key corresponding to the user's public key.
This mechanism proves that the user controls the private key of their Ed25519 keypair at the time they made the request. Even if the authTS is snooped, it will only work if replayed quickly.
AuthTS Data Structure
| Field | Bytes | Encoding |
|---|---|---|
| pubKey | 32 | raw bytes |
| sig | 64 | raw bytes |
| ts | 5-8 | var-int milliseconds since UNIX epoch |
Total size: 101-104 bytes.