Stephen Guerin

# Online Services Using Domain-Based Identity with Self-Hosted Key Discovery

| Service | Identity Format | Key Discovery Mechanism | Self-Hostable? | Notes |
|---------|-----------------|------------------------|----------------|-------|
| **Mastodon / Fediverse** | `@user@domain.tld` | WebFinger at `/.well-known/webfinger` returns ActivityPub actor URL | Yes - run your own instance | Most mature implementation; ActivityPub federation; anyone can point their domain to their account |
| **Bluesky (AT Protocol)** | `@domain.tld` or `@user.domain.tld` | DNS TXT record `_atproto` or `/.well-known/atproto-did` returns DID | Yes - self-host PDS (Personal Data Server) | DIDs (Decentralized Identifiers) provide key rotation; domain is the human-readable handle |
| **Nostr** | `user@domain.tld` (NIP-05) | `/.well-known/nostr.json` maps username to public key | Yes - just host a static JSON file | Simplest implementation; keys are the true identity, domain just provides human-readable mapping |
| **Matrix** | `@user:domain.tld` | `/.well-known/matrix/server` for federation delegation; keys at `/_matrix/key/v2/server` | Yes - run Synapse/Dendrite homeserver | Federation requires valid TLS; server signs events with published keys |
| **Diaspora** | `user@domain.tld` | WebFinger at `/.well-known/webfinger` | Yes - run your own pod | Early federated social network; uses hCard for profile data |
| **OpenID Connect** | `user@domain.tld` | WebFinger for issuer discovery at `/.well-known/webfinger` → `/.well-known/openid-configuration` | Yes - run your own IdP | Enterprise SSO standard; Okta, Auth0, Keycloak all support self-hosted |
| **Solid (Tim Berners-Lee)** | WebID URL (e.g., `https://you.example/profile#me`) | WebID document contains public key; `/.well-known/` for pod discovery | Yes - run your own Solid pod | RDF-based; most "web native" approach; data stored in user-controlled pods |
| **Keybase** (deprecated) | `user` with domain proofs | `/.well-known/keybase.txt` or DNS TXT record proves domain ownership | No (centralized, now part of Zoom) | Pioneered domain-as-identity-proof; linked cryptographic identity across platforms |
| **IndieWeb / IndieAuth** | Your URL (e.g., `https://example.com`) | `rel="me"` links + `/.well-known/oauth-authorization-server` | Yes - your website IS your identity | URL is the identifier; OAuth-like flow; h-card for profile |
| **remoteStorage** | `user@domain.tld` | WebFinger at `/.well-known/webfinger` returns storage endpoint | Yes - run your own storage server | Unhosted web apps; separates app from data storage |

## Key Patterns

### WebFinger-based (RFC 7033)

- **Mastodon, Diaspora, remoteStorage, OpenID Connect**
- Query: `GET /.well-known/webfinger?resource=acct:user@domain.tld`
- Returns JSON with links to profile, keys, endpoints

### Custom `.well-known/` files

- **Nostr (NIP-05)**: `/.well-known/nostr.json` - static JSON mapping names to pubkeys
- **Matrix**: `/.well-known/matrix/server` - federation delegation
- **Bluesky**: `/.well-known/atproto-did` - returns DID document (alternative to DNS TXT)

### DNS-based

- **Bluesky**: `_atproto.domain.tld` TXT record contains DID
- **Keybase**: DNS TXT record for domain verification

### URL-as-Identity

- **IndieWeb/Solid**: The URL itself (not user@domain) is the identifier
- Most self-sovereign; no separate discovery needed

## Relevance to Acequia

The **Nostr NIP-05** pattern is particularly interesting for Acequia because:

1. **Minimal infrastructure** - just a static JSON file
2. **Keys are the real identity** - domain provides human-readable discovery only
3. **Separation of concerns** - someone can verify you at `stephen@simtable.com` without SimTable hosting your actual data
4. **Graceful degradation** - if the domain goes down, keys still work

A hybrid for Acequia might look like:

```
embudo.acequia.io/.well-known/acequia.json
{
  "parciantes": {
    "guerin": {
      "pubkey": "abc123...",
      "endpoints": ["https://guerin.simtable.com/acequia/"],
      "water_rights": "2.5_acres",
      "recovery": "sha256(phone_hash)"
    }
  }
}
```

This gives you:

- **Domain as trust anchor** (mayordomo controls `embudo.acequia.io`)
- **Parciante-controlled endpoints** (I control where my data lives)
- **Portable identity** (my pubkey works even if I leave embudo)
- **Phone as recovery** (buried, not primary)
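As an added example (not part of the original note, and not Acequia's or Nostr's own code), here is a client-side resolver for both the NIP-05 `nostr.json` lookup and the hybrid `acequia.json` sketch above. The `fetch` callable and the `DOCS` dictionary are constructed stand-ins for HTTPS GET so it runs offline; the 64-hex-character key values are placeholders, not real keys. The point it makes concrete is pattern 2 above: the domain only publishes a mapping, and a client still has to compare that published key against the key that actually signed the data.

```python
import json
import re
from typing import Callable, Optional

NAME_RE = re.compile(r"^[a-z0-9._-]+$")    # NIP-05 local-part charset
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+$")   # hostname only; no path or query chars
PUBKEY_RE = re.compile(r"^[0-9a-f]{64}$")  # 32-byte key as lowercase hex

# Constructed sample documents keyed by URL; stands in for the network.
DOCS = {
    "https://simtable.com/.well-known/nostr.json?name=stephen":
        json.dumps({"names": {"stephen": "a" * 64}}),
    "https://embudo.acequia.io/.well-known/acequia.json":
        json.dumps({"parciantes": {"guerin": {
            "pubkey": "b" * 64,
            "endpoints": ["https://guerin.simtable.com/acequia/"]}}}),
}

def fetch(url: str) -> Optional[str]:
    """Placeholder for an HTTPS GET; returns the body or None if not found."""
    return DOCS.get(url)

def split_identifier(ident: str) -> tuple[str, str]:
    """Split `name@domain`, lowercased. Rejecting anything outside the allowed
    charsets keeps the name from smuggling path or query characters into the URL."""
    name, sep, domain = ident.strip().lower().partition("@")
    if not sep or not NAME_RE.match(name) or not DOMAIN_RE.match(domain):
        raise ValueError(f"malformed identifier: {ident!r}")
    return name, domain

def _valid_key(value) -> Optional[str]:
    return value if isinstance(value, str) and PUBKEY_RE.match(value) else None

def resolve_nip05(ident: str, fetch: Callable = fetch) -> Optional[str]:
    """NIP-05: GET /.well-known/nostr.json?name=<name>, read names[<name>]."""
    name, domain = split_identifier(ident)
    body = fetch(f"https://{domain}/.well-known/nostr.json?name={name}")
    names = json.loads(body).get("names", {}) if body else {}
    return _valid_key(names.get(name))

def resolve_acequia(ident: str, fetch: Callable = fetch) -> Optional[str]:
    """Hybrid sketch: one acequia.json per domain, parciantes[<name>].pubkey."""
    name, domain = split_identifier(ident)
    body = fetch(f"https://{domain}/.well-known/acequia.json")
    entry = json.loads(body).get("parciantes", {}).get(name, {}) if body else {}
    return _valid_key(entry.get("pubkey"))

def verify(ident: str, signer_pubkey: str, resolver: Callable = resolve_nip05) -> bool:
    """What a client checks: the key the domain publishes must equal the key that
    signed the data. The domain is discovery only; it never replaces the key."""
    published = resolver(ident)
    return published is not None and published == signer_pubkey.lower()
```

A mismatch in `verify` is the signal that either the domain's mapping changed or someone else controls the domain, so the client should keep trusting the key it already has rather than the name.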