Authentication: exchanging public keys, signing messages

[csarven]

https://solid.github.io/notifications/ldn-channel-2023#authentication (copied from ldn-channel-2023 PR: #147 )

---

Details need to be further specified. The Security Vocabulary (or The Cert Ontology, WOT) can be used.

• Subscription Clients to share Notification Receiver's public key, where sendTo has a controller (which is the receiver).
• Subscription Servers to share Notification Sender's public key, where sender describes the key.

See Notification Channel Data Model for example where subscription request and response including public keys.

Subscription Client lets the Notification Receiver know about the Notification Sender and their public key.

Notification Receiver sets Authorization rules for Notification Sender.

Notification Sender can optionally use HTTP Message Signatures.

[elf-pavlik]

I think we should first evaluate Voluntary Application Server Identification (VAPID) for Web Push which is already used by WebPush #140

Following #155 we could recommend VAPID as one of the available auth schemes, where WebPushChannel2023 would only work with this one since it builds on top of WebPush.

All the sendTo channel types would be able to use it, it seems reasonable to include the public key in the SubscriptionService description. For WebPush it is required since before Subscription Request is made the client is already using that public key to create a subscription with WebPush Service.

[csarven]

See also https://docs.joinmastodon.org/spec/activitypub/#publicKey