Following is a description of a workflow I am thinking about for sending messages from one user to another for a particular app. I would love to know what you think about this
Consider 2 users Alice and Bob, who are users of an app someawesome.app
- Alice’s app wants to securely send Bob’s app a message.
- Alice and Bob have a URL for their preferred messaging server at a well known location in their gaia bucket for this app. The app allows a user to configure this URL in settings.
- Alice and Bob’s app public keys are available at a well known location on their Gaia buckets for this app.
Alice’s app constructs a message with a message ID, encrypts the message with Bob’s public key, and stores it on Gaia.
It then sends Bob’s message server
– The message ID, encrypted with Bob’s app public key.
– A bearer JWT token that contains info such as the sender’s blockstack name, the reciever’s blockstack name
The Bob’s preferred message server receives the message , authenticates the message by verifying Bob’s public key which is at a well known location for this app.
The message server then adds bob’s message to a database
Bob’s app queries the server for a list of unread messages. The app authenticates bob’s request using a bearer JWT that is sent with the request.
The message server returns all the encrypted message IDs that are intended for Bob.
Bob’s app decrypts the message IDs, and retrieves each message from the appropriate users’s gaia bucket for this app.
A couple of advantages I think this would have are:
- It doesn’t disclose any valuable information about the message to the server. All the server knows is that Bob has received a message from alice.
- The message ID is encrypted and then sent to the server. This would ensure that the server doesnt even know the location of the message on the user’s gaia bucket for this app.
- Allowing users to specify their own messaging server to store their incoming messages, would allow messging service providers offer competitive prices security features, provided they all use the same protocol.