by Walterion 2502 days ago
Surely they are encrypted. But I invite you to check Blockstack authentication and how it works.

With what key are you encrypting someone else's private key? And who holds this master key?

I would love it if you could link a technical deep dive into how Blockstack fundamentally works because I've gotten very few answers from both implementors and founders, and their existing documentation isn't at all helpful.

You (the user) hold the master key. It's generated for you when you sign up for a Blockstack ID. From there, the authenticator generates a per-ID, per-application key-pair via BIP32 -- each app key is a hardened child whose path is generated from the key that owns the ID on-chain and the hash of the application's DNS origin.

Authentication happens completely client-side. The Blockstack authenticator registers itself as a protocol handler for the "blockstack:" protocol, such that when you click a sign-in button, you will be redirected to your locally-running authenticator (or to a hosted version of the same, if you don't have the authenticator installed). The authenticator stores your master key, and will derive the ID- and application-specific key-pair for you when you select the ID to sign in as.

Once you sign in, the authenticator redirects you back to the application. The authenticator passes the app the Blockstack ID and application-specific private key via the URL string (encrypted with an ephemeral ECDSA key generated by the app on sign-in), and the blockstack.js library fetches and downloads the user's profile to learn the storage endpoint(s) as part of completing the sign-in. In so doing, the application learns the storage endpoint to which to GET and POST user data, and learns the key to use to sign/encrypt it and to authenticate to the user's preferred storage (access to which is mediated by a Gaia hub that the user selects when onboarding).

Agreed that a deep dive with protocol diagrams would be handy. We're working on it! :)
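The comment above describes the per-ID, per-application keys as BIP32 hardened children derived from the key that owns the ID and a hash of the app's origin. The following is an added, self-contained illustration of that derivation pattern, written for this thread; it is not Blockstack's or blockstack.js's code. The BIP32 master-key and hardened-child steps follow the BIP32 specification, but the path layout (one hardened level for the ID, one for the app) and the way the app index is built from `sha256(origin)` are assumptions chosen for the example, not Blockstack's actual scheme.

```python
import hashlib
import hmac

# secp256k1 group order; BIP32 private keys are scalars modulo this value.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000  # BIP32 hardened-index bit


def master_key_from_seed(seed: bytes) -> tuple[int, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with 'Bitcoin seed'."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(digest[:32], "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key for this seed")
    return k, digest[32:]  # (private scalar, chain code)


def ckd_priv_hardened(k_par: int, c_par: bytes, index: int) -> tuple[int, bytes]:
    """BIP32 CKDpriv for a hardened child.

    Hardened derivation feeds the *private* parent key into the HMAC, so a
    child key cannot be computed from the parent public key alone, and a
    leaked app key does not expose its siblings or the parent.
    """
    if index < HARDENED:
        raise ValueError("only hardened derivation is supported here")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    if il >= SECP256K1_N:
        raise ValueError("invalid child key; BIP32 says skip this index")
    k = (il + k_par) % SECP256K1_N
    if k == 0:
        raise ValueError("invalid child key; BIP32 says skip this index")
    return k, digest[32:]


def app_index(origin: str) -> int:
    """Assumed mapping from an app's DNS origin to a hardened child index:
    the first 31 bits of sha256(origin) with the hardened bit set."""
    h = hashlib.sha256(origin.encode("utf-8")).digest()
    return (int.from_bytes(h[:4], "big") & 0x7FFFFFFF) | HARDENED


def derive_app_key(seed: bytes, id_index: int, origin: str) -> str:
    """Assumed path m / id_index' / app_index(origin)' -> hex private key."""
    k, c = master_key_from_seed(seed)
    k, c = ckd_priv_hardened(k, c, id_index | HARDENED)   # per-ID branch
    k, c = ckd_priv_hardened(k, c, app_index(origin))     # per-app leaf
    return k.to_bytes(32, "big").hex()


if __name__ == "__main__":
    # Constructed sample seed; a real wallet would use a random 128..512-bit seed.
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    print(derive_app_key(seed, 0, "https://app.example"))
    print(derive_app_key(seed, 0, "https://other.example"))
```

Two properties are worth checking against this code. First, the master and first hardened child reproduce the published BIP32 test vector 1 values, so the derivation primitives are correct. Second, the same seed and ID index yield one stable key per origin and distinct keys across origins, which is exactly the isolation the comment attributes to the per-application key-pairs.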

Maybe these help, but let me know if you have any questions: https://docs.blockstack.org/faqs/allfaqs