I just came up with a neat portable, decentralized auth system. I feel like someone probably has done this before, but it's inspired by both Bluesky's domain verification system and Gemini's client-cert identification system, but for the web generally.
You create a client certificate with a Subject of CN=username@mydomain.com. In PowerShell:
New-SelfSignedCertificate -Subject "CN=username@mydomain.com" -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsage DigitalSignature,KeyEncipherment -Type Custom -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
Then get the thumbprint of that cert:
$> Get-ChildItem -Path "Cert:\CurrentUser\My" | Where-Object {$_.Subject -eq "CN=username@mydomain.com"} | Select-Object Thumbprint
# Thumbprint
# ----------
# 400E0A39A5E08DDFA30A0292A9C4EDFD40375F92
Then, at your domain registrar (or wherever your DNS is hosted), you create a TXT record named _identification.username.mydomain.com whose value is that thumbprint:
_identification.username.mydomain.com  TXT  "400E0A39A5E08DDFA30A0292A9C4EDFD40375F92"
A participating server configures its TLS settings to request (or require) a client certificate. The browser then prompts the user, who picks the certificate they want to present (the one with Subject CN=username@mydomain.com).
When the server accepts the connection (it is configured to accept any self-signed certificate, since the certificate chain is not what is being trusted here), it queries the TXT record at _identification.username.mydomain.com and compares the thumbprint of the client certificate it received with the value of that record. If they match, the server can attest that the user is, in fact, username@mydomain.com, and allow the user to sign all content under that name without requiring them to create an account on the site. Portable identity across the internet! You can take it even further by publishing PGP keys in a TXT record and allowing end-to-end encrypted messaging with various client-side apps.
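The server-side check described above, written out as an added Python example (this is not code from the original post). It assumes the TLS layer has already handed over the client certificate's DER bytes and its subject CN (in a real server the DER comes from something like `sslsock.getpeercert(binary_form=True)` and the CN is parsed out of it with a certificate parser); `SAMPLE_DER` and `SAMPLE_ZONE` are constructed stand-ins, and `zone_resolver` replaces a real TXT query so the example runs offline. Two things are worth noticing: the "thumbprint" PowerShell prints is the SHA-1 of the DER encoding, so that is what the server must hash; and the TXT record is the root of trust, so the lookup is only as trustworthy as the resolver (a validating, DNSSEC-aware resolver is the sensible choice) and a match proves control of the domain's DNS, not anything about the person.

```python
import hashlib
import re
from typing import Callable, Dict, List, Optional

# Username is restricted to a single DNS label (no dots) so the record name
# _identification.<user>.<domain> cannot be made ambiguous by a delegated
# subdomain; the domain part must look like a hostname.
_CN_RE = re.compile(
    r"^(?P<user>[A-Za-z0-9_-]{1,63})@"
    r"(?P<domain>(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63})$"
)

Resolver = Callable[[str], List[str]]  # record name -> TXT strings found


def thumbprint(der: bytes) -> str:
    """Thumbprint as Windows shows it: SHA-1 over the DER bytes, uppercase hex."""
    return hashlib.sha1(der).hexdigest().upper()


def record_name_for(subject_cn: str) -> Optional[str]:
    """Map a CN of the form user@domain to its TXT record name, or None if malformed."""
    m = _CN_RE.match(subject_cn)
    if not m:
        return None
    return f"_identification.{m['user']}.{m['domain']}".lower()


def verify_identity(der: bytes, subject_cn: str, resolver: Resolver) -> Optional[str]:
    """Return 'user@domain' if a TXT record under that domain vouches for exactly
    this certificate; otherwise None (malformed CN, no record, or mismatch)."""
    name = record_name_for(subject_cn)
    if name is None:
        return None
    expected = thumbprint(der)
    for txt in resolver(name):
        # Tolerate colon- or space-separated hex and mixed case in the record.
        published = re.sub(r"[:\s]", "", txt).upper()
        if published == expected:
            return subject_cn.lower()
    return None


def zone_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Stand-in for a real TXT lookup (hypothetical): answers from an in-memory zone."""
    return lambda name: zone.get(name.lower(), [])


# Constructed sample data, not from the original post. A real server would
# receive the DER bytes from the TLS handshake rather than a literal.
SAMPLE_DER = b"stand-in for the DER encoding of the client certificate"
SAMPLE_ZONE: Dict[str, List[str]] = {
    "_identification.username.mydomain.com": [thumbprint(SAMPLE_DER)],
}

if __name__ == "__main__":
    lookup = zone_resolver(SAMPLE_ZONE)
    print(verify_identity(SAMPLE_DER, "username@mydomain.com", lookup))        # username@mydomain.com
    print(verify_identity(b"some other certificate", "username@mydomain.com", lookup))  # None
    print(verify_identity(SAMPLE_DER, "username@other.example", lookup))       # None
```

The CN is never used as the identity until the DNS record has confirmed it, and the returned identity is derived from the matched record name rather than from any free-form field, so a certificate claiming `alice@mydomain.com` gets nothing unless mydomain.com's DNS publishes its exact thumbprint.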