GPG Encryption

GPG can encrypt pages to be decrypted by any one of multiple recipients:

```sh
# gpg: enable many people to decrypt a message
gpg --encrypt \
    --recipient alice@example.com \
    --recipient bob@example.com \
    clear-message.txt
```

> GPG encrypts the file once with a symmetric key, then places a header identifying the target keypair and an encrypted version of the symmetric key.
>
> [...] When encrypted to multiple recipients, this header is placed multiple times providing a uniquely encrypted version of the same symmetric key for each recipient.
>
> stackoverflow
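The mechanism the quote describes can be checked directly. The script below is an added example, not part of the original page: it creates two throwaway keyrings (alice and bob, made-up names and addresses), encrypts one file to both from a sender keyring that holds only their public keys, shows that each recipient decrypts it on their own, and then counts the `:pubkey enc packet:` entries in `gpg --list-packets` output, which are the per-recipient copies of the session key. It assumes GnuPG 2.x is on PATH; all file names are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the original page: encrypt one file to two
# recipients held in separate keyrings, confirm each recipient can decrypt
# it, and count the per-recipient session-key packets gpg wrote.
# Assumes GnuPG 2.x on PATH; alice, bob, their addresses and all file
# names are made-up demo values.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not found; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
# Stop the per-keyring agents and remove all demo material on exit.
trap 'for h in "$WORK"/*/; do GNUPGHOME="$h" gpgconf --kill all 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# make_key NAME: create a keyring for NAME with one passphrase-less key and
# export its public key to $WORK/NAME.pub so the sender can import it.
make_key() {
    mkdir -m 700 "$WORK/$1"
    GNUPGHOME="$WORK/$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1 <$1@example.com>" default default never
    GNUPGHOME="$WORK/$1" gpg --batch --quiet --export --output "$WORK/$1.pub" "$1@example.com"
}

# encrypt_to_all FILE NAME...: the sender keyring holds only public keys;
# one --recipient per person, the same command shape as the page shows.
encrypt_to_all() {
    file=$1; shift
    mkdir -m 700 "$WORK/sender"
    args=""
    for r in "$@"; do
        GNUPGHOME="$WORK/sender" gpg --batch --quiet --import "$WORK/$r.pub"
        args="$args --recipient $r@example.com"
    done
    # --trust-model always: imported keys are unsigned in this demo keyring.
    # shellcheck disable=SC2086
    GNUPGHOME="$WORK/sender" gpg --batch --quiet --trust-model always --encrypt \
        $args --output "$file.gpg" "$file"
}

# decrypt_as NAME FILE: decrypt using NAME's keyring only; prints plaintext.
decrypt_as() {
    GNUPGHOME="$WORK/$1" gpg --batch --quiet --decrypt "$2"
}

# count_recipients FILE: number of public-key-encrypted session-key packets,
# i.e. how many recipients the file was encrypted to. The sender keyring has
# no secret key, so gpg complains on stderr while listing; that is discarded.
count_recipients() {
    GNUPGHOME="$WORK/sender" gpg --batch --list-packets "$1" 2>/dev/null \
        | grep -c '^:pubkey enc packet:'
}

# demo: run the whole flow; prints the recipient count, fails on any mismatch.
demo() {
    printf 'shared secret for the group\n' > "$WORK/clear-message.txt"
    make_key alice
    make_key bob
    encrypt_to_all "$WORK/clear-message.txt" alice bob
    # Both recipients recover the same plaintext from the same ciphertext.
    [ "$(decrypt_as alice "$WORK/clear-message.txt.gpg")" = "shared secret for the group" ]
    [ "$(decrypt_as bob "$WORK/clear-message.txt.gpg")" = "shared secret for the group" ]
    count_recipients "$WORK/clear-message.txt.gpg"
}

RECIPIENTS=$(demo)
echo "both recipients decrypted OK; session key wrapped $RECIPIENTS times"
```

Every run of `gpg --encrypt` draws a fresh random session key, so dropping a name from the recipient list and re-running the command is exactly the re-encryption needed when group membership changes; the old ciphertext, with its old session key, remains readable by anyone who held a copy of it.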

- [ ] explore browser options for dat & static wiki variants

CloudFlare built OpenCA using WebCrypto and PKI.js: article, webcrypto, pki.js, caniuse#cryptography

TLS becomes important when transmitting passwords over the internet. Here is an example configuration for Caddy to include HTTP basic auth in addition to terminating TLS connections for the domain.

```
https://{$AUTH_DOMAIN}, http://{$AUTH_DOMAIN} {
    gzip
    basicauth / {$AUTH_NAME} {$AUTH_PASS}
    proxy / {$ORIGIN} {
        transparent
    }
}
```

This configuration uses a single shared password, which is not best practice, but it is useful for exposing some work. Note that listing the `http://` address as a separate site in the same block turns off Caddy v1's automatic HTTP to HTTPS redirect, so the same credentials are also accepted over plaintext HTTP. Basic auth also breaks wiki sharing: the client JavaScript needs to learn to include auth headers when requesting `wiki.example.com/slug.json` from other wikis in the protected federation.

While I was getting the above to work I also learned of a few more recent Caddy plugins which might work better than basic auth:

https://caddyserver.com/docs/http.jwt
https://caddyserver.com/docs/http.login
https://caddyserver.com/docs/http.authz


Paul adds: "Not sure about gpg - it won't cope with people joining/leaving the group. Or maybe it would - but you would need to re-encrypt whenever membership of the group changed, changing the document key as well."