This repository has been archived by the owner on Dec 12, 2024. It is now read-only.

Connect the Service to remote signers. Support remote key management. #346

Open
decentralgabe opened this issue Mar 24, 2023 · 5 comments

Comments

@decentralgabe
Member

As the title states; demonstrate integration with remote keystores.

@decentralgabe decentralgabe moved this to 📋 Backlog in SSI Mar 24, 2023
@decentralgabe decentralgabe added this to the Next milestone Mar 30, 2023
@andresuribe87
Contributor

The first thought here is that we should focus on ssi-sdk first. When we have an SDK that handles remote key generation and cryptographic operations, then we can use that to inform the design that we should follow for ssi-service. I've created TBD54566975/ssi-sdk#336 to track on that side.

@decentralgabe decentralgabe removed this from the Next milestone May 10, 2023
@decentralgabe decentralgabe removed their assignment May 15, 2023
@decentralgabe decentralgabe moved this from 📋 Backlog to 🏗 In progress in SSI May 15, 2023
@decentralgabe
Member Author

@andresuribe87 can this be closed?

@andresuribe87
Contributor

#420 addresses having an external KMS to store the service's keys. That PR doesn't address the ability to have external signers, nor to bring your own keys when creating an ION DID (or any other DID).

This issue is about supporting that.

@nearlyjuly

Seems all good. So would it be on the user to specify first the storage (kms or other) and signer (remote or local)? As in, for DID creation ask first where the keys are to be stored or where existing keys can be found, for DID creation & credential creation ask the same plus which signer to use, and for only credential creation ask where the keys and the signer are (making it possible to provide one or both)?

@andresuribe87
Contributor

The signer is expected to hold the keys that they're using to sign with and never share them. So there isn't an expectation to separate storage and signer.

When you create a DID, you'll have the option of specifying that you want to sign yourself, with your own keys.
If you don't specify that option, then the service will generate the keys and they will never leave the boundaries of the service.

Any task within the service that requires signing will decide whether to sign inside the service (if the keys are available), or to defer signing to the external party.

@nearlyjuly , let me know if that makes it more clear.

@andresuribe87 andresuribe87 moved this from 🏗 In progress to 🔖 Up Next in SSI Jun 23, 2023
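The local-or-deferred signing decision described in the comment above, written out as an added example in Go (the language ssi-service is written in). This is illustrative code, not ssi-service's or ssi-sdk's own API: the `Signer` interface, `LocalSigner`, `RemoteSigner`, `Registry` and `RunDemo` names are assumptions, the "remote" party is simulated in-process by a callback rather than a network call, and the DID key IDs and credential payload are constructed sample data. The point it adds beyond the prose is the check a service should do when it defers signing: verify the returned signature against the public key it registered for that key ID, so a misconfigured or hostile external signer cannot hand back a signature under some other key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signer is the hypothetical abstraction the service signs through. The
// implementation decides where the private key lives; callers only ever see
// a key ID, a public key and signatures.
type Signer interface {
	KeyID() string
	PublicKey() ed25519.PublicKey
	Sign(msg []byte) ([]byte, error)
}

// LocalSigner holds a key the service generated itself; the private key
// never leaves the process.
type LocalSigner struct {
	kid  string
	priv ed25519.PrivateKey
}

func NewLocalSigner(kid string) (*LocalSigner, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &LocalSigner{kid: kid, priv: priv}, nil
}

func (l *LocalSigner) KeyID() string                   { return l.kid }
func (l *LocalSigner) PublicKey() ed25519.PublicKey    { return l.priv.Public().(ed25519.PublicKey) }
func (l *LocalSigner) Sign(msg []byte) ([]byte, error) { return ed25519.Sign(l.priv, msg), nil }

// RemoteSigner models a bring-your-own-key party. The service stores only the
// key ID and public key; signing is deferred to Call, which stands in for the
// network round trip to the external signer (simulated in-process here).
type RemoteSigner struct {
	kid  string
	pub  ed25519.PublicKey
	Call func(kid string, msg []byte) ([]byte, error)
}

func (r *RemoteSigner) KeyID() string                { return r.kid }
func (r *RemoteSigner) PublicKey() ed25519.PublicKey { return r.pub }
func (r *RemoteSigner) Sign(msg []byte) ([]byte, error) {
	sig, err := r.Call(r.kid, msg)
	if err != nil {
		return nil, err
	}
	// Never trust the remote party's output blindly: the signature must verify
	// under the public key registered for this key ID.
	if !ed25519.Verify(r.pub, msg, sig) {
		return nil, errors.New("remote signature does not verify under registered key " + r.kid)
	}
	return sig, nil
}

// Registry is the per-key decision point: sign in-process when the key is held
// locally, defer to the registered external party otherwise.
type Registry struct{ signers map[string]Signer }

func NewRegistry() *Registry     { return &Registry{signers: map[string]Signer{}} }
func (g *Registry) Register(s Signer) { g.signers[s.KeyID()] = s }
func (g *Registry) Sign(kid string, msg []byte) ([]byte, error) {
	s, ok := g.signers[kid]
	if !ok {
		return nil, fmt.Errorf("no signer registered for key %q", kid)
	}
	return s.Sign(msg)
}

// RunDemo wires a service-held key, a well-behaved external signer and a rogue
// external signer into one registry. Returns (localOK, remoteOK, rogueRejected, err).
func RunDemo() (bool, bool, bool, error) {
	reg := NewRegistry()
	local, err := NewLocalSigner("did:example:svc#key-1") // constructed key ID
	if err != nil {
		return false, false, false, err
	}
	reg.Register(local)

	// The user's own key store, simulated in-process: only the public key and a
	// signing callback are ever handed to the service.
	userPub, userPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	reg.Register(&RemoteSigner{kid: "did:example:user#key-1", pub: userPub,
		Call: func(_ string, m []byte) ([]byte, error) { return ed25519.Sign(userPriv, m), nil }})

	// A rogue remote that signs with a key other than the one it registered.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg.Register(&RemoteSigner{kid: "did:example:rogue#key-1", pub: userPub,
		Call: func(_ string, m []byte) ([]byte, error) { return ed25519.Sign(otherPriv, m), nil }})

	msg := []byte(`{"credentialSubject":{"id":"did:example:holder"}}`) // constructed payload
	sig1, err := reg.Sign("did:example:svc#key-1", msg)
	if err != nil {
		return false, false, false, err
	}
	sig2, err := reg.Sign("did:example:user#key-1", msg)
	if err != nil {
		return false, false, false, err
	}
	_, rogueErr := reg.Sign("did:example:rogue#key-1", msg)
	return ed25519.Verify(local.PublicKey(), msg, sig1), ed25519.Verify(userPub, msg, sig2), rogueErr != nil, nil
}

func main() {
	fmt.Println(RunDemo())
}
```

The registry never sees a private key for the remote entries, which is the property the comment asks for; the only data crossing the boundary inward is a signature, and the service rejects it if it does not match the public key it was told to expect.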
Status: 🔖 Up Next
3 participants