Decide on key management approach for did:dht

[jiyoonie9]

slack convo summary:

• In all web5 sdks, AwsKeyManager does not support Ed25519 algorithm (because AWS KMS does not support this algo)
• Using the only accepted alternative secp256k1 algo works for did:jwk, but this is not a viable approach fordid:dht as it requires an Ed25519 key.
• Several approaches to enable key access from AWS for did:dht includes
  • Wrap the key (use a symmetric key, supported by the KMS (like AES), to encrypt the asymmetric key (Ed25519)) and store in AWS KMS
  • Storing the Ed25519 key in AWS Secrets Manager (may be more favorable despite having key material in in-memory process?)
  • Create and store ed25519 identity key and store in cold storage, generate secp256k1 signing key and store in AWS KMS

TODOs

• discuss on the "recommended" route for key management for did:dht when using non-local (enterprise?) key manager - get expert opinions from security eng
• update key management documentation for devrel docs

[angiejones]

thank you for opening this @jiyoontbd 🙏🏾
cc @acekyd

[acekyd]

Thank you! @jiyoontbd @angiejones