Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance AtClient to leverage new metadata #999

Open
gkc opened this issue Apr 17, 2023 · 1 comment
Open

Enhance AtClient to leverage new metadata #999

gkc opened this issue Apr 17, 2023 · 1 comment
Assignees
@gkc
Labels
enhancement New feature or request

Comments

@gkc
Copy link
Contributor

gkc commented Apr 17, 2023
edited
Loading

Note:

@gkc spiked this in PR59 and will create a pull request during PR60 to make this feature available as @experimental i.e. API not finalized

Is your feature request related to a problem? Please describe.

Currently the AtClient does not enable apps to easily choose to use different symmetric encryption keys for different data when sharing with some other atSign - we rely on a single default symmetric key e.g. @bob:shared_key@alice which is created under-the-hood when first needed, and used thereafter.

Describe the solution you'd like

AtClient should allow apps to explicitly create new symmetric keys and use them in put requests. Similarly, AtClient should see (from the encKeyName field in the metadata) when symmetric keys other than the default have been used, fetch that key, decrypt it, and use it to decrypt the data which was shared.

Thus for example an AtClient could create a symmetric key called 12345.__symmetric_keys.namespace@alice. As with the current default shared symmetric key, this symmetric key would be encrypted with @alice's public encryption key for storage so that @alice can retrieve it later. @alice should then be able to use this symmetric key when sharing data with @bob by creating @bob:12345.__symmetric_keys.namespace@alice, encrypting it with @bob's public encryption key as with current default shared symmetric keys, and should also be able to use the same key when sharing data with @charlie if they wish by creating @charlie:12345.__symmetric_keys.namespace@alice

The name of the shared key used should be placed in the encKeyName metadata field so that recipients can know that they need to fetch that symmetric key and use it to decrypt. Note that the encKeyName in this example would be 12345.__symmetric_keys.namespace and must not include either the sharedWith atSign nor the sharedBy atSign since they will be the same as the key for the record being shared (e.g. from @bob:some_data.namespace@alice we can see that sharedWith is @bob and sharedBy is @alice.

Additional context

Giving apps direct control over creation of additional symmetric keys enables app developers to use the atPlatform to cut new encryption keys, and share them using the existing platform key exchange mechanisms, for any purposes they wish - including encryption / decryption of data outside of the atServer - for example streaming, encryption of files for many recipients, storing encrypted data in other datastores, and generally, enabling use of atPlatform for key management and key exchange alongside other platform ecosystems.

More briefly: app developers can add end-to-end encryption into their existing applications without requiring them to completely adopt the atPlatform
@gkc gkc added the enhancement New feature or request label Apr 17, 2023
@gkc gkc self-assigned this Apr 17, 2023
@gkc
Copy link
Contributor Author

gkc commented May 16, 2023

Going to backlog this until next spring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gkc gkc

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@gkc