Proposal: add generic interface for external key registries #215
Comments
|
Hi, this looks similar to an open PR in biscuit-go biscuit-auth/biscuit-go#130 The token format still requires to have access to the private key for non-authority blocks, but I think that would be okay in this scenario, we only care about delegating signature to a KMS for the authority block (and third-party blocks, but that's similar). Agree on putting it behind a feature flag because this increases the risk of misuse a lot. |
|
Adding an external I would add a stretch goal to ensure that Some users will want to use their key management service's verify functionality, and some will want to cache public keys locally rather than making that network request on each verification. Thanks for the work you do 🙏 No urgency from our side to accommodate this use case- we may return to biscuits for our use case at a later time |
We are evaluating biscuits and the project is extremely appealing for our use case, save for the requirement that the implementing system requires access to the private key itself, which precludes usage with managed key services like AWS KMS.
I'm not deeply familiar with the project history, future goals, and codebase, but it does look possible technically to add an interface for externalizing the signing & public key download responsibilities of
KeyPairas an optional feature in the crate, where implementations of these responsibilities would be implemented.The integration with providers would be a non-goal, other than providing a best-effort example.
If this proposal is consistent with the direction of the project we can work around this limitation in the interim and I can offer to contribute to the implementation if desired
The text was updated successfully, but these errors were encountered: