Multi-user signing

[makew0rld]

It would be useful for AA to support multiple signers within one database. On a schema level this is possible, but the API doesn't support it.

Library changes

• Add keystore functionality, storing signing keys per database ID
  • Can be key pairs or just public keys (for syncing a third-party database)
  • Should keys have names?
• Remove setSigningKey
• Change validating functions like dbGet to support the keystore
• Change writing functions like dbPut to use the keystore
• Change demo files, update lib docs, examples

HTTP API

• No changes, except the JWT is examined and the appropriate key is used
• Old JWTs with no key indicator are not accepted instead of using a default key

Rationale

The idea behind this setup is to keep the keys with the server. Overall this would be a major breaking change on the library side, but shouldn't require changes for any HTTP API users, other than updating their JWT.

Pros

• Secret keys are kept safe
• Clients don't have to:
  • Sign data themselves (complex), or
  • Send private keys to the server (insecure)

Cons

• Less client agency since they don't hold their own keys (do we care about this?)

[benhylau]

Any client can use any key unless we map JWTs to keys

imo this breaks the whole security model. We must tie JWTs to usage of keys.

Does this mean user must send data to server in order to hash, or they are hashing on client and sending just the hash for "cloud signing". The latter seems more reasonable.

So basically the functionality is a server API that signs arbitrary text provided by a JWT-authenticated user. Correct?

[makew0rld]

The user can't send "just the hash" to the server because the server holds the database, it needs the data to be able to store anything.

I wasn't proposing creating a signing API over HTTP. I wanted to augment the existing CRUD API with the ability to set a specific signer. If JWTs are tied to keys then we don't even need to do that though, the API can remain the same. The client just provides the data they want to write and their JWT, and then the server processes it with the appropriate key.

I've edited the original comment to reflect this.