Are SigningKeyPairs meant to be ephemeral inside of dryoc?

[juliusl]

I was wondering if intention for the SigningKeyPair is to create it at process start so that you can establish a trust with the process but then not allow any lingering trust on any identity once the process goes away. (I use the term process loosely; this could be a container for example)

Or is the SecretKey portion of the pair something that can/should be stored on the local filesystem, vault service, etc?

[brndnmtthws]

There are a few ways to use it, but generally speaking if you want to be able to authenticate messages over long periods of time (i.e., you want to be able to verify authenticity between two clients/actors over some extended period) then you'd need to store the secret key somewhere, such as in a database. The public keys need to be exchanged between parties to perform the authentication.

If you lose (or discard) the secret key, it just means that you won't be able to sign any new messages with that secret key, but you can still verify any messages that were previously signed with that key so long as you still have the public key.

Like you already mentioned, one way to use the signing keypair is to perform a handshake (when initiating a connection, or performing some sort of authentication/authorization process), exchange public keys, and then use that public key to verify all the messages going forward. Once the connection is closed or the session is terminated, the keys are forgotten and never reused. You would only do this if you want a little more control over the process, as opposed to, say, using the DryocStream interface.

Hope that helps!

[juliusl]

Yep that helps. I was wondering, I couldn't find any api from the SigningKeyPair type that can be used to store/load from the filesystem. Is there an example we should be following? On macos, ssh-keygen doesn't support ecdh currently so I was looking for a Rustacean oriented example.

[brndnmtthws]

The keys are public fields in the SigningKeyPair struct, so you can just access them directly as any other field. You probably want to convert the bytes into base64 (or some other friendly format, you could use the serde crate). You'll need to create the secret key first (which is just a 32 byte array), and then you can create a new SigningKeyPair from the secret key. You don't need to store the public key, only the secret key (the public key can be derived from the secret key).

Admittedly, it's a bit confusing how to do this, but here is an example:

https://gist.github.com/brndnmtthws/8b3a8704ed973d4707bc8200a7ddbb10

If you do cargo new signing-keypair-b64 && cd signing-keypair-b64 && cargo add dryoc base64, then add the code above into main.rs, it should work as expected when you do cargo run with the example.

FWIW, there are a couple somewhat similar examples in the docs, such as this one: https://docs.rs/dryoc/latest/dryoc/kdf/index.html#rustaceous-api-example

[juliusl]

Thanks a bunch! This guidance is very helpful