Robin Brown (Jan 27 2023 at 15:47): Robin Brown (Jan 27 2023 at 15:47):Now that we have a prototypes and some demos, I want to start solving some of the remaining UX questions.
In the demo I gave Wednesday at the SIG-Registries meeting, the user private key was supplied by an environment variable, but that isn't really how we'll want to do that in the long run.
Is there a good password-manager style key store that we could connect to so that a user can run the CLI and authenticate with the store to pull down the key, sign their log records, and then immediately get rid of it?
Lann Martin (Jan 27 2023 at 15:58):https://docs.rs/keyring/1.2.1/keyring/ is popular; I haven't used it though
Robin Brown (Jan 27 2023 at 16:00):Keyring would be a good thing to support, but I'd also like a way for people to pull down a key from an external store or even send the record to some key vault and have it signed without the key coming down the machine at all.
Robin Brown (Jan 27 2023 at 16:00):I know this is something that e.g. Azure Key Vault could do, but I don't know of any user-facing services that would fit the profile
Lann Martin (Jan 27 2023 at 16:04):Its kind of a rabbit hole; a mature system would support https://en.wikipedia.org/wiki/PKCS_11 modules for example. As long as we expect it to be extensible in the future I wouldn't try to boil this particular ocean
Robin Brown (Jan 27 2023 at 16:08):Filed as https://github.com/bytecodealliance/registry/issues/67
Last updated: Nov 22 2024 at 17:03 UTC