Public method for signing a transaction

[ghost]

We are developing a software in .NET for interacting with IC using the EdjCase.ICP.Agent nuget package (https://www.nuget.org/packages/EdjCase.ICP.Agent). Our software basically consists of two components: the server side app (webapi) and the client side app (a console app), that securely holds the private key.

In our flow, the transaction submission process is divided into 4 steps: 1) on the server side - prepare the transaction to be signed, 2) on the client side - retrieve the (nonsigned) transaction from the server side, sign it and send the signed transaction back to the server-side, 3) on the server side - submit the signed transaction to the IC using HTTP.API, 4) on the server side - check the status of the transaction.

In the EdjCase.ICP.Agent library, steps 1-3 are performed within a private SendAsync method: https://github.com/BoomDAO/ICP.NET/blob/93072497d0ea15e1460bb4161c4e39b7066c5851/src/Agent/Agents/HttpAgent.cs#L229.

What we would need to accomplish our flow, is to split this private method into 3 separate public methods:

Can this functionality be added to the EdjCase.ICP.Agent nuget package?

[Gekctek]

Its possible, i think I would need a bit more information The hardest part would be allowing access to these lower level APIs and keeping the library abstracted from HTTP

From what I understand, you really just are sending it with an identity that is on a different computer, so it just needs to be signed somewhere else. There are 2 ways I can think of maybe implementing this

• Delegated Identity would be the easiest, because that can be done now. Essentially you generate a key on your api server, then that is sent to your client, which then signs a delegation chain to allow the api server key to send the request(s) using its private key with a limited scope/time.
• Remote identity. This would have to be added, but essentially we could make it so that there is a new identity type that makes a call to the client to sign the request, then on response, the server could use that signature and send it off. This would require more work and maybe API changes but i think it would be possible.

I guess a question is how much is the client checking, or is it just signing whatever it is given, just to have the key seperate. Or is there high security validation that the request is perfectly correct by the user?