puria
commented
6 months ago We also have to double check the flow on iOS that is slightly different! The mobile zencode scripts should abstract and hopefully work for both android/ios
Closed andrea-dintino closed 3 months ago
puria
commented
6 months ago We also have to double check the flow on iOS that is slightly different! The mobile zencode scripts should abstract and hopefully work for both android/ios
Regarding the keyring in the TEE: although it is an excellent idea, be aware that (as far as I know) we are out of specification with respect to EUDI-ARF, because it says that the sk(s) must be generated in TEE (which then does not never exits, even if you are root on the machine). Also consider that TEE manages 2 types of signatures (and therefore keys): RSA (God forbid) and what we call es256 (ecdsa on P256 curve).
Ergo, to be in line with the EUDI-ARF specs (then I'll make an issue) you should: 1) generate the keyring with Keypairoom, throwing away the es256 2) generate a sk es256 with TEE 3) export the pk of the es256 with TEE 4) generate the Keypairoom keyring pk 5) merge the output of 3) and 4) 6) use the output of 5) to request the DID
Subsequently, all es256 signatures will be made by the TEE, so we have to modify the Mobile Zencode scripts and the entire wallet flow, but this is in the future.