Could potentially put the JWS + Metadata (if there is any) into a sqlite db so it can just do a connect instead of loading an entire file to memory it will access as needed and do a query?
So as of right now, Vaksina is using a very simplistic design which has a JSON file with all known keys from the VCI issuers list. This doesn't handle key revocation (which is a custom-rolled thing in SHC and is semi-complex), but essentially, we need to do the following.
Each SHC has a specific signing key in the iss field, but that doesn't specifically denote who actually issued a given card, and that should be available in plain text if possible (this will also be true for other card types later) through the API. For fully offline operation, we need to be able to generate a datafile that has all the information in a single go, and then load it as needed.
In practice, the key management tool needs to do the following:
/.well-known/jwks.json, and are represented as a JSON Web Keyset format
crlRevision: 1 is present in the JWK object), then we need to do additional steps
rid object on a given card.
While we could dynamically fetch a pubkey for an unknown issuer, I question if that's really a door I want to open ...
The following tools need to be implemented:
We need to test the following scenarios to make sure we're handling this properly:
There's probably more I'm forgetting, but this is a relatively good baseline in which to start.
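An added example (not Vaksina's own code) of the single offline datafile the issue asks for, built as a SQLite file along the lines of the comment above, so a verifier can resolve a card's iss and kid to an issuer name and public key with one query. The table layout, function names, issuer-list shape and sample issuer are assumptions made for illustration, and the revocation flag name is copied from the issue as written.

```python
import json
import sqlite3

CRL_FLAG = "crlRevision"  # name as written in the issue; confirm against the SHC spec

# Constructed sample data: one issuer-list entry and the key set it would
# serve at <iss>/.well-known/jwks.json. URL, names and key values are made up.
ISSUERS = [{"iss": "https://shc.example.org/issuer", "name": "Example Health Dept"}]
JWKS = {
    "https://shc.example.org/issuer": {"keys": [
        {"kty": "EC", "crv": "P-256", "use": "sig", "alg": "ES256",
         "kid": "key-2021", "x": "constructed-x", "y": "constructed-y"},
        {"kty": "EC", "crv": "P-256", "use": "sig", "alg": "ES256",
         "kid": "key-2022", "x": "constructed-x2", "y": "constructed-y2",
         CRL_FLAG: 1},
    ]}
}

def build_keystore(conn, issuers, jwks_by_iss):
    """Store every (iss, kid) pair together with the issuer's plain-text name."""
    conn.execute("""CREATE TABLE IF NOT EXISTS keys (
        iss TEXT NOT NULL, kid TEXT NOT NULL, issuer_name TEXT NOT NULL,
        jwk TEXT NOT NULL, needs_crl INTEGER NOT NULL,
        PRIMARY KEY (iss, kid))""")
    for entry in issuers:
        for jwk in jwks_by_iss.get(entry["iss"], {}).get("keys", []):
            if jwk.get("alg") != "ES256" or "d" in jwk:
                continue  # SHC signs with ES256; never store private key material
            conn.execute("INSERT OR REPLACE INTO keys VALUES (?, ?, ?, ?, ?)",
                         (entry["iss"], jwk["kid"], entry["name"],
                          json.dumps(jwk, sort_keys=True),
                          int(jwk.get(CRL_FLAG) == 1)))
    conn.commit()

def lookup(conn, iss, kid):
    """Return issuer name, JWK and revocation flag, or None for an unknown key."""
    row = conn.execute(
        "SELECT issuer_name, jwk, needs_crl FROM keys WHERE iss = ? AND kid = ?",
        (iss, kid)).fetchone()
    if row is None:
        return None  # unknown issuer or key: reject offline, no on-demand fetch
    return {"issuer": row[0], "jwk": json.loads(row[1]), "needs_crl": bool(row[2])}

def demo():
    conn = sqlite3.connect(":memory:")  # pass a file path to produce the datafile
    build_keystore(conn, ISSUERS, JWKS)
    return conn
```

A key whose row has needs_crl set still requires the additional revocation steps the issue mentions before a card signed with it is accepted.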