bcgov / von

Verifiable Organizations Network
https://digital.gov.bc.ca/digital-trust

Add a DTS Endorser Service for BC Gov issuers based on a BPA #378

Closed swcurran closed 1 year ago

swcurran commented 3 years ago

Suggest that we build a DTS Endorser Service for BC Gov issuers, with a user interface that could be based on a BPA.

The endorser service would be used by all BC Gov issuers that need to write to an Indy ledger using the Endorser Signature capability in ACA-Py. The service would have a user interface to approve requests, using a process something like the following:

  1. Issuers would be configured to know about the DID of the endorser service and on initial startup/writing, would prepare a transaction and connect to the endorser service and request the signature.
  2. The endorser service would have a DID known to others. Its DID could be resolved to find its endpoint, a connection made (all would be accepted) and the request made for an endorser signature.
  3. An endorsement request from a previously unknown issuer would always go to a "help desk" type queue for manual processing, and those authorized to approve endorsements notified via email or the new entry in the queue.
  4. An authorized individual will access a user interface to approve or reject the request.
  5. An authorized individual will access a user interface to define the handling of additional requests from the requesting issuer, such as to approve all future requests, approve some number of future requests, or to require confirmation of all future requests. Perhaps a notification option could also be set on the requests, allowing notification (or not) of future requests. Nice to have -- a user getting a digest of notifications showing what endorsements have been done.
    1. The goal of the "approve some number of future requests", and the "digest of notifications" is to ensure that the system is being monitored and the writes by the issuer are not excessive -- or there is detection if they are excessive. Recall the case of the OrgBook issuer repeatedly updating Sovrin MainNet every few minutes.
  6. An audit log of endorsements would be accessible to authorized users to query.
  7. The Endorser Service BPA would support issuing VCs to authorized users, and those VCs would control access to the BPA User Interface.

The open questions on this before getting started:

swcurran commented 3 years ago

@ianco -- per discussion, here are my notes on the DTS Endorser service. Talked to @esune after our discussion and he does have a simple endorser stood up and working, so that should be considered in case BPA is a bridge too far. But lots of benefits if BPA is a viable way to go.

ianco commented 3 years ago

hackmd doc with BPA evaluation: https://hackmd.io/RZvvrAioQGO6lmYyOblmSw?view

esune commented 1 year ago

Added reference in dedicated endorser repository, closing this issue.
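
The approval flow proposed in steps 3 to 6 of the opening comment, modelled as an added example (not code from this issue, ACA-Py or the BPA): unknown issuers are queued for manual review, a reviewer sets the handling of later requests, a spent "approve some number" budget falls back to manual review, and every decision is written to an audit log. The class and method names and the `did:example:` identifiers used with them are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

class Mode(Enum):
    MANUAL = "manual"          # confirm every request (default for unknown issuers)
    AUTO_ALL = "auto_all"      # approve all future requests
    AUTO_COUNT = "auto_count"  # approve a fixed number of future requests

@dataclass
class IssuerPolicy:
    mode: Mode = Mode.MANUAL
    remaining: int = 0         # budget, used only by AUTO_COUNT

@dataclass
class EndorserPolicy:          # hypothetical name, not an ACA-Py or BPA class
    policies: Dict[str, IssuerPolicy] = field(default_factory=dict)
    queue: List[dict] = field(default_factory=list)      # "help desk" queue
    audit_log: List[dict] = field(default_factory=list)

    def _audit(self, issuer, txn, decision, actor):
        self.audit_log.append(dict(issuer=issuer, txn=txn, decision=decision, actor=actor))
        return decision

    def handle_request(self, issuer: str, txn: str) -> str:
        p = self.policies.get(issuer)        # None means previously unknown issuer
        if p and p.mode is Mode.AUTO_ALL:
            return self._audit(issuer, txn, "endorsed", "policy")
        if p and p.mode is Mode.AUTO_COUNT and p.remaining > 0:
            p.remaining -= 1
            return self._audit(issuer, txn, "endorsed", "policy")
        if p and p.mode is Mode.AUTO_COUNT:
            p.mode = Mode.MANUAL             # budget spent: back to manual review
        self.queue.append({"issuer": issuer, "txn": txn})
        return self._audit(issuer, txn, "queued", "policy")

    def review(self, txn: str, approver: str, approve: bool,
               future: Optional[IssuerPolicy] = None) -> str:
        entry = next(e for e in self.queue if e["txn"] == txn)
        self.queue.remove(entry)
        if future is not None:               # step 5: handling of later requests
            self.policies[entry["issuer"]] = future
        return self._audit(entry["issuer"], txn,
                           "endorsed" if approve else "rejected", approver)

    def digest(self) -> Dict[str, int]:
        """Endorsements per issuer, for a periodic notification digest."""
        return dict(Counter(e["issuer"] for e in self.audit_log
                            if e["decision"] == "endorsed"))
```

Falling back to `MANUAL` once the count is used up is what surfaces an issuer that writes far more often than expected, the OrgBook case mentioned in step 5.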