Open hmedlinphocas opened 5 months ago
there's currently work going on to add support for ECDSA signatures, and we plan to add it to the spec soon. The main issue right now is finding key and signature serialization formats that would be broadly usable across languages (with existing implementations, etc).
Support for KMS and other HSMs would definitely be useful. What would you have in mind on the API side? Maybe we could move to something like the rust implementation's RootKeyProvider
, which can look up a key from the id in token, and then provides an abstraction that can sign
Thanks for the context and linking the existing work. I do appreciate your purview is broader with support for multiple languages, maintainability etc; it makes sense using Rust in the long term. My team is fortunately only concerned with Java. We have decided to take the protobuf changes for P256
from the draft PR, and write an implementation in Java. It is still in progress. We can propose it upstream when ready. We will have more capacity once we have an MVP solution for our use case.
We are looking at using Biscuit auth in our application but we are currently blocked with only
Ed25519
being supported for signing and verification. The reason we would like other algorithms is so we can have our keys managed by AWS KMS and KMS currently does not supportEd25519
.Is there anything in the roadmap to have more algorithm support? If not, we can submit a PR to add support for the
ECC_*
algorithms in KMS along with external signing provider support. However we can only add this to the Java implementation. Would this be something that would be accepted and released or do you require the changes made to the other supported languages?