dicekeys / dicekeys-app-typescript

The DiceKeys App for Electron and Web

Multi-window secret sharing for distribution rituals #233

Open UppaJung opened 9 months ago

MichaelKing1832 commented 3 weeks ago

If this feature is about key component export ceremony or procedure, be sure to include a dual-control process state change mechanism in the UI.

If the use case is a single device screen displaying the key components, the procedure should incorporate a required independent observer of the ceremony or procedure to validate process controls and ensure the integrity of the overall process.

The independent observer, or "MC" (Master of Ceremony), provides the independent auditing of the overall process, and can attest to the integrity of the execution of the process upon completion. The role of the MC is to detect process control failures, terminate the process if there has been a process integrity failure, and begin again (causing the generation of new shares).

What I mean by the "dual-control process state change mechanism" is something like an interstitial screen before and after each component is displayed to the component holder. This gates the process for the MC to ensure that the component holder has been authenticated and is prepared to receive their component. The holder then initiates a successful or failed completion of receiving the component, after which control of the UI is returned to the MC for repeating the process with the next component export steps.

This allows the MC to authenticate the component holders, shepherd them into the secure viewing area where the sensitive component material will be displayed to that person alone, where they then indicate when they have completed their task and the display of the sensitive component material has been cleared, summon the MC to verify with the component holder that the process completed successfully (via the indicator input by the component holder during their viewing period), and escort the component holder out of the secure viewing area, before proceeding to repeat the process with the next component holder.

In this way you have independently verifiable attestations at each step of the process for each export ceremony for each component being exported, as well as the audit trail for the overall process to ensure that the components have been securely exported and distributed into the custody of the component holders.

By "dual control mechanism" I mean something that requires at least two (2) separate input events. Such as toggling a check box (event 1) and pressing a button (event 2). This is to prevent inadvertent 1-step progressions to the next step, potentially interrupting and invalidating the entire component export ceremony as a result. It is the proverbial "Are you sure?" Yes/No dialog.

Supporting remote access by component holders in such a ceremony is a completely different thing, and far more complicated to ensure the secure display and secure viewing of sensitive component materials for each component holder.