Closed samlown closed 2 years ago
A few random questions here: `id_xxx` and `id_xxx.pub` as the filenames? Or should we use `*.jwk` or some other extension? Not sure what's standard here.

By points:
- The `id_` prefix is for kudos to SSH, and implies some sort of identity. We could add the extension, like `.jwk`; it might be useful, but it's not official.
- Also, the current suggestion is to use `es256` in the filename; technically, this gives an indication of usage, as the key itself is technically "EC using the P-256 curve".
- `.jwk` or `.json` to the file to make them distinguishable.

Google SDK uses the `.json` extension. I don't think those keys are actually JWKs, though. So maybe `.jwk` and `.pub.jwk` would make sense for us to disambiguate from SSH and Google?
True... `.jwk` does seem like a kind of norm: https://whatext.com/jwk Let's do that then. I like the simplicity without, but `.jwk` does add meaning.
I think this issue has now been implemented. Are there any details I've overlooked that still need attention, @samlown?
This was going to be put inside an RFC, but the reality is that it's pretty short.

The CLI needs to be able to support signing envelopes, otherwise it's not very useful as all gobl documents require at least one signature to be valid. The main complication around this is where and how to store the JSON Web Keys.

There are two main options we've come up with so far:
- A `~/.gobl/config.yaml` file with a configuration containing private keys (this is what Invocli does).
- A `~/.gobl` directory, like `id_es256.jwk` for the private key and optionally `id_es256.pub.jwk` for the public key.

The SSH-like option is perhaps the most interesting as it opens up a set of possible commands on the interface:
- An `-i ~/.gobl/test_es256.jwk` option to specify a new identity file works easily.
- A `gobl keygen` command can create a key and output it to the `~/.gobl` directory.

GOBL already contains everything required to generate signatures inside the `dsig` package, so this is just a question of creating an interface.

We're expecting users to be able to upload their public keys to Invopop for storage; they should be easy to get to either by looking at the `~/.gobl/id_es256.pub.jwk` file, or by generating it from the private key via the command line.

Key files are always in JSON format. Is it useful to add a `.jwk` or `.json` extension to each?
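As an added example (not GOBL's own code, and not using its `dsig` package; standard library only), a `gobl keygen`-style routine that writes an ES256 key pair into a `~/.gobl`-style directory using the `id_es256.jwk` / `id_es256.pub.jwk` layout discussed above. The `JWK` struct fields, the 0700/0600/0644 modes and the `Keygen` name are assumptions for illustration; the point it demonstrates is that the public file is just the private JWK with the scalar `d` dropped, and that the private file must never be world-readable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"os"
	"path/filepath"
)

// JWK holds the RFC 7518 EC members of an ES256 key; d is the private scalar.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Alg string `json:"alg"`
	X   string `json:"x"`
	Y   string `json:"y"`
	D   string `json:"d,omitempty"` // omitted from the .pub.jwk file
}

// coord encodes a P-256 field element as a fixed 32-byte base64url string (RFC 7518 6.2.1.2).
func coord(n *big.Int) string {
	return base64.RawURLEncoding.EncodeToString(n.FillBytes(make([]byte, 32)))
}
// PrivateJWK converts a generated ECDSA P-256 key into JWK form.
func PrivateJWK(k *ecdsa.PrivateKey) JWK {
	return JWK{Kty: "EC", Crv: "P-256", Alg: "ES256", X: coord(k.X), Y: coord(k.Y), D: coord(k.D)}
}
// Public strips d: the public key is derivable from the private one, never the reverse.
func (j JWK) Public() JWK { j.D = ""; return j }
// Keygen creates dir (0700) and writes id_es256.jwk (0600) plus id_es256.pub.jwk (0644), like ssh-keygen.
func Keygen(dir string) (JWK, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return JWK{}, err
	}
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return JWK{}, err
	}
	priv := PrivateJWK(k)
	pb, _ := json.MarshalIndent(priv, "", "  ") // cannot fail for a struct of strings
	if err := os.WriteFile(filepath.Join(dir, "id_es256.jwk"), pb, 0o600); err != nil {
		return JWK{}, err
	}
	ub, _ := json.MarshalIndent(priv.Public(), "", "  ")
	return priv, os.WriteFile(filepath.Join(dir, "id_es256.pub.jwk"), ub, 0o644)
}
```

Call `Keygen(filepath.Join(os.Getenv("HOME"), ".gobl"))` to reproduce the proposed layout; the returned JWK is the private one, so print only `.Public()` of it.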