Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
Due to the nature of secure repositories, which handle credit card information and do not want to expose external calls to APIs, among other security considerations, this change exposes the visibility level of getTrustedSigningKeysJson, so that the root signing keys may be fetched at any time and passed to where needed.
The service in question handles encrypted credit card data, lives in a separate VPC from other services, and does not want to expose external API calls to the Google signing keys API.
Per transaction, the use case better supports fetching only the keys downstream and passing them into Tink using the senderVerifyingKeys method.
If there are better alternatives used at Google, please advise!
Does Google recommend using the KeysDownloader class directly instead as an alternative?