uport-project / docs

uPort Documentation
http://developer.uport.me
Apache License 2.0

Signing Key Management #10

Closed nickmonad closed 6 years ago

nickmonad commented 6 years ago

I just recently noticed the upgrade made to the docs in the past few weeks. The diagrams in particular have been very helpful! Thanks for that.

With that said, it seems the general practice outlined in the documentation is to store and ship your application's signing key in the web page served to the user, effectively exposing it to anyone who can download the page. Unless I'm overestimating the importance of that key, this seems like a huge security risk to both the end user and the application owner.

For our application, we are planning to host the connection process on a dedicated server that will simply generate QR codes and send them back to our frontend. But one of my concerns is that developers new to this space won't see that as a possible solution and will simply follow the guidelines that have been set for them, opening up a seemingly large security vulnerability.

Are there any plans to address this issue in the documentation, or am I just overestimating the impact of exposing an application's signing key?

localredhead commented 6 years ago

@ngmiller You're absolutely correct, we should do a better job at clarifying how to handle the signer key.

We have changes pending for our libraries that will not require the signer key for many of the examples, and documentation updates to reflect this.

We recognize we can do a better job at guiding developers on how to handle this key, and we will be providing some updates to address this soon.

localredhead commented 6 years ago

I'm attempting to address this in #11.

localredhead commented 6 years ago

@ngmiller New docs are out. The getting started section contains a note about this: https://developer.uport.me/gettingstarted#2-get-an-application-identity

As well as a server-side tutorial: https://developer.uport.me/uport-js/guides/server-side-credentials-example#register-an-app

Thank you so much for your feedback. We will continue to improve on this as we update our documentation.

nickmonad commented 6 years ago

@localredhead Looks great! Thanks!