Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • createProfile:  This API creates user's wallet profile and returns info of profile created (ID and any other information needed by client). It returns error if wallet profile is already created or if profile creation fails.
    Here are the arguments that can be passed to create user profile
    • username: unique loginname to identity user. This parameter will also be used as db namespace,
    • authURI: webkms key server URI, if not provided then this profile will use localkms.
    • authString: secret in case of localkms or auth token in case of webkms
      (Note: in case of localkms a masterkey will be generated and will be encrypted by user's secret)
  • getProfile: Takes a username string and returns profile info containing profile ID or any other information needed for client. 
Lock & unlock APIs (need naming suggestions):

Since profile KMS requires locking/unlocking features, it is not a good idea to expect user kms secret/token in each wallet api calls due to below reasons.

  • complexity of handling secrets in each API calls.
  • not user friendly
  • creating KMS instance by user for each API call is expensive operation.


Solution: client has to unlock the wallet before calling any wallet interface APIs and lock the wallet back when he/she is done. Wallet will also auto lock if unused for certain amount of time.
This leads to introduction of 2 more APIs given below: 

  • unlock: accepts user `secret/token` used to create profile, creates kms instance, keeps it in cache (with expiry) and returns a token which can be used for any subsequent operations.
    This token will be used by VC wallet to fetch kms instance from cache and also will be used to correlate user profile. Once token expires cache gets cleared and kms instance will be destroyed.
    This token has to be supplied by client while calling each VC wallet APIs.

  • lock: Can be called by user to lock the wallet back.