[Tracker] APKAM: PKAM per app & device, with namespace access control capability

[gkc]

Is your feature request related to a problem? Please describe.

• atSign owners are too involved in actual management of private keys
• Current permissions approach is all-or-nothing - you either have access or you don't

Describe the solution you'd like

• Limit likelihood of compromise of private keys
  • Limit private keys required by apps to the bare minimum - a single keypair (whose
    private key may be held on a TPM / secure element)
  • No more exporting of keys files for import by other apps+devices
  • Easy-to-use management of app access and app namespace permissions
• Limit blast radius if private keys are compromised
  • Apply access controls to apps' use of the atSign's namespace
  • Easy-to-use modification / revocation of app access and app namespace permissions

Tasks

Preview Give feedback

Tasklists will be sunset on April 30th, 2025

We encourage you to migrate your issue tasklist items to sub-issues. Learn more in our Changelog.

1. APKAM: Draft detailed design #30
   0 SP In review enhancement +3
   
2. APKAM: Spike #31
   +0
   
3. APKAM: Finalize design
4. APKAM: Full implementation
5. APKAM namespace access control changes - scan, update and lookup verbs at_server#1357
   enhancement +1
   
6. APKAM - changes in at_onboarding_cli at_libraries#367
   enhancement +1
   
7. APKAM - client side changes for authenticate using apkam keypair at_client_sdk#1078
   enhancement +1
   
8. APKAM - OTP design discussion and changes in implementation at_server#1423
   enhancement +1
   
9. APKAM - ability to receive offline notifications at_client_sdk#1076
   enhancement +1
   
10. APKAM - info verb to include APKAM namespace access details at_server#1356
    enhancement +1
    

[gkc]

Completed draft detailed design in PR53

[gkc]

Moving to PR57 as will not get to it in PR56

[gkc]

Closing as complete