This repository has been archived by the owner on May 2, 2022. It is now read-only.

📝 PLAT-897 Allow separate signing and wrapper keys (#24)
- Add a second 'signerPublicKey' field to an EO
- This is an ephemeral public key a client may use to sign rewrap and other requests associated with the EO.
- This is required as some algorithms and key types are more suited for encryption and others for signatures. Notably, we must support this for the smaller keys and restricted set of algorithms that NanoTDF will likely impose.
- Implementation(s):
  - Client [nanotdf for javascript](virtru/eternia#78)
  - Client [c++](virtru/tdf3-cpp#193)
  - Service [OpenStack EAS and KAS (python)](virtru-corp/etheria#295)
dmihalcik-virtru authored Mar 16, 2021
1 parent 68c5698 commit 0b7a7d4
Showing 2 changed files with 11 additions and 1 deletion.
9 changes: 9 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,15 @@
## Added
* _patch_: ([#17](https://github.com/virtru/tdf3-spec/pull/17))
Add KAS swagger
* _patch_: ([#24](https://github.com/virtru/tdf3-spec/pull/24)), PLAT-897: `EntityObject.signerPublicKey`
- Add a second 'signerPublicKey' field to an EO
- This is an ephemeral public key a client may use to sign rewrap and other requests associated with the EO.
- This is required as some algorithms and key types are more suited for encryption and others for signatures. Notably, we must support this for the smaller keys and restricted set of algorithms that NanoTDF will likely impose
- Implementations:
- Client [nanotdf for javascript](https://github.com/virtru/eternia/pull/78)
- Client [c++](https://github.com/virtru/tdf3-cpp/pull/193)
- Service [OpenStack EAS and KAS (python)](https://github.com/virtru/etheria/pull/295)

## Changes
* 1.3.4 (2019-08-05)
* _patch_: ([#20](https://github.com/virtru/tdf3-spec/pull/20))
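Review bot: the nested list under the PLAT-897 entry loses its hierarchy in this hunk: "- Implementations:" and the three "- Client ..."/"- Service ..." lines sit at the same indentation, so Markdown renders them as four sibling bullets rather than a heading with three children, unlike the commit message, where the client and service lines are indented one level deeper. Indent the three implementation lines under "- Implementations:" and end the "NanoTDF will likely impose" bullet with a period so the entry reads consistently with the "#17" entry above it.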
3 changes: 2 additions & 1 deletion schema/EntityObject.md
Expand Up @@ -40,10 +40,11 @@ When an entity wishes to decrypt a file, the following steps using the Entity Ob
|`attributes`|Array|An array of signed [Attribute Object](AttributeObject.md)s. At most one of these may be a _default_ AttributeObject.|Yes|
|`attributes.jwt`|String|An [Attribute Object](AttributeObject.md) that has been signed with the EAS private key as a [JWT](https://jwt.io/).|Yes|
|`publicKey`|String|The entity's public key, in a PEM-encoded format.|Yes|
|`signerPublicKey`|String|A second public key used for signing KAS requests, in a PEM-encoded format. When using TDF3 with elliptic curve cryptography, the public key may use ECDH and the signing key ECDSA.|Optional, depends on choice of algorithm|
|`cert`|String|The [Entity Object](EntityObject.md) contents (without `cert`) that has been signed with the EAS private key, as a [JWT](https://jwt.io/). The KAS uses this field to validate the authenticity of the Entity Object. |Yes|
|`schemaVersion`|String|Version number of the Entity Object schema.|No|


## Version

The current schema version is `1.1.0`.
The current schema version is `1.1.1`.
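Review bot: the new `signerPublicKey` row leaves two things a KAS implementer needs unstated. First, the "Optional, depends on choice of algorithm" requirement should say what the KAS does when the field is absent, i.e. whether request signatures are then verified against `publicKey`, since otherwise implementations will diverge. Second, because `cert` is described in the row below as the Entity Object contents (without `cert`) signed by the EAS, `signerPublicKey` is only trustworthy if it is part of that signed content; a sentence such as "`signerPublicKey`, when present, is covered by the `cert` signature and must be verified as part of it before being used to check request signatures" would make the binding explicit rather than implied. The `1.1.0` to `1.1.1` version bump is consistent with adding an optional field.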
