Our public/private key pair is created on the server during the registration process.
Is it possible to securely pass the private key to the client to use for signing?
Thanks in advance
Ray
No, unfortunately the server must retain custody of the keys, since there are many situations where the client might sign something that would be disallowed by the server’s policies or infringe on the privacy / security of another user on the same server, which HTTP Signatures is ill-equipped to handle.
@socialatm You can use a second key to sign objects and activities on the client side and let the server sign federation requests with the custodial key. See FEP-ae97 for details.
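The two-key split described above, as an added example in Go (editor's code, not from the thread or from FEP-ae97's own text). The client signs the activity with its own Ed25519 key and embeds a proof object shaped like an eddsa-jcs-2022 Data Integrity proof; the server verifies that proof as its policy gate and then signs the outbound federation request with its custodial RSA key in the draft-cavage HTTP Signatures form fediverse servers expect. Assumptions, all marked in the code: the key URLs and inbox are hypothetical, `json.Marshal` stands in for real JCS canonicalization, `proofValue` is base64url rather than the multibase base58btc the real cryptosuite uses, and the HTTP signature covers a fixed header list.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

type Doc = map[string]interface{}

// canonicalize stands in for JCS (RFC 8785): json.Marshal sorts map keys, which matches JCS
// for the plain strings and nested objects used here. Use a real JCS library in production.
func canonicalize(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

// without returns a shallow copy of d with one key removed.
func without(d Doc, key string) Doc {
	out := Doc{}
	for k, v := range d {
		if k != key {
			out[k] = v
		}
	}
	return out
}

// hashData is the eddsa-jcs-2022 hashing step: sha256(proof options) || sha256(document).
func hashData(options, doc Doc) []byte {
	h1, h2 := sha256.Sum256(canonicalize(options)), sha256.Sum256(canonicalize(doc))
	return append(h1[:], h2[:]...)
}

// SignActivity runs on the CLIENT with the client's own Ed25519 key. keyID is the URL of
// the matching public key, which the server publishes so that remote servers can verify.
func SignActivity(activity Doc, priv ed25519.PrivateKey, keyID string) Doc {
	options := Doc{"type": "DataIntegrityProof", "cryptosuite": "eddsa-jcs-2022",
		"created": time.Now().UTC().Format(time.RFC3339),
		"verificationMethod": keyID, "proofPurpose": "assertionMethod"}
	sig := ed25519.Sign(priv, hashData(options, activity))
	proof := without(options, "")
	// Assumption: base64url here; the real cryptosuite encodes proofValue as multibase base58btc.
	proof["proofValue"] = base64.RawURLEncoding.EncodeToString(sig)
	signed := without(activity, "proof")
	signed["proof"] = proof
	return signed
}

// VerifyProof is run by the SERVER before delivery and by remote servers on receipt.
func VerifyProof(signed Doc, keys map[string]ed25519.PublicKey) bool {
	proof, _ := signed["proof"].(Doc)
	keyID, _ := proof["verificationMethod"].(string)
	encoded, _ := proof["proofValue"].(string)
	pub, ok := keys[keyID]
	sig, err := base64.RawURLEncoding.DecodeString(encoded)
	return ok && err == nil && ed25519.Verify(pub, hashData(without(proof, "proofValue"), without(signed, "proof")), sig)
}

// SigningString is the draft-cavage HTTP Signatures string over the headers fediverse
// servers commonly require: (request-target), host, date and digest.
func SigningString(req *http.Request) string {
	return strings.Join([]string{
		"(request-target): " + strings.ToLower(req.Method) + " " + req.URL.RequestURI(),
		"host: " + req.URL.Host, "date: " + req.Header.Get("Date"),
		"digest: " + req.Header.Get("Digest")}, "\n")
}

// Deliver runs on the SERVER: it enforces policy by checking the client's proof, then signs
// the federation request with the custodial RSA key that never leaves the server.
func Deliver(signed Doc, clientKeys map[string]ed25519.PublicKey, serverKey *rsa.PrivateKey, serverKeyID, inbox string) (*http.Request, error) {
	if !VerifyProof(signed, clientKeys) {
		return nil, fmt.Errorf("client proof invalid, refusing to deliver")
	}
	body := canonicalize(signed)
	req, err := http.NewRequest(http.MethodPost, inbox, strings.NewReader(string(body)))
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	req.Header.Set("Digest", "SHA-256="+base64.StdEncoding.EncodeToString(digest[:]))
	req.Header.Set("Date", time.Now().UTC().Format(http.TimeFormat))
	h := sha256.Sum256([]byte(SigningString(req)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, serverKey, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	req.Header.Set("Signature", fmt.Sprintf(`keyId="%s",algorithm="rsa-sha256",headers="(request-target) host date digest",signature="%s"`, serverKeyID, base64.StdEncoding.EncodeToString(sig)))
	return req, nil
}
```

The point of the split is visible in `Deliver`: the server never sees the client's private key, yet it still decides whether the activity goes out, so the policy checks the earlier reply mentions (for example, that `actor` in the activity really belongs to the user who owns the client key, or that the target is not blocked) sit right before the custodial RSA signature. A receiving server should check the `Digest` header against the body, fetch the key named by `keyId`, verify the HTTP signature over the same signing string, and then verify the embedded proof against the client key published on the actor.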
Thanks so much. I’ll give this a read.
Thanks for this. I’m still new and in the research stage.
Is there a standard way of doing this? Point me towards any articles? Thanks