SKB Distribution

SKB can be distributed to one or to multiple Readers at the same time, requiring only a single DIDcomm message to be added to the bucket index. Readers must provide a public encryption key PKUser, typically via the keyAgreement section of their DID Documents.

Bucket Admin Prepares a DIDcomm Message:
1. SKB is the content of the message
Message Encryption as a DIDComm Encrypted message:
1. The message content is encrypted using a unique CEK, resulting in an opaque ciphertext value.
2. The CEK in turn is encrypted asymmetrically, once for (each) PKUser and once for PKB.
3. The ciphertext, the two encrypted CEK* as well as information on which algorithms and keys to use for decryption is combined into a DIDComm/JWE message.
4. The intended recipient can decrypt the CEK and hence the message content using their corresponding private key (SKUser).
5. Readers with access to SKB can also decrypt the message content to verify the message content, providing a record of key distribution to all with read access to the bucket.
Distribution:
1. The encrypted message is stored in the storage layer.
2. The Admin submits a transaction to add the message to the bucket index, choosing an appropriate tag for admin/system level messages.
3. Readers are notified via direct messages or by subscribing to pallet events and can decrypt the message with their SKUser

PreviousOperations NextRead revocation

Last updated 8 months ago