proposal: Key Store Admin #282
Conversation
…encryption-sdk-specification into tony/change-key-store-admin
framework/branch-key-store-admin.md
Outdated
| The Operation behaves identically to the [Key Store Client's CreateKey](../branch-key-store.md#createkey), | ||
| with the following caveats: |
There was a problem hiding this comment.
Do we want to move the operation here, and then point the key store here?
There was a problem hiding this comment.
I am not against that, but not willing to do it today.
Co-authored-by: Lucas McDonald <[email protected]> Co-authored-by: seebees <[email protected]>
Co-authored-by: Lucas McDonald <[email protected]> Co-authored-by: seebees <[email protected]>
texastony
force-pushed
the
tony/change-key-store-admin
branch
from
e8c9f98 to
af1bccf
Compare
…encryption-sdk-specification into tony/change-key-store-admin
| ### AWS KMS ReEncrypt (default) | ||
|
|
||
| `AwsKmsReEncrypt` dictates the Key Store Operation use | ||
| AWS KMS' ReEncrypt Operation to |
There was a problem hiding this comment.
maybe a link to the API docs?
| `AwsKmsDecryptEncrypt` is a structure that holds two `AwsKms`, | ||
| one designated for Decrypt, | ||
| one designated for Encrypt. |
There was a problem hiding this comment.
| `AwsKmsDecryptEncrypt` is a structure that holds two `AwsKms`, | |
| one designated for Decrypt, | |
| one designated for Encrypt. | |
| `AwsKmsDecryptEncrypt` is a structure that holds two `AwsKms` clients, | |
| one for Decrypt, and one for Encrypt. |
There was a problem hiding this comment.
Hmm... I like the term designated,
as later we will use the Encrypt client for GenerateDataKey and Decrypt.
Maybe I will change the wording to "Primarily but not exclusively for"
|
|
||
| #### [Branch Key and Beacon Key Creation](./branch-key-store.md#branch-key-and-beacon-key-creation) | ||
|
|
||
| The `AwsKmsReEncrypt` configuration MUST be treated as if it were the Key Store's `AwsKms`. |
There was a problem hiding this comment.
not sure what this means
There was a problem hiding this comment.
I can re-word this.
| - An optional [Key Management Strategy](#key-management-strategy) | ||
|
|
||
| At this time, | ||
| the [Key Management Strategy](#key-management-strategy) MUST be `AwsKmsReEncrypt`. |
There was a problem hiding this comment.
| the [Key Management Strategy](#key-management-strategy) MUST be `AwsKmsReEncrypt`. | |
| the default [Key Management Strategy](#key-management-strategy) MUST be `AwsKmsReEncrypt`. |
There was a problem hiding this comment.
No... only ReEncrypt is supported for Version and Create.
I do not have the capacity to implement Decrypt/Encrypt for Version and Create;
When we have a customer asking for it,
then we should take it on.
And default is tricky;
Smithy-Dafny does not support the Default trait.
There was a problem hiding this comment.
If this is not blocking, I would like to leave this as is.
| <!-- LocalWords: MRK AwsKms grantTokenList kmsClient ReEncrypt --> | ||
| <!-- LocalWords: AwsKmsReEncrypt keystore AwsKmsDecryptEncrypt --> | ||
| <!-- LocalWords: Admin ReEncrypt Changelog aws arn createkey --> | ||
| <!-- LocalWords: AwsCryptographyKeyStoreOperations versionkey GenerateDataKeyWithoutPlaintext --> |
There was a problem hiding this comment.
| <!-- LocalWords: MRK AwsKms grantTokenList kmsClient ReEncrypt --> | |
| <!-- LocalWords: AwsKmsReEncrypt keystore AwsKmsDecryptEncrypt --> | |
| <!-- LocalWords: Admin ReEncrypt Changelog aws arn createkey --> | |
| <!-- LocalWords: AwsCryptographyKeyStoreOperations versionkey GenerateDataKeyWithoutPlaintext --> |
There was a problem hiding this comment.
If this is not blocking, I would like to keep these here;
I will need to write the Mutation Spec,
and these spelling hints will help me.
Co-authored-by: José Corella <[email protected]>
Co-authored-by: José Corella <[email protected]>
There was a problem hiding this comment.
I am not sure what is blocking vs what are nits,
but I have responded to some of @josecorella comments.
| <!-- LocalWords: MRK AwsKms grantTokenList kmsClient ReEncrypt --> | ||
| <!-- LocalWords: AwsKmsReEncrypt keystore AwsKmsDecryptEncrypt --> | ||
| <!-- LocalWords: Admin ReEncrypt Changelog aws arn createkey --> | ||
| <!-- LocalWords: AwsCryptographyKeyStoreOperations versionkey GenerateDataKeyWithoutPlaintext --> |
There was a problem hiding this comment.
If this is not blocking, I would like to keep these here;
I will need to write the Mutation Spec,
and these spelling hints will help me.
| - An optional [Key Management Strategy](#key-management-strategy) | ||
|
|
||
| At this time, | ||
| the [Key Management Strategy](#key-management-strategy) MUST be `AwsKmsReEncrypt`. |
There was a problem hiding this comment.
If this is not blocking, I would like to leave this as is.
|
|
||
| #### [Branch Key and Beacon Key Creation](./branch-key-store.md#branch-key-and-beacon-key-creation) | ||
|
|
||
| The `AwsKmsReEncrypt` configuration MUST be treated as if it were the Key Store's `AwsKms`. |
There was a problem hiding this comment.
I can re-word this.
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Check any applicable: