How to communicate signing keys?

There was a discussion with @jehunter5811 and @tautvilas in the slack channel that I would like to continue here:

The question was how to sign a text with the main blockstack private key (ownerKey) such that 3rd parties can verify the signature using the blockstack name. It should be simple; using an app private key seems to be too difficult because the signer has to communicate the app domain additionally.

Only the CLI has access to the ownerKey.

Should the blockstack browser have a feature to reveal the ownerKey?
Should a user use the ownerKey for signing at all? If not, which keys could be used for signing? Where would the blockstack browser publish these signing keys? In the DID Document in the publicKey property? Then the verifier can go through the list of keys and try them to verify the signature. Does that make sense?


The more I think about this, the more I think the signProfileToken function from blockstack.js can be used for this. You will need to be able to fetch your ownerKey, which is simple enough using the CLI. I don’t know that anyone has built a UI around making this ownerKey accessible via a browser, but it wouldn’t be hard to do.

Once you have the ownerKey you can sign the data and share it. Verification would require the recipient to look up your Blockstack ID profile either with the names endpoint or the query endpoint and then verify the signature by using the publicKey exposed in your profile.

Are you not concerned about using the ownerKey of your blockstack id for the purposes of signing a text?

Well if I understand the use case, when signing arbitrary data that is not tied to any app I’ve used, it would make sense to use my ownerKey. The ownerPubKey is already exposed, and my guess is it is exposed for this very reason.

But maybe I’m not understanding what issues this might cause?