
Binding CCF Application Certificate to CCF instance

Open prakashngit opened this issue 3 years ago • 0 comments

@achamayou This is a follow-up from our conversation last day about getting CCF APP keys certified by CCF instance root keys.

Problem Statement:

Our CCF APP (https://github.com/hyperledger-labs/private-data-objects/tree/main/ccf_transaction_processor) maintains signing keys to sign results of certain read requests to serve application-level receipts. This feature is useful in our project because the CCF client could share these "app receipts" with a third party as "Proof of commit", where the third party might not have direct access to the CCF APP to verify the receipt. For this to work, there must be a mechanism for the third party to bind the CCF APP keys to the CCF instance CERTs, preferably the ccf network certificate. As of now, we treat this out of band, since we are not aware of whether CCF provides a provision to bind APP keys to CCF instance root keys.

Possible Solution

It would be great if CCF App has a native CCF API that it could use to request an APP generated public key to be certified by CCF network key or at least CCF node keys. Network key based certification is preferable from a third party perspective (since third parties need not be aware of CCF "nodes"), even though these are rotated after disaster recovery. (Applications I imagine would have their own protocols to reset keys/certs after a disaster recovery, and so I would leave it to the application to handle re-certifying the key after disaster recovery).

Thanks, Prakash

prakashngit, Aug 10 '22 19:08
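The third-party check this issue asks for, sketched as an added example; it is not code from CCF or from the private-data-objects project, and it uses no CCF API. It assumes the requested binding takes the form of an X.509 certificate over the app's public key, signed by the network key. Ed25519 and the names `issue`, `VerifyAppReceipt` and `Demo` are stand-ins chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a fresh Ed25519 key and certifies it under parent/signer (self-signed CA when parent is nil).
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, signer, t.IsCA, t.BasicConstraintsValid, t.KeyUsage = t, key, true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyAppReceipt is the third party's check; networkCert is its only trust anchor.
func VerifyAppReceipt(networkCert, appCert *x509.Certificate, receipt, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(networkCert)
	if _, err := appCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("app key is not certified by the network certificate: %w", err)
	}
	if pub, ok := appCert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, receipt, sig) {
		return fmt.Errorf("receipt is not signed by the certified app key")
	}
	return nil
}

// Demo builds constructed stand-ins: network cert, app cert, a receipt and the app's signature on it.
func Demo() (*x509.Certificate, *x509.Certificate, []byte, []byte) {
	nw, nwKey := issue("constructed network", nil, nil)
	app, appKey := issue("constructed app signing key", nw, nwKey)
	receipt := []byte(`{"constructed":"proof of commit"}`)
	return nw, app, receipt, ed25519.Sign(appKey, receipt)
}

func main() { fmt.Println("verification error:", VerifyAppReceipt(Demo())) }
```

After a disaster recovery rotates the network key, a certificate issued under the old key stops verifying against the new network certificate, which is the re-certification step the issue leaves to the application.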