Edge

architecture/security/accounts.class.puml

@@ -36,16 +36,12 @@ Account "client" *--> "*" Project
 
 class UserAccount {
   email : string [1..*]
-  keyid : string [*]
+  key : UserKey [*]
 }
 note left of UserAccount::email
   Registered email, used
   for account activation
 end note
-note left of UserAccount::keyid
-  Matches ""ably.key""
-  Can be revoked
-end note
 UserAccount --|> Account
 
 class OrganisationAccount {
@@ -123,6 +119,22 @@ note bottom on link
     account<sub>p</sub>.vf:primaryAccountable
 end note
 
+class UserKey {
+  public : base64Binary
+  private : base64Binary
+}
+note top of UserKey
+  Matches ""ably.key""
+  Can be revoked
+  ""@id = ".${keyid}"""
+end note
+note left of UserKey::private
+  encrypted with
+  AblyKey.secret
+end note
+
+UserAccount "1" -- "*" UserKey
+
 package Ably <<service>> {
   class AblyKey {
     keyid
@@ -139,7 +151,7 @@ package Ably <<service>> {
     timesheet access
   end note
 
-  UserAccount "1" -- "*" AblyKey
+  UserKey "1" -- "1" AblyKey
 }
 
 @enduml

architecture/security/register-cli.seq.puml

@@ -3,16 +3,12 @@
 hide footbox
 
 User -> CLI ++: open account/timesheet
-alt No ""ably.key"" or expired
-  alt No user configured
-    note over CLI
-      configured user is account<sub>u</sub>.
-      Not always the same as requested timesheet
-      account<sub>p</sub> (which may be an organisation).
-    end note
-    CLI -> User: "your account?"
-    User --> CLI: account<sub>u</sub>
-  end
+alt No Ably Key (AbK) or expired
+  note over CLI
+    configured user is account<sub>u</sub> (required).
+    Not always the same as requested timesheet
+    account (which may be an organisation).
+  end note
   CLI -> User: "pls enter email"
   User --> CLI: email
   CLI -> Gateway ++: jwe(account<sub>u</sub>, email)
@@ -31,19 +27,21 @@ alt No ""ably.key"" or expired
   CLI -> CLI: decrypt jwt<sub>a</sub>
   ' TODO: replay attack within JWT validity period
   CLI -> Gateway ++: key(jwt<sub>a</sub>)
+
   Gateway -> Gateway: create Account\nif required
-  Gateway <-> Ably: create/update key\n& capabilities
-  Gateway -> Gateway: store keyid\nin Account
-  return ""ably.key""
+  Gateway <-> Ably: create/update Ably key\n(AbK) & capabilities
+  Gateway -> Gateway: generate RSA key\npair for signing\n⦉ SK, PK ⦊
+  Gateway -> Gateway: encrypt SK with AbK\n{ SK }<sub>AbK</sub>
+  Gateway -> Gateway: ⦉ AbK.id ↦ { SK }<sub>AbK</sub>, PK ⦊\nstored in Account
+  return AbK, SK
 end
 
 CLI -> Gateway ++: config(account/timesheet, jwt<sub>u</sub>)
 note left
-  jwt<sub>u</sub> (user jwt)
-  is ⦉ account<sub>u</sub>, keyid ⦊
-  signed with ""ably.key""
+  jwt<sub>u</sub> (user jwt) has
+  { account<sub>u</sub>, AbK.id }<sub>AbK</sub>
 end note
-Gateway -> Gateway: check account<sub>u</sub>\ncorresponds to keyid
+Gateway -> Gateway: check account<sub>u</sub>\ncorresponds to AbK.id
 Gateway -> Gateway: check account<sub>u</sub> has\naccess to timesheet
 Gateway -> Gateway: update key capability
 return config