Skip to main content
Essential security practices for production deployments.

Key Management

Private Key Storage

Development: 
mkdir -p ~/.beltic/keys
chmod 700 ~/.beltic/keys
chmod 600 ~/.beltic/keys/*.pem
Production:
  • Use HSM or KMS (AWS KMS, Azure Key Vault, GCP KMS)
  • Never store keys in code or environment variables
  • Implement key rotation (90-day schedule)

Key Rotation

// 1. Generate new key
const newKey = await generateKeyPair('EdDSA');

// 2. Update DID document with new key
await updateDIDDocument(newKey.publicKey);

// 3. Re-sign active credentials
await reissueCredentials(newKey.privateKey);

// 4. Securely delete old key after grace period
await secureDelete(oldKey);

Credential Issuance

Verification Before Signing

  1. Identity verification - KYC/KYB checks complete
  2. Schema validation - All required fields present
  3. Business logic - Conditional rules pass
  4. Security checks - No prohibited content

Appropriate Expiration

  • Developer credentials: 6-12 months
  • Agent credentials: 3-6 months
  • High-risk use cases: 3 months with renewal

Credential Verification

Always Check

  1. Signature - Cryptographic validity
  2. Issuer - From trusted issuer list
  3. Expiration - Not expired or not-yet-valid
  4. Revocation - Check status list
  5. Policy - Meets requirements

Trusted Issuer List

const trustedIssuers = [
  'did:web:beltic.com',
  'did:web:issuer.example.com'
];

if (!trustedIssuers.includes(result.issuer)) {
  throw new Error('Untrusted issuer');
}

Audit & Monitoring

Log All Verifications

await logVerification({
  timestamp: new Date(),
  credentialId: result.credential.credentialId,
  issuer: result.issuer,
  subject: result.subject,
  outcome: 'accepted',
  policy: policyResult
});

Alert on Anomalies

  • Revoked credential usage attempts
  • Failed verification spikes
  • Unexpected issuer appearances
  • Policy violation patterns

Compliance

Data Handling

  • PII in credentials: Minimize or hash
  • Audit logs: Retain for compliance period
  • GDPR: Right to erasure for credential subjects

Regulatory Alignment

  • NIST AI RMF: Map fields to controls
  • SOC 2: Document verification processes
  • ISO 27001: Include in ISMS

See Also