I've been trying to use this library to replace `cvm-reverse-proxy` for Flashbox. And needing to have the collateral already in cache for verification to pass is quite annoying. In the end I decided it's safest to use the older EKM-based protocol for Flashbox.
The proxy client is generally targeting a single host (the proxy server) so it doesn't make sense to do a full PCCS 'pre-warm' and fetch all available collateral when we will only need one of them. So we rather have to do a failed connection (missing collateral), and then keep waiting and retrying. With a one second delay between retries, I currently need to wait till the third attempt to get a successful connection.
This feels cumbersome, inefficient and error prone, and like there must be a better way.
Worse still, we have planned additions to verification which will also require network fetch:
Related issue: #2
Possible solutions I am considering:
- Just doing a synchronous fetch during the verifier function. This is not ideal, but it's made slightly better with dcap-qvl's new `CollateralClient` API which allows us to pass in a custom HTTP client (e.g. `ureq`) and still use dcap-qvl collateral fetch code. Implemented in Pccs - sync cache get should do network fetch #63
- Do collateral fetching on the attester side. That is, when generating an attestation, we also fetch collateral and include it in the payload. Good because we do just one fetch regardless of how many verifications, even if the verifications are by different peers. Bad, because this is an API breaking change, increases payload size/complexity, diverges from standards, and is quite opinionated / use-case-specific.

cc: @0x416e746f6e
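
The synchronous-fetch option described above, sketched as a read-through cache whose `get` performs the fetch on a miss, so the first verification succeeds without a fail-and-retry loop. This is an added example, not code from the issue, this library or dcap-qvl; the `CollateralFetcher` trait, the `CollateralCache` type, keying by FMSPC and the sample values are assumptions made for illustration.

```rust
use std::collections::HashMap;
use std::sync::{atomic::{AtomicUsize, Ordering}, Mutex};
use std::time::{Duration, Instant};

/// Hypothetical pluggable blocking HTTP fetcher (not dcap-qvl's own trait).
pub trait CollateralFetcher {
    fn fetch(&self, fmspc: &str) -> Result<Vec<u8>, String>;
}

/// Read-through cache: a miss triggers a blocking fetch instead of a failed verification.
pub struct CollateralCache<F: CollateralFetcher> {
    fetcher: F,
    ttl: Duration,
    entries: Mutex<HashMap<String, (Instant, Vec<u8>)>>,
}

impl<F: CollateralFetcher> CollateralCache<F> {
    pub fn new(fetcher: F, ttl: Duration) -> Self {
        Self { fetcher, ttl, entries: Mutex::new(HashMap::new()) }
    }
    pub fn get(&self, fmspc: &str) -> Result<Vec<u8>, String> {
        // The lock is held across the fetch: concurrent callers wait and then hit
        // the cache rather than issuing duplicate requests (lookups block meanwhile).
        let mut entries = self.entries.lock().map_err(|e| e.to_string())?;
        if let Some((stored_at, data)) = entries.get(fmspc) {
            if stored_at.elapsed() < self.ttl {
                return Ok(data.clone());
            }
        }
        // Fetch errors propagate and are not cached, so an outage is retried next call.
        let data = self.fetcher.fetch(fmspc)?;
        entries.insert(fmspc.to_string(), (Instant::now(), data.clone()));
        Ok(data)
    }
}

/// Constructed fetcher for the demo: counts calls, returns placeholder bytes.
pub struct CountingFetcher(pub AtomicUsize);
impl CollateralFetcher for CountingFetcher {
    fn fetch(&self, fmspc: &str) -> Result<Vec<u8>, String> {
        self.0.fetch_add(1, Ordering::SeqCst);
        Ok(format!("collateral-for-{fmspc}").into_bytes())
    }
}

fn main() {
    let cache = CollateralCache::new(CountingFetcher(AtomicUsize::new(0)), Duration::from_secs(3600));
    cache.get("AABBCCDDEEFF").unwrap(); // constructed FMSPC; first call fetches and succeeds
    cache.get("AABBCCDDEEFF").unwrap(); // second call is served from the cache
    println!("upstream fetches: {}", cache.fetcher.0.load(Ordering::SeqCst));
}
```

The cost of this design is that the verifier blocks on the network during a handshake, so the fetcher needs a timeout short enough to fit inside the connection deadline.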