Beltic logo
Advanced Topics

Security Best Practices

Production security guidance for key management, credential issuance, and verification.

Essential security practices for production deployments.

Key Management

Private Key Storage

Development:

mkdir -p ~/.beltic/keys
chmod 700 ~/.beltic/keys
chmod 600 ~/.beltic/keys/*.pem

Production:

  • Use HSM or KMS (AWS KMS, Azure Key Vault, GCP KMS)
  • Never store keys in code or environment variables
  • Implement key rotation (90-day schedule)

Key Rotation

// 1. Generate new key
const newKey = await generateKeyPair('EdDSA');

// 2. Update DID document with new key
await updateDIDDocument(newKey.publicKey);

// 3. Re-sign active credentials
await reissueCredentials(newKey.privateKey);

// 4. Securely delete old key after grace period
await secureDelete(oldKey);

Credential Issuance

Verification Before Signing

  1. Identity verification - KYC/KYB checks complete
  2. Schema validation - All required fields present
  3. Business logic - Conditional rules pass
  4. Security checks - No prohibited content

Appropriate Expiration

  • Developer credentials: 6-12 months
  • Agent credentials: 3-6 months
  • High-risk use cases: 3 months with renewal

Credential Verification

Always Check

  1. Signature - Cryptographic validity
  2. Issuer - From trusted issuer list
  3. Expiration - Not expired or not-yet-valid
  4. Revocation - Check status list
  5. Policy - Meets requirements

Trusted Issuer List

const trustedIssuers = [
  'did:web:beltic.com',
  'did:web:issuer.example.com'
];

if (!trustedIssuers.includes(result.issuer)) {
  throw new Error('Untrusted issuer');
}

Audit & Monitoring

Log All Verifications

await logVerification({
  timestamp: new Date(),
  credentialId: result.credential.credentialId,
  issuer: result.issuer,
  subject: result.subject,
  outcome: 'accepted',
  policy: policyResult
});

Alert on Anomalies

  • Revoked credential usage attempts
  • Failed verification spikes
  • Unexpected issuer appearances
  • Policy violation patterns

Compliance

Data Handling

  • PII in credentials: Minimize or hash
  • Audit logs: Retain for compliance period
  • GDPR: Right to erasure for credential subjects

Regulatory Alignment

  • NIST AI RMF: Map fields to controls
  • SOC 2: Document verification processes
  • ISO 27001: Include in ISMS

See Also

Status Lists & Revocation

Complete guide to Status List 2021 implementation and revocation checking.

Integration Patterns

Common patterns for integrating Beltic credentials with frameworks and platforms.

On this page

Key ManagementPrivate Key StorageKey RotationCredential IssuanceVerification Before SigningAppropriate ExpirationCredential VerificationAlways CheckTrusted Issuer ListAudit & MonitoringLog All VerificationsAlert on AnomaliesComplianceData HandlingRegulatory AlignmentSee Also