Hello @AdriaanB ā I forked this off to a new discussion because it felt like a separate topic; hope youāre okay with that. If not, let me know and Iāll re-merge.
Holo Host is a weird situation. Sovereignty is the big selling point of Holochain, so we want Grandma to preserve her sovereignty. This is all about who has access to her private key, because thatās the key to her source chain. Thatās easy with Holochain proper, because her private key lives on her device. But with Holo Host, if we let a host store her private key, it could impersonate her. So what do we do?
The browser generates the private key and keeps it in memory. When the tab is closed, the private key ceases to exist. So to answer half of your question, the private key is not stored anywhere.
But wait! With all those private keys being generated, how do we maintain a consistent identity? Easy: the key is always the same every time itās generated, using a āseedā made out of:
- Grandmaās email address
- Grandmaās password (which never gets transmitted over the wire)
- A public āsaltā value provided by Holoās semi-centralised infrastructure
Read more in this dense but interesting article about Holochain, Holo, and DPKI.
Now for the second half of your question: where is data stored?
Itās stored on the host ā in alpha, thisāll be one host per Grandma; in beta itāll be five hosts per Grandma. Public data doesnāt need to be encrypted (and canāt, because the peers in that app need it), but private data is tricky. The host technically doesnāt need to be able to read it; only Grandma needs to. So I think the Holo dev team is exploring at-rest encryption for private entries.
Each app stores its own private data on its own source chain per agent, whether Holo or Holochain. As for HoloVault (now called Personals & Profiles), itās just another app with its own source chain ā itās just a handy way to store data.
I think capability tokens are a perfect way to access private data. Consider a medical records app:
Healthcare providers and patients both live in the same public DHT. Dr Alice wants Bobās medical records from a previous doctor. Hereās how it could work:
- Dr Alice asks Bob for a certain set of medical records.
- Bob creates a capability grant for the specific records she wants, then stories it as a private entry on his source chain. He shares the hash of the grant entry with Dr Alice; this is her capability token.
- Dr Alice stores this token on her source chain as a capability claim. Whenever she needs to, she requests records from Bob and presents the token to him.
- Bob checks the token against the privileges he granted to her. If all checks out, he retrieves the records and sends them back to Dr Alice.
This happens through node-to-node messaging, which means that both Dr Alice and Bob need to be online. I suppose you could do it async via encrypted public entries too.