# TODO

There are lots of things to add.

- TLS
  - Autorenew this with an ACME server (e.g., Boulder; use the Lego library)
    - Self-host the Boulder server & add the main CA pubkey to the client
  - Work with self-signed stuff for now though
- Authentication
  - Give each client an API key
  - Limit decryption keys that client can access?
- Admin UI on the server
  - Manage client accounts
  - Import public keys
  - Add/Remove keys
- Private Key autorotation
- PGP Public Key Server
  - a la keys.openpgp.org
  - two servers? one public (company pub keys), one internal (customer pub keys)
- Encryption groups
  - Add a number of public keys to a group. When the client encrypts to a group, use all the keys.
  - Auto-remove expired keys from groups

## Technical TODO

More specific stuff

- Wrap keys in Armor when sending over the wire
- Figure out sending multiple keys in the same request. Wrap in JSON? Can Armor handle multiple keys? Can I just concatenate multiple Armored keys?
- Auto-generate self-signed certs for testing TLS
- Password protect private keys?
  - Where would this password be stored?
  - Keys would ultimately need to be stored on disk *somewhere*, and they can't be unprotected there.
- Reorganize code to split client and server and a common lib
- Look at KMIP. Do I want to implement this?