- Type: Spec Change
- Resolution: Unresolved
- Priority: Minor - P4
- Component/s: Client Side Encryption
Summary
In this PR comment thread for DRIVERS-2017, I realized that keyVaultClient is a required option of ClientEncryptionOpts (see: ClientEncryption in the CSFLE spec). The CSFLE spec never explicitly discussed how ClientEncryption objects should be created, but one can infer that by requiring keyVaultClient they should be constructed independently of a MongoClient object.
In PHPC, ClientEncryption objects have historically been constructed through the client object (i.e. MongoDB\Driver\Manager::createClientEncryption()). Therefore, keyVaultClient is optional and defaults to the parent client, similar to AutoEncryptionOpts.
If PHPC is not alone in allowing ClientEncryption objects to be constructed through a MongoClient, I'd propose that the spec allow ClientEncryptionOptions.keyVaultClient to be optional in such an API. If not, we can close this out and I'll open a PHPC ticket to allow ClientEncryption to be constructed directly (with a required keyVaultClient option).
Motivation
Is this issue urgent?
No.
Is this ticket required by a downstream team?
No.
Is this ticket only for tests?
No.
- Is related to: DRIVERS-2017 Add ClientEncryption entity and Key Management API operations to Unified Test Format (Closed)