
Which Verification key is used for Steward in Indy


I was going through the getting started documentation of Hyperledger Indy SDK.

Step 4 goes through the process of onboarding new members through a steward. I have particularly three broad queries for the procedure outlined in the documentation.

  1. What does the call to the ledger for the creation of the NYM transaction mean? Is it not that pairwise DIDs were supposed to be stored in the wallet and not made public?

  2. Which key of the Steward does Faber query the ledger for: is it the Steward's legal DID or the one that it created for Faber?

  3. For the case of private DIDs stored in the wallet, how does an entity like Faber obtain the encryption key of the entity sending the invitation for a connection?


Solution

  • Question 1

    Your confusion is justified, and what you pointed out has now confused me too. I've turned to the Indy community and got to know that this part of the walkthrough tutorial is a bit outdated. Quoting Stephen Curran from Hyperledger Indy's RocketChat channel:

    "The pairwise DID concept had not been fleshed out enough and so all DIDs in code were being written to the ledger."

    To elaborate on public and pairwise DIDs a bit more:

    A NYM transaction writes a DID with its associated verkey (the public part of a keypair). You have to, however, distinguish between a public DID and a pairwise DID.

  • Question 2

    I think you are referring to step 10:

    "Faber asks the ledger for the Verification key of the Steward's DID by calling did.key_for_did."

    So here Faber reads the Steward's DID and its associated verkey (a public key) from the ledger. Faber then uses this key to encrypt the message - the message won't be decryptable by anyone but the Steward, the holder of the private part for that verkey.

  • Question 3

    Here's how connections are typically established:

    Some secure channel is assumed to be established by which one party receives a connection invite from the other. You could, for example, get the invite via HTTPS, or simply by an employee of a bank presenting you a QR code containing the invite for a connection from the bank. When generating the connection invite message, the inviting party generates a pairwise DID with a verkey. This is included in the invite message, so assuming you got this invite securely delivered by any means, it's safe to say you can send encrypted messages to the inviting party. At this point, you would generate your pairwise DID and verkey for this connection and send this data to the inviter. At this point, you have established a secure connection because you both securely exchanged each other's pairwise DIDs/verkeys for the session.
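
The invite and response exchange described in the answer to Question 3, as an added example that is not part of the original post or of the Indy SDK. Assumptions: X25519 with HKDF and ChaCha20-Poly1305 from Node's built-in crypto stands in for Indy's verkey-based anonymous encryption, and the `did:example:` identifiers and all function names are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');
const SPKI = { type: 'spki', format: 'der' };

// A pairwise DID and keypair kept only in the owner's wallet (never sent to a ledger).
function newPairwiseDid() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('x25519');
  const verkey = publicKey.export(SPKI); // public part, safe to share
  // Constructed identifier for the demo, not Indy's real DID encoding.
  const did = 'did:example:' + nodeCrypto.createHash('sha256').update(verkey).digest('hex').slice(0, 22);
  return { did, verkey, privateKey };
}

function deriveKey(shared, ephPub, recipientVerkey) {
  const salt = Buffer.concat([ephPub, recipientVerkey]);
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, salt, 'pairwise-demo', 32));
}

// Encrypt to a verkey: only the holder of the matching private key can read it.
function seal(recipientVerkey, plaintext) {
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const ephPub = eph.publicKey.export(SPKI);
  const recipientPub = nodeCrypto.createPublicKey({ key: recipientVerkey, ...SPKI });
  const shared = nodeCrypto.diffieHellman({ privateKey: eph.privateKey, publicKey: recipientPub });
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('chacha20-poly1305', deriveKey(shared, ephPub, recipientVerkey), nonce, { authTagLength: 16 });
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { ephPub, nonce, ct, tag: c.getAuthTag() };
}

// Throws if the box was not sealed to this recipient's verkey or was modified.
function unseal(recipient, box) {
  const ephPub = nodeCrypto.createPublicKey({ key: box.ephPub, ...SPKI });
  const shared = nodeCrypto.diffieHellman({ privateKey: recipient.privateKey, publicKey: ephPub });
  const d = nodeCrypto.createDecipheriv('chacha20-poly1305', deriveKey(shared, box.ephPub, recipient.verkey), box.nonce, { authTagLength: 16 });
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]).toString('utf8');
}

function runExchange() {
  const inviter = newPairwiseDid();
  // The invite travels over the assumed secure channel (HTTPS, QR code).
  const invite = { did: inviter.did, verkey: inviter.verkey };
  const invitee = newPairwiseDid();
  // The invitee answers with its own pairwise DID and verkey, sealed to the inviter.
  const body = JSON.stringify({ did: invitee.did, verkey: invitee.verkey.toString('base64') });
  const request = seal(invite.verkey, body);
  const received = JSON.parse(unseal(inviter, request));
  // Both sides now hold each other's verkey; the inviter can reply privately.
  const reply = seal(Buffer.from(received.verkey, 'base64'), 'connection established');
  return { invitee, received, request, replyText: unseal(invitee, reply) };
}
```

Because the sealing is anonymous, the inviter learns who is on the other end only from the DID and verkey carried inside the request, which is why the invite itself has to arrive over a channel the invitee already trusts.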