Deriving child keys in the Skynet Registry

I am working on an application in which several users will share access to a registry keypair. In this model, users are added by encrypting the registry secret with the user’s key and sharing it with that user. In this model, adding new users is as simple as sharing a secret, but removing users requires generating a new secret and sharing it with the new trusted user set.

However, I notice in the Skynet docs that a registry secret can be used to derive child keypairs. So what if, instead of sharing the same secret with each party, I derived a child key per user and shared that? What advantages would this confer? If a child key were to be compromised, would there be any way to use the parent key to revoke the child key?

The biggest disadvantage to deriving a child key per user is that you have to encrypt whatever you want to share one time per person you shared the key with. That doesn’t necessarily mean that you have to re-encrypt the whole file; you could have one encryption key per file, and then encrypt that key once per person you share it with. If you do it that way, you will not be able to revoke a file once shared, but you will be able to stop a user from receiving new files.

On Skynet you can’t really revoke someone’s access to a file anyway. Once they have it they can pin it themselves to retain access.

Hopefully this post made sense, it’s pretty late here. Happy to clarify anything that didn’t.
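
The per-file key scheme from the answer above, as an added example that is not part of the original thread and does not use the Skynet SDK. It assumes Node's built-in `crypto`, with X25519 key pairs standing in for the per-user keys; all function names and the sample data are constructed for illustration.

```javascript
const crypto = require('crypto');

// Key-encryption key from an X25519 shared secret (constructed scheme, not Skynet's).
function kek(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'file-key-wrap', 32));
}

// AES-256-GCM with a fresh random nonce per message.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if the key or data is wrong
}

// Encrypt the file once, then wrap its key once per current member.
function shareFile(ownerPriv, members, plaintext) {
  const fileKey = crypto.randomBytes(32);
  const wrapped = {};
  for (const [name, pub] of Object.entries(members)) {
    wrapped[name] = seal(kek(ownerPriv, pub), fileKey);
  }
  return { body: seal(fileKey, plaintext), wrapped };
}

function readFile(name, memberPriv, ownerPub, file) {
  const entry = file.wrapped[name];
  if (!entry) throw new Error(`no wrapped key for ${name}`);
  return unseal(unseal(kek(memberPriv, ownerPub), entry), file.body);
}

// Constructed scenario: bob is removed between the first and second file.
function demo() {
  const [owner, alice, bob] = [0, 1, 2].map(() => crypto.generateKeyPairSync('x25519'));
  const both = { alice: alice.publicKey, bob: bob.publicKey };
  const f1 = shareFile(owner.privateKey, both, Buffer.from('first file'));
  const f2 = shareFile(owner.privateKey, { alice: alice.publicKey }, Buffer.from('second file'));
  const tryRead = (n, k, f) => {
    try { return readFile(n, k.privateKey, owner.publicKey, f).toString(); } catch { return null; }
  };
  return { bobOld: tryRead('bob', bob, f1), bobNew: tryRead('bob', bob, f2),
           aliceNew: tryRead('alice', alice, f2), bobAsAlice: tryRead('alice', bob, f2) };
}
```

In `demo()`, bob still decrypts the first file after removal but gets nothing for the second, while alice keeps reading new files without any re-keying.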