My understanding about swarm key is that it can not be changed after generation and all member in swarm has to have the same swarm key. Is it possible to have a dynamic swarm key similar to JWT token? Every node in a swarm have its own swarm key and the validity of a swarm key can be checked by other nodes in the same swarm?
Your intuition is correct. A swarm key is not an authorization mechanism per-se (although it can be used a very basic one), it’s an additional pre-shared-key encryption for connections which primarily provides isolation from other networks.
The one key requirement for swarm is a single point of authorization and key on every node is very hard to manage from security point of view. If a swarm key is compromised, then replacing it for a swarm in a timely manner would be extremely difficulty even if doable. Any viable solution for that?
As you probably notice, authorization becomes a difficult problem when you want it to happen in a distributed fashion. You could have central server, but otherwise, agree-ing on who has access and for how long points to have some form of distributed consensus.
JWT token provides an example of centralized token verification and authentication process. How about getting a swarm key from a central server (swarm key differs from peer to peer) for each peer and send the key to the same central server for verification and authentication as needed?
There will be no single swarm key for the whole swarm. Also individual key compromise only affects the key holder and does not affect others in the swarm. There is a single place to manage the security of swarm key.
the private ipfs network can setup its own swarm key server for that purpose. There is no need for swarm key on public ipfs network.