Modify the authorized key signature process when the pre-rotation fea… #129
Conversation
…ture is enabled. Commited keys must be used directly in the next log entry Signed-off-by: Michel Sahli <michel.sahli@bj.admin.ch>
|
The text you have added is how I was originally thinking about it. Maybe I had made assumptions about the specification that weren't true. The current implementation in |
If you want a secure linked list of hashes, you will need to sign a new did log entry with the previous The difference with pre-rotation keys, is that you commit to a new key with tldr: without pre-roration keys, you need to link with the signature of the previous |
|
That is very confusing — I didn’t really understand the change based on the PR. I think I now get the idea (questions, summary below), but I think it will take a bigger update to the specification to make it clear. I think the core idea of what you are saying is that because of the pre-commitment, there is no need to wait until after “updateKeys” published to use them — we can sign the record with a key from the list in the current record. I don’t think it really reduces the threat significantly. From what you had above, we now have:
That is only a slight variation on the risk that is motivating the change. Is the following an accurate description of your proposal: No Prerotation:
Preotation:
Question — In your scheme, is it a requirement that the “updateKeys” and “nextKeys” list are in every record (first bullet above), or can multiple records be signed by keys in the same “updateKeys” list? |
|
Thanks for clarifying my description, yes it is accurate. For your question, most other technical specification of pre-rotation I have seen forces the concept of The main protection that people want from pre-rotation keys is that even if the I would recommend to force |
|
Decided to adapt the pre-rotation text with the global understanding discussed during the last meeting: https://hackmd.io/k4cIK9vQSlaeg2pdHE51IQ. |
|
I am still struggling to grok this so I have made diagrams to understand the process proposed AFTER this change has been accepted. Please correct me if I'm misunderstanding things. Of note: In the third image you see what I was concerned about on the call which is the unused key c which is likely not an issue.. |
TLDR: Modify the authorized key signature process when the pre-rotation feature is enabled. Commited keys must be used directly in the next log entry.
Hi everyone,
During IIW 39b, I talked to Stephen Curran and Patrick St-Louis about a potential issue I see with key pre-rotation as it is stated now in the specification. There is a case that an attacker could create a malicious version of the DID Document because the commited
updateKeyis only enforced AFTER the publication of the log entry. Normally in the key pre-rotation concept, if you commit tonextKeyHashes, you must use it to sign the next log entry.But the security risk is extremely low right now because you need to fulfill those two conditions:
updateKey(theft or PQC)nextKeyHashes(theft or data leak)Even if the risk is low, i would propose to fix the pre-rotation concept now. better safe than sorry :)
We will need to also adapt the examples and I would argue to jump to version 0.5, as it is a breaking change.