-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How should authorizers handle key rotation? #150
Comments
@divarvel, would you be amenable to a patch that introduced a sibling method to Perhaps it could be called |
That’s a great point, the biscuit spec actually takes this use-case into account, it’s just that the go lib does not surface it yet. biscuit tokens carry an optional key id (an integer) that allows the verifying party to select the expected key within the set of accepted keys. So in the rust implementation for instance, you can either pass a I would welcome a patch that exposes this behaviour (not sure it would be possible to have a polymorphic function taking both public keys and closures, but a variant would be fine) |
Does your That would still leave open the ambiguity as to which public key to try in the face of the rotation scenario that I described. In between—or at the intersection of—these ideas is a projection function with signature While we're here, how does one associate a key ID with a token at minting time? That looks like something that |
Alternately, I could understand taking the stance that if callers fail to provide a key ID, then they're not opting into a tenable rotation approach, so they'd have to suffer calling |
yes, it should be added to the biscuit builder (just for the authority block, attenuation blocks are not affected |
yes, for seamless key rotation you are expected to include an id in the token |
Can you clarify that last point? If we accepted an optional key ID when constructing a I'm not sure yet whether it's possible or desirable to try using a |
I was not sure whether the same builder could be used to build an authority block and an attenuation block, but it seems it’s two different interfaces, so it’s fine, there is no risk of confusion |
I wrote this part, but the
I'm inclined to introduce the unexported function first, after which we could decide whether we wish to promote it and commit to it as an exported function. |
Please see #151, which pursues the third option proposed in #150 (comment). |
Please see #154 for matching more closely to the Rust library's projection from key ID to public key, per #150 (comment). |
Say that I have a root private key that I've been using for a while, and now I wish to rotate it, replacing it with a different key that I'll use to sign root blocks. Ideally I'd be able to create that key, and distribute its corresponding public key for use in my authorizers early, getting them ready to start receiving and trusting tokens signed with the new public key. After all of my authorizers have that new public key in use, I'd then be able to swap the root private and start signing token blocks with it.
As it stands today, though, the
(*Biscuit).Authorizer
method accepts only a singleed25519.PublicKey
parameter. That method will returnErrInvalidSignature
if any of the blocks in the token aren't signed correctly, but it's hard to tell if it we may have used the wrong root public key, or whether we have the correct root public key, but one of the other blocks in the token suffered tampering.Have you considered accepting more than one root public key in this method, or in a newly introduced method to sit alongside it? By analogy, within the age library, the
age.Decrypt
function accepts one or more "identities"—private keys—with which to try to decrypt the file. (The variadic parameter in the signature tolerates a caller supplying zero identities, but the function panics at run time if there aren't any identities available to use.)The text was updated successfully, but these errors were encountered: