-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add iss
and kid
field to receipts
#25
Comments
iss
and kid
field to receiptsiss
and kid
field to receipts
If I understand correctly the proposed The way to pull all public keys at the moment is to get them through And for the |
Yes that's correct. In the longer term, we will probably provide a |
We're headed towards using a DID for the server's identity. This will require a few parts, but the first step is to add iss and kid fields to the receipt's protected headers. The iss value is be copied from an optional field in the configuration file. If the field is missing, we omit the iss and kid altogether. The kid should represent the current service's certificate/public key and will change on disaster recovery. For now, we use the same value we use for service_identity, ie. the hash of the DER certificate, but may revisit this in the future (eg. a hash of just the public key). The old service_identity field does not get removed just yet, so as to not break tooling that uses it while we are still transitioning to DIDs. In particular, pyscitt and our functional tests still depend on it. Fixes #25 Co-authored-by: Maik Riechert <maik.riechert@microsoft.com>
We're headed towards using a DID for the server's identity. This will require a few parts, but the first step would be to add
iss
andkid
fields to the receipt's protected headers.The
iss
value would be copied from an optional field in the configuration file. If the field is missing, we'll omit theiss
andkid
altogether. Thekid
should represent the current service's certificate/public key and will change on disaster recovery. For now, I think we can use the same value we use forservice_identity
, ie. the hash of the DER certificate, and revisit this in the future.Even though it will be redundant with the
kid
, I think we shouldn't remove theservice_identity
field just yet, so as to not break tooling that uses it while we are still transitioning to DIDs.The text was updated successfully, but these errors were encountered: