Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add iss and kid field to receipts #25

Closed
plietar opened this issue Nov 24, 2022 · 2 comments · Fixed by #35
Closed

Add iss and kid field to receipts #25

plietar opened this issue Nov 24, 2022 · 2 comments · Fixed by #35
Assignees
@plietar

Comments

@plietar
Copy link
Contributor

plietar commented Nov 24, 2022

We're headed towards using a DID for the server's identity. This will require a few parts, but the first step would be to add iss and kid fields to the receipt's protected headers.

The iss value would be copied from an optional field in the configuration file. If the field is missing, we'll omit the iss and kid altogether. The kid should represent the current service's certificate/public key and will change on disaster recovery. For now, I think we can use the same value we use for service_identity, ie. the hash of the DER certificate, and revisit this in the future.

Even though it will be redundant with the kid, I think we shouldn't remove the service_identity field just yet, so as to not break tooling that uses it while we are still transitioning to DIDs.
@plietar plietar changed the title Add an iss and kid field to receipts Add iss and kid field to receipts Nov 24, 2022
@ivarprudnikov
Copy link
Member

If I understand correctly the proposed kid already exists in the receipt as a serviceId.

The way to pull all public keys at the moment is to get them through /app/parameters/historic and filter them based on serviceId in the receipt. Which as I understand will not change.

And for the iss field, the suggestion is to provide a way to configure it with fqdn which should host /.well-known/did.json. did.json should then expose all of the /app/parameters/historic keys. Is my understanding correct?

@plietar
Copy link
Contributor Author

plietar commented Nov 24, 2022

Yes that's correct.

In the longer term, we will probably provide a /.well-known/did.json endpoint hosted directly in the ledger, but for now that responsibility will be outside of the ledger. It is up to the operator to correctly configure the service to the externally hosted DID document.

@plietar plietar self-assigned this Nov 24, 2022
@plietar plietar mentioned this issue Dec 7, 2022
Merged
plietar added a commit that referenced this issue Dec 15, 2022
@plietar @letmaik
Add iss and kid fields to receipts. (#35)
8f31402 
We're headed towards using a DID for the server's identity. This will
require a few parts, but the first step is to add iss and kid fields to
the receipt's protected headers.

The iss value is be copied from an optional field in the configuration
file. If the field is missing, we omit the iss and kid altogether. The
kid should represent the current service's certificate/public key and
will change on disaster recovery. For now, we use the same value we use
for service_identity, ie. the hash of the DER certificate, but may
revisit this in the future (eg. a hash of just the public key).

The old service_identity field does not get removed just yet, so as to
not break tooling that uses it while we are still transitioning to DIDs.
In particular, pyscitt and our functional tests still depend on it.

Fixes #25

Co-authored-by: Maik Riechert <maik.riechert@microsoft.com>
@letmaik letmaik mentioned this issue Dec 20, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@plietar plietar

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add iss and kid fields to receipts. microsoft/scitt-ccf-ledger
2 participants
@ivarprudnikov @plietar