-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Split up rotation, revocation and recovery #548
Conversation
* Use hyphens instead of camelcase for equivalent and canonical id, to be consistent with other DID Doc metadata * resolution: change all metadata properties to camelCase * Fix typo Co-authored-by: Markus Sabadello <markus@danubetech.com> Co-authored-by: Markus Sabadello <markus@danubetech.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I cannot sign off on a characterization of revocation as undoing the past. Revocation means stopping the use of something in the future, and cannot be used to repudiate past actions.
It is FINE for DID methods to not support revocation. It is not FINE for us to define out of existence a feature that's important for some of them.
<p> | ||
A controller performs a rotation when they change | ||
<code>publicKeyJwk</code> or <code>publicKeyBase58</code>, or other verification material | ||
without changing the <code>id</code> of the verification method. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't constrain an id
to always point to an item of the same type, let along the same verification method. That is, #key1
could be a service endpoint in one version of a DID doc, a signing key in another version, and an encryption key in another version. What you mean here, I think, is that we change only the value of a key, but none of its associated semantics/role/purpose.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I'm not a fan of this approach either -- and it's not really what I consider "rotation" either. Rather, I'd expect rotation to involve adding new verification methods to the DID Document without removing existing ones (and thus, their proofs continue to be valid). Internally/privately, the private key material/access to it is changed such that it is either made inactive or destroyed (but this is the private aspect of rotation, having nothing to do with the DID Document). I don't think we should encourage swapping key materials while keeping IDs the same -- I think that's a recipe for confusion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with both your comments, perhaps I should remove this section on rotation... its telling that the word "rotation" does not appear once here: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
However what I wrote is in line with
|
||
<p> | ||
Unlike revocation, rotation allows for new verifications associated with the <code>id</code>, | ||
to be valid, while invalidating old verifications that were produced with the older material. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't agree that key rotation invalidates old verifications. That is not the case with passwords or SSH keys; why should we claim it is true of DID keys? You are wanting to use verification methods to produce ephemeral tokens and are claiming that is a general property of the entire DID ecosystem. I disagree.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removing an ssh key or a jwk from the associated collection does cause a verifier to reject them... perhaps you can propose some alternate language that applies equally to SSH / GPG / OIDC?
GitHub will not accept commits from "rotated" ssh keys.
</p> | ||
|
||
<p class="advisement"> | ||
Cryptographic verifications associated with revoked verification methods should be considered invalid |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I could possibly live with the following rewording:
Cryptographic verifications associated with a revoked verification method are not valid. However, knowing whether a verification was made with a revoked verification method is trickier than it may seem.
Some DID methods provide the ability to look back at the state of a DID at a point in time, or at a particular version of the DID document. When such a feature is combined with a reliable way to determin the time or DID version that existed when a cryptographically verifiable statement was made, then revocation does not undo that statement. This can be the basis for using DIDs to make binding commitments (e.g., to sign a mortgage). If these conditions are met, revocation is not retroactive; it only nullifies future use of the method.
But in order for such semantics to be safe, the second condition -- an ability to know what the state of the DID document was at the time the assertion was made -- MUST apply. Without that guarantee, someone could discover a revoked key and use it to make cryptographically verifiable statements with a simulated date in the past.
Some DID methods only allow the retrieval of the current state of a DID. When this is true, or when the state of a DID at the time of cryptographically verifiable statement cannot be reliably determined, then the only safe interpretation of revocation is to make it apply both forward and backward in time. DID ecosystems that take this approach essentially provide cryptographically verifiable statements as ephemeral tokens that can be invalidated at any time by the DID controller.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dhh1128, I agree with your reword. I think it's a little strange to talk about the "state of a DID" (which is just an identifier), so we should perhaps instead talk about DID Documents or resolution. That's just an editorial quibble though. A slightly more important suggestion, I think, would be such that we don't so strongly state that if a DID method only allows retrieval of the current state of a DID that there are no alternative solutions to preventing undesirable "retroactive revocation". We shouldn't be so prescriptive -- instead of saying:
Some DID methods only allow the retrieval of the current state of a DID.
We can say:
In some cases, it may only be possible to obtain a current DID Document.
That way, future clever solutions that layer on top of DID methods that do not support versioning directly are not needlessly discouraged.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point about "state of a DID." I once poked a colleague about that very error, so I'm being inconsistent to get sloppy now. :-)
I agree that the rewording you suggested improves the text.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't believe the proposed language is an improvement.
However, I hope I have captured its spirit in my latest change set, by stating that revocation and rotation only apply to the latest version of a did document.... and clarifying how revoked material is commonly treated by other software systems.
|
||
<p class="note"> | ||
An attacker can trivially back date signatures to a period before the verification method was revoked, | ||
this is the reason that revocation applies to verifications for all time, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest removing this paragraph in favor of the wording I provided in a previous comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have made changes attempting to address your concern with this paragraph.
Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
Described two possible cases where 1) there is no update, and 2) an update performed within less than one second after creation. Part of the text by Amy Guy. thanks.
Co-authored-by: Amy Guy <amy@rhiaro.co.uk>
Co-authored-by: Justin Richer <github@justin.richer.org>
Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
@dhh1128 thanks for your comments, I intend to address them, I am hoping to see more comments from others before a try (hopefully this weekend).... one area of concern I have is aligning 'revocation' in did core, with TLS and PGP revocation... because if we do things differently I worry we may make things more confusing (its possible my PR is making this worse).
^ these are from google, I would welcome better links to add to did core for informative references. As I understand TLS and PGP, revocation destroys verification. I think you have said you don't want that to be true of DIDs... This is the primary issue we need to address in this PR. Perhaps we should use Solar Winds as an example: https://www.solarwinds.com/trust-center/new-digital-certificate
|
since I am. not a git wizard, and this branch has git issued beyond my skill I will be reimplementing it. |
Originally this branch was meant to replace:
with:
|
This PR attempts to address the mega thread on #386
Preview | Diff