Key rotation within continuation #85
Comments
|
See my comment on pull request #132 |
|
This is close to what I was thinking about. I would also add as a reference what KERI is doing on key rotation, for discussion purposes. |
|
Key rotation is now handled on the continuation access token, not as part of the grant update. See #435 |
|
Could you answer on #435 (comment) and other comments in this PR? Thank you. |
|
what do you mean by "more or less gracefully" ? |
|
@fimbault, you can omit "more or less gracefully", I wanted to know if GNAP allows to address the use case I provided
and
|
|
Indeed the idea currently is that previous-key is replaced by the new key, for all what's coming afterwards. |
|
There are plenty of systems where both, or even more versions coexist until an administrator or a client itself decides to remove/invalidate previous keys. That's correct. The same approach arguably is even way more valuable for RSs. BTW, are you planning to allow them to rotate their own keys? You are writing these specs, and IMO, you still have time to add & embed these features into the core of GNAP. |
§5 Continuing a Grant Request: Editor's note:
We need to have a secure way to rotate the key used for the continuation here. In most cases this will be a rotation for the client instance, since a client without an instance record would likely just present a new key for a new request. In that case it could go with the client management, above - but it doesn't necessarily have to be.
The text was updated successfully, but these errors were encountered: