How to rotate key pairs? #52

maxmouchet · 2020-04-12T11:16:45Z

How should the developer update the public key in a server application?
Manual or automatic update?
If automatic, it must be secure (e.g. MITM attacks ...)

See #51 and https://stackoverflow.com/questions/39471872/jwt-rs256-is-it-safe-to-fetch-public-key-over-https.

jrebecchi · 2020-04-12T12:20:56Z

Tough question indeed! From what I understand: HTTPs solves this question and if using HTTPs is not possible we would have to add a certificate.
It is beyond the scope of this middleware but it is not for the docker image of Krypton. We must force using HTTPS with this Docker image.

maxmouchet · 2020-04-12T16:45:52Z

I don't think we should enable HTTPS in the Docker image, as this would require putting certificates inside the container (doable, but not very convenient).
Usually Docker containers are exposed behind a reverse-proxy which does TLS termination.

But the importance of this should be emphasized in the documentation!

jrebecchi · 2020-04-13T13:34:54Z

You make a point! We should emphasize that aspect in the documentation: using HTTPS to ensure the back-end's identity when fetching the public key.

maxmouchet added the discussion label Apr 12, 2020

jrebecchi added the documentation Improvements or additions to documentation label Apr 13, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to rotate key pairs? #52

How to rotate key pairs? #52

maxmouchet commented Apr 12, 2020

jrebecchi commented Apr 12, 2020

maxmouchet commented Apr 12, 2020

jrebecchi commented Apr 13, 2020 •

edited

Loading

How to rotate key pairs? #52

How to rotate key pairs? #52

Comments

maxmouchet commented Apr 12, 2020

jrebecchi commented Apr 12, 2020

maxmouchet commented Apr 12, 2020

jrebecchi commented Apr 13, 2020 • edited Loading

jrebecchi commented Apr 13, 2020 •

edited

Loading