
introduce key identifier #717

Closed
strantalis opened this issue May 1, 2024 · 3 comments

Comments

@strantalis (Member)

To help support key rotation within KAS, a key identifier must be introduced. This will involve work in the kas service itself, along with any SDK.

strantalis added the comp:sdk and comp:kas labels May 1, 2024
dmihalcik-virtru added this to the Platform hardening milestone May 29, 2024
dmihalcik-virtru self-assigned this May 29, 2024

@dmihalcik-virtru (Member)

This is a feature where KAS can store multiple key pairs, and is essential for supporting key rotation, necessary for a production platform, and would enable other advanced key management capabilities.

We need to

  1. Allow KAS to load multiple keys of different types, and associate them with KIDs
  2. Update all clients to embed the kid in their documents (both nanotdf and ztdf)
  3. Perform any changes to the protocol required to enable these features.

Due to the way TDF is currently structured, once a file is created it is pinned to the given public key itself. There are extensions that allow some degree of forward secrecy around this -

Questions:

  1. Should we support JWKS from the public key endpoint? If so

@dmihalcik-virtru (Member)

I'll look into extending the configuration format to allow supplying a matrix of key types and identifiers.

cassandrabailey293 removed this from the Platform hardening milestone Jun 11, 2024

@dmihalcik-virtru (Member)

We still need to add kid to the nanotdf file format, but I have code testing it in #969
