Caching public keys

What’s the best practice for caching public keys?

If you fetch the key every time you need it you won’t be able validate deletes to an actor, plus the cost of fetching the actor for every message. If you use the cached version you risk accepting messages signed with an old key, and rejecting messages signed with a new key.

Do we need something like: attempt to validation with cached key, and check for a newer version if that fails. Periodically check for updated keys and/or check for an updated key if the cached version is too old?

Are there any good documents on this?

I did not found documentation of this topic but from what I remember from some implementations (mastodon, nextcloud social) they adopted the “refresh on fail” strategy.

Periodically refreshing the user profiles might also be useful to keep other Actors’s metadata up to date too.

1 Like

refresh on fail is what we are doing in pleroma. In general, keys don’t change much.

1 Like

Thanks! I’ll implement retry on fail for now.

While keys don’t change often, it’s kind of concerning that an old compromised key will continue to be accepted forever. At least with retry on fail any server that receives a message with the new key should discard the old.

we only keep one key around, we throw away the old one as soon as we have a new one.

I mean that old keys can continue to live on instances that aren’t receiving messages with the new key. In practice any instances with followers should get new key quickly, so it’s probably not a real worry. Ideally we’d attach an expiry date to keys and expect instances to re-fetch expired keys.

In Pleroma we prevent that by forcing a key refresh every 48 hours, no matter the validity

1 Like