Newbie: lifecycle of keys

francis · December 30, 2023, 10:03am

Hi,

I am starting to design an ActivityPub service, and I was wondering:

1 - When I create private keys for my users, are they expected to be permanent, or can they be changed?
2- Or, in other words, when I store a public key of a remote user, is there any mechanism I should check for revocation? Should I attempt to fetch a new key in case decrypting didn’t work with the one I cached?

Best,
Francis

trwnh · December 31, 2023, 3:33am

They can change, and they can change at any time (blind rotation). If a signature doesn’t validate with a cached key, you should refetch the profile in case the key changed.

francis · December 31, 2023, 7:11am

Thanks @trwnh . So no proper occasion to rotate them?

trwnh · December 31, 2023, 7:27am

You may receive an Update that rotates the keys, but this is not required.

helge · January 3, 2024, 7:33am

This is only correct for actors you have rarely contact with. Actors, you talk to regularly, e.g. followers and following, should send you an Update when rotating keys.

Requiring the above behavior would ensure that the entity behind an actor stays the same. Here entity means as something controlling a cryptographic identity.

Unfortunately, how to do key rotation and the implications of http signatures have not been documented. I have some ambition to fill this hole.

trwnh · January 3, 2024, 9:14am

may send an Update when rotating keys. There is a concept known as “blind key rotation” which provides deniability to any previously-delivered signed message. It works something like this:

Alice POSTs a Create activity to Bob with key A1.
Bob validates that the activity was signed with A1.
Alice Deletes the object, and changes to key A2 without telling anyone.
Bob can now no longer prove that Alice sent the original activity with A1. Anyone who observes Alice can see that Alice’s key is clearly A2, and the prior signature will fail to validate against key A2.

If instead Alice sent a signed Update to Bob that was signed with key A1 and updated to key A2, the deniability would go away, because there is a clear lineage and history linking key A1 and A2 to the same controller.

helge · January 5, 2024, 9:08am

As I said earlier: Without having somebody write a specification what we get out of using signatures, opinions will differ on what signatures mean, and what one can expect.

francis · May 5, 2024, 1:10pm

@trwnh and @helge

But what is the status today on the main AP servers like Mastodon & Co.? Do they issue an update when changing keys? Do they understand the update command? Or do they simply fetch a new key when checking the signature fails?

devnull · May 5, 2024, 1:47pm

From an implementor point of view you can’t rely on a remote server to send you the Update to rotate a key.

Best bet is to be flexible and if key check fails when validating an incoming activity, retrieve a new actor object and see if the key changed.

If it didn’t, then the content failed signature check. If it did change, then rerun validation…