fedi-e2ee / public-key-directory-specification

Specification for a Fediverse Directory Server for Public Keys

Consider TOTP / Multi-Factor Authentication for BurnDown by Instance Admins #43

Open soatok opened 2 months ago

soatok commented 2 months ago

The Fediverse Instance and the Public Key Directory server could negotiate a shared secret that only instance administrators possess. Then, every successful BurnDown would require this OTP in addition to a valid signature.

Operationally, this is reasonable, as the intent for BurnDown was to always require a deliberate administrative action.

Related to #42.

This would have revocation issues, naturally. If someone's server gets hacked, the attacker would need a valid TOTP to reset the secret. But if the legitimate admin loses the secret, they can no longer issue BurnDowns for the instance.

(Suggestion from @raphaelahrens.)
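As an added illustration (not code from this issue or from the fedi-e2ee project), this is what the directory-side check proposed above could look like: an RFC 6238 TOTP verifier with a small clock-skew window and replay protection, gated together with the result of the signature check that BurnDown already requires. Function names, the `state` bookkeeping, and the use of the RFC 6238 test secret are assumptions.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per TOTP step (RFC 6238 default)
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, unix_time // TIME_STEP)

def verify_otp(secret: bytes, otp: str, unix_time: int, last_step: int, window: int = 1):
    """Return (accepted, new_last_step). Tolerates +/- `window` steps of clock skew and
    rejects any step at or before the last accepted one, so a captured BurnDown cannot be replayed."""
    current = unix_time // TIME_STEP
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, step), otp):
            if step <= last_step:
                return False, last_step
            return True, step
    return False, last_step

def authorize_burndown(signature_valid: bool, secret: bytes, otp: str, unix_time: int, state: dict) -> bool:
    """The proposal in this issue: a BurnDown needs BOTH a valid signature AND a fresh OTP.
    `state['last_step']` is assumed per-instance bookkeeping persisted by the directory."""
    if not signature_valid:
        return False
    ok, new_last = verify_otp(secret, otp, unix_time, state.get("last_step", -1))
    if ok:
        state["last_step"] = new_last
    return ok

if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret; a real directory holds a per-instance secret.
    secret = b"12345678901234567890"
    state = {}
    code = totp(secret, 59)
    print(authorize_burndown(True, secret, code, 59, state))    # True: signature and OTP both good
    print(authorize_burndown(True, secret, code, 59, state))    # False: same OTP replayed
    print(authorize_burndown(False, secret, totp(secret, 95), 95, state))  # False: OTP alone is not enough
```

Losing the shared secret on the admin side has the consequence the issue describes: with `state` intact and no secret, no further BurnDowns can be authorized for that instance until the secret is re-established.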

raphaelahrens commented 2 months ago

The threat that would be mitigated is https://github.com/fedi-e2ee/public-key-directory-specification/blob/f7113a6b84218a5fb5f9129fc55696b36c2b59d3/Specification.md?plain=1#L523-L542

From PR #41