Closed: jmhobbs closed this issue 8 years ago.
You can always set an expiry date on a user/node identity using the sdmp.identity.expires property, but creating a node/user is essentially the act of creating a node/user identity resource, and since you can publish updates to any resource (via the sdmp.updates property) you could simply publish a resource with a new public key, thereby replacing the existing one, or with no public key, thereby revoking the existing one.
This is one area I want to keep simple, but I had written down better guides and I think they must have been lost during one of the updates. I'll add that as a task, because I would really like it to be more clear how to update or revoke keys.
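To make the rotate/revoke flow described above concrete, here is an added example (not the sdmp project's own code) that replays an identity's published resource versions and resolves the key that is currently in effect, honouring sdmp.identity.expires. The field names (`publicKey`, `sdmp.updates` naming the resource it replaces), the HMAC stand-in for the real signature, and the rule that an update must be signed by the key it replaces are assumptions of this example rather than anything the spec states; the last of these goes a step beyond the thread, which only says updates are published.

```python
import hashlib, hmac, json
from datetime import datetime

def canonical(resource):
    """Deterministic bytes for a resource, excluding its own signature field."""
    body = {k: v for k, v in resource.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(resource, secret):
    """Stand-in for a public-key signature: HMAC under a constructed secret."""
    return hmac.new(secret, canonical(resource), hashlib.sha256).hexdigest()

def make(ident_id, key, expires=None, updates=None, signer=None, secrets=None):
    """Construct one resource version (assumed field names) signed by `signer`."""
    identity = {k: v for k, v in [("publicKey", key), ("expires", expires)] if v}
    res = {"id": ident_id, "sdmp.identity": identity}
    if updates:
        res["sdmp.updates"] = updates  # this version replaces resource `updates`
    res["signature"] = sign(res, secrets[signer])
    return res

def resolve_identity(resources, secrets, now):
    """Replay versions in publication order; secrets maps key id -> verifying material."""
    state, current = {"key": None, "expires": None, "revoked": True}, None
    for res in resources:
        new_key = res.get("sdmp.identity", {}).get("publicKey")
        # Assumed rule: creation is self-signed, an update must be signed by the
        # key it replaces, so nobody else can swap in a key of their own.
        material = secrets.get(current if "sdmp.updates" in res else new_key)
        if material is None or not hmac.compare_digest(
                res.get("signature", ""), sign(res, material)):
            continue  # unauthorized or malformed version: ignore it
        if new_key is None:  # published with no public key: revocation
            state, current = {"key": None, "expires": None, "revoked": True}, None
        else:
            expires = res["sdmp.identity"].get("expires")
            state, current = {"key": new_key, "expires": expires, "revoked": False}, new_key
    if state["expires"] and datetime.fromisoformat(state["expires"]) <= now:
        state = {**state, "key": None, "revoked": True}  # sdmp.identity.expires passed
    return state

def demo(now="2026-01-01T00:00:00+00:00"):
    """Constructed history: create A, rotate to B, reject a bogus update, revoke."""
    s = {"A": b"secret-A", "B": b"secret-B", "X": b"not-the-owner"}
    far = "2030-01-01T00:00:00+00:00"
    hist = [make("user-1", "A", far, signer="A", secrets=s),
            make("user-1", "B", far, updates="user-1", signer="A", secrets=s),
            make("user-1", "X", far, updates="user-1", signer="X", secrets=s),
            make("user-1", None, updates="user-1", signer="B", secrets=s)]
    return [resolve_identity(hist[:n], s, datetime.fromisoformat(now))["key"] for n in range(1, 5)]
```

`demo()` returns the effective key after each of the four published versions: the rotation to B is accepted, the version signed by an outsider is ignored, and the final key-less version revokes the identity.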
Ah ha! That makes sense.
So, would a single server be able to represent any number of nodes? Seems like there's nothing wrong with that.
Thanks!
You are correct: a single physical server could indeed represent any number of nodes.
Each connection is signed by a node's key, so if a server were to represent several nodes it would need to create a new connection to communicate on behalf of another node/user. Does this make sense? I might talk about it a bit more in the docs.
Makes sense! A basic network diagram might help clear things up in the docs. This look right-ish?
```
+--------------------------+    +--------------------------+
|  SERVER 1                |    |  SERVER 2                |
|  192.168.0.1             |    |  192.168.0.2             |
|                          |    |  192.168.0.3             |
|  +--------------------+  |    |                          |
|  | NODE 1             |  |    |  +--------------------+  |
|  |                    |  |    |  | NODE 3             |  |
|  |  +--------------+  |  |    |  |                    |  |
|  |  | USER 1       |  |  |    |  |  +--------------+  |  |
|  |  +--------------+  |  |    |  |  | USER 4       |  |  |
|  |                    |  |    |  |  +--------------+  |  |
|  +--------------------+  |    |  |                    |  |
|                          |    |  +--------------------+  |
|  +--------------------+  |    |                          |
|  | NODE 2             |  |    +--------------------------+
|  |                    |  |
|  |  +--------------+  |  |
|  |  | USER 2       |  |  |
|  |  +--------------+  |  |
|  |                    |  |
|  |  +--------------+  |  |
|  |  | USER 3       |  |  |
|  |  +--------------+  |  |
|  |                    |  |
|  +--------------------+  |
|                          |
+--------------------------+
```
I believe this is fixed now, in https://github.com/sdmp/sdmp.github.io/pull/22
Are there any details for key lifetimes, rotation and revocation?
I know session keys are short lived, but what about node and user keys?