Include transaction ranges in historical service identity keys
(Follow-up from https://github.com/microsoft/scitt-ccf-ledger/issues/53)
The DID document contains the current but also historic service identity keys. A given service identity key is only valid to be used with a certain range of transactions (sequence numbers, really). It would be better to include those ranges in some way for each key and then use them during receipt validation.
There are roughly two places where extra properties could go:
- Inside the verification method object
- Inside the JWK object
Given that the JWK object already supports a "use" field to determine intended use (e.g., signing, encryption), it seems natural to add another field in there and potentially register it at some point in https://www.iana.org/assignments/jose/jose.xhtml#web-key-parameters.
The other piece, validation, is a little more tricky, since SCITT currently does not expose CCF's transaction id in the receipt in a sensible way.
Subject to changes in the receipt content which needs to include more information about the running enclave and the transaction
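A sketch of the range check proposed in this issue, added here as an illustration and not taken from scitt-ccf-ledger. The JWK parameter name `x_seqno_range`, its `first`/`last` fields, the sample DID document, and the assumption that a receipt exposes both a sequence number and a key id are all hypothetical.

```python
# Added illustration; "x_seqno_range" is a hypothetical, unregistered JWK parameter.
RANGE_PARAM = "x_seqno_range"

class KeySelectionError(Exception):
    """No single service identity key can be trusted for this sequence number."""

def _covers(jwk, seqno):
    rng = jwk.get(RANGE_PARAM)
    if not isinstance(rng, dict) or not isinstance(rng.get("first"), int):
        # Fail closed: a key without a range must not validate any receipt.
        raise KeySelectionError(f"key {jwk.get('kid')!r} has no usable range")
    last = rng.get("last")  # absent means the key is still the current one
    if last is not None and (not isinstance(last, int) or last < rng["first"]):
        raise KeySelectionError(f"key {jwk.get('kid')!r} has a malformed range")
    return rng["first"] <= seqno and (last is None or seqno <= last)

def select_service_key(did_doc, seqno, receipt_kid):
    """Return the one JWK allowed to sign transaction `seqno`, or raise."""
    jwks = [vm["publicKeyJwk"] for vm in did_doc.get("verificationMethod", [])]
    matches = [jwk for jwk in jwks if _covers(jwk, seqno)]
    if len(matches) != 1:
        # Zero matches: unknown range. Several: overlapping ranges are ambiguous.
        raise KeySelectionError(f"{len(matches)} keys cover seqno {seqno}")
    if matches[0].get("kid") != receipt_kid:
        # The receipt names a key that was not valid at this point in the ledger,
        # e.g. a retired key used on a later transaction.
        raise KeySelectionError(f"key {receipt_kid!r} not valid for seqno {seqno}")
    return matches[0]

# Constructed sample DID document with one historic and one current key.
SAMPLE_DID_DOC = {
    "id": "did:web:ledger.example",
    "verificationMethod": [
        {"id": "did:web:ledger.example#key-old", "type": "JsonWebKey2020",
         "publicKeyJwk": {"kty": "EC", "crv": "P-384", "kid": "key-old",
                          RANGE_PARAM: {"first": 1, "last": 120}}},
        {"id": "did:web:ledger.example#key-new", "type": "JsonWebKey2020",
         "publicKeyJwk": {"kty": "EC", "crv": "P-384", "kid": "key-new",
                          RANGE_PARAM: {"first": 121}}},
    ],
}

if __name__ == "__main__":
    print(select_service_key(SAMPLE_DID_DOC, 50, "key-old")["kid"])
    print(select_service_key(SAMPLE_DID_DOC, 121, "key-new")["kid"])
```

Signature verification with the selected key is left out; the point is that a receipt is rejected before any cryptographic check when its key was not the service identity for that sequence number.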