[pubcookie-dev] Graceful rotation of granting key pair?
emumpowe at akamai.com
Tue Aug 5 09:35:10 PDT 2008

Currently, rotation of the granting key pair requires a flag day;
all clients which do not immediately download the new granting cert
will be unable to authenticate new users until they do so. Any site
with more than a handful of Pubcookie clients will find this sort
of rotation prohibitively disruptive. (I suspect most sites
have probably never rotated their Pubcookie granting key pair.)

I would like to submit a patch to permit graceful key rotation,
or at the very least a patch which allows key rotation to occur
in some fashion which does not disrupt end-users.

To support key rotation, I propose the setting of an additional
granting cookie (e.g. "pubcookie_old_g"). Under normal operation,
this cookie either would be unset, or would be identical to the
regular granting cookie (pubcookie_g). During the window for
granting-keypair-rotation, the pubcookie_old_g cookie would be
signed with the old granting cert; any client which was unable
to verify its regular granting cert would try using the
pubcookie_old_g cookie instead.

Currently, I have a field-tested patch which implements the
above proposal, but my changes were written for ease of
re-integration with future Pubcookie releases (instead of
aiming for elegance and readability). If my above
proposal (or some equally usable proposal) were approved by
the Pubcookie developers, I would be happy to develop and submit
a patch implementing the approved solution.

What do folks think?
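
The fallback check proposed in the message above, as an added example that is not part of the original post or of Pubcookie's code: the login server sets both cookies during the rotation window, and a client holding either cert tries pubcookie_g first, then pubcookie_old_g. Toy textbook RSA stands in for Pubcookie's real signing, and the function names, keys and payload layout are assumptions constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy textbook-RSA key (constructed; unpadded and far too small for real use)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(payload, n):
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n

def sign(key, payload):
    sig = pow(digest(payload, key["n"]), key["d"], key["n"])
    return f"{payload.hex()}.{sig:x}"

def verify(cert_n, cookie):
    """Return the payload if the cookie verifies against this cert, else None."""
    try:
        body, sig = cookie.split(".")
        payload, s = bytes.fromhex(body), int(sig, 16)
    except ValueError:
        return None
    if s >= cert_n or pow(s, E, cert_n) != digest(payload, cert_n):
        return None
    return payload

def login_server_cookies(payload, current_key, old_key=None):
    """old_key is passed only during the rotation window."""
    cookies = {"pubcookie_g": sign(current_key, payload)}
    if old_key is not None:
        cookies["pubcookie_old_g"] = sign(old_key, payload)
    return cookies

def client_accept(cookies, cert_n):
    """Try the regular granting cookie first, then the old-key fallback."""
    for name in ("pubcookie_g", "pubcookie_old_g"):
        payload = verify(cert_n, cookies[name]) if name in cookies else None
        if payload is not None:
            return name, payload
    return None, None

# Constructed keys (Mersenne primes) and payload; not Pubcookie's real cookie format.
OLD_KEY = make_key(2**127 - 1, 2**89 - 1)
NEW_KEY = make_key(2**107 - 1, 2**61 - 1)
PAYLOAD = b"user=alice;appsrvid=app.example.edu"

if __name__ == "__main__":
    during = login_server_cookies(PAYLOAD, NEW_KEY, OLD_KEY)
    print(client_accept(during, OLD_KEY["n"]))  # client still holding the old cert
    print(client_accept(during, NEW_KEY["n"]))  # client already updated
```

In this sketch, once the login server stops passing the old key, a client that never fetched the new cert is rejected again, so the length of the window bounds how long the old key stays trusted.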