Re: [GNAP] Key Rotation

Thomas Hardjono <> Wed, 07 July 2021 14:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 51F383A193B for <>; Wed, 7 Jul 2021 07:14:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yKnzd9CZg2DE for <>; Wed, 7 Jul 2021 07:14:51 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B6C133A193A for <>; Wed, 7 Jul 2021 07:14:51 -0700 (PDT)
Received: from (OC11EXEDGE1.EXCHANGE.MIT.EDU []) by (8.14.7/8.12.4) with ESMTP id 167EEWZH000537; Wed, 7 Jul 2021 10:14:47 -0400
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1497.18; Wed, 7 Jul 2021 10:14:37 -0400
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 7 Jul 2021 10:14:37 -0400
Received: from ([]) by ([]) with mapi id 15.00.1497.015; Wed, 7 Jul 2021 10:14:37 -0400
From: Thomas Hardjono <>
To: Justin Richer <>, Fabien Imbault <>
CC: GNAP Mailing List <>, Aaron Parecki <>
Thread-Topic: [GNAP] Key Rotation
Thread-Index: AQHXcq30x3d65dOot0G/DKz6SzbJvas2yuKAgAEC+gD//8EV1w==
Date: Wed, 07 Jul 2021 14:14:37 +0000
Message-ID: <>
References: <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [GNAP] Key Rotation
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 07 Jul 2021 14:14:57 -0000

As much as I like the direction of GNAP, is key-rotation (i.e. key management) even part of the GNAP charter? 

Key-rotation is a common problem for everyone, starting from the early days of IPsec/IKE.



From: TXAuth [] on behalf of Justin Richer []
Sent: Wednesday, July 7, 2021 9:57 AM
To: Fabien Imbault
Cc: GNAP Mailing List; Aaron Parecki
Subject: Re: [GNAP] Key Rotation

Aaron, that’s a great point about static registration. That leaves ephemeral or otherwise runtime keys, which might be good enough to just start a new request when needed?

Ben had previously posited a functional approach like sign(k2, sign(k1, (k2))): you use the old key (k1) to sign the new key (k2), then use the new key to sign that signature and present it. The thing that I get hung up on is having a way to do the key proofing for a new key that works consistently for all the different key types in use. The outer signature, signing with the new key, is easy: that’s the GNAP key proofing mechanism. The trick is carrying a signed object with the key material internally somehow — is there a way to handle that consistently across different proofing types?

There are a bunch of ways that it could be done with different proofing mechanisms and that might be the right approach. HTTP Message Signatures can attach multiple signatures. JWK-based-keys could use JWS to wrap the key content as part of the payload (so you’d get something like a nested JWT). MTLS is a strange one, but if you’re in certificate space you have other options like CA’s and OCSP to help manage your keys at a different level. So maybe GNAP just specifies the functional requirement at a high level and each proofing mechanism or deployment has to fill that somehow in its definition?

Still, something in me says that we should be able to do this in one consistent pattern, and I’d love to hear more ideas on how that could be handled. If we can crack that, then it becomes a matter of applying that to a bunch of different requests: grant update, token rotation, initial request, etc. This piece, at least, I believe can be applied pretty generically.

 — Justin

On Jul 6, 2021, at 6:30 PM, Fabien Imbault <<>> wrote:

Hi there,

As far as I know, key rotation remains a cumbersome process in most cases, to say the least. It's quite impressive how often that breaks (usually when a certificate expires somewhere).

The exception is caddy server, that does it really well. Works fine in production.

And then, as a proof of concept, there's DIF Keri that embeds key rotation as a primary requirement.


Le mar. 6 juil. 2021 à 23:29, Aaron Parecki <<>> a écrit :
I do think it's important that a client instance should be able to rotate its keys, as this is a pretty common practice in other related specs.

You mentioned pre-registered clients which I think is an interesting case. I would expect in those cases the client instance wouldn't actually be rotating its keys on its own, instead the developer/administrator would go into the management console to rotate the keys there, and deploy the new keys to the client instance, more like how typical OAuth clients work today.

Coming up with the actual rotation method is definitely an interesting challenge, but there must be some prior art to draw from here. Wouldn't existing specs like Mutual TLS or even PGP have some mechanism that could be reused?


On Tue, Jun 15, 2021 at 10:52 AM Justin Richer <<>> wrote:
In the GNAP protocol, most requests are bound to a key. There are pretty solid mechanisms for establishing those keys as part of the request, both dynamically and as part of some pre-registration step.

However, over time those keys could be rotated out by the parties that control them, and GNAP needs to be able to handle this.

        • Access tokens are bound to keys
                • We allow rotation of the token value at client instance request...
                • Should we allow rotation of the key also?
        • Grant transactions are also bound to keys
                • Specifically: the continuation access token is bound to a key
                • The key is initially the client instance’s key
                • Should the client be able to rotate this key separately?
        • Some client instances have registered keys
                • What happens when a client’s registered key rotates?

Secure rotation of a key would require some way for the presenter to prove possession of both the old and new keys simultaneously. It could be a matter of signing the request with the new key and include some artifact signed by the old key in the request, or the inverse of that. There are likely other methods out there, but this seems simplest.

What situations are people looking at for handling key rotation?

 — Justin
TXAuth mailing list<>
TXAuth mailing list<>