@@ -952,10 +952,11 @@ Additionally, servers must verify the following things about re-signed messages:
952952- The new signature matches the messages' contents, and is valid
953953- The ID-Cert corresponding to the new signature is a valid ID-Cert, issued by the correct home
954954 server
955+ - The ID-Cert corresponding to the new signature has a public key that was specified in the
956+ ` allowedResigningKeys ` property sent to the server when message re-signing was requested.
955957- The contents of the message have not been changed during the re-signing process
956-
957- The amount of keys that can be used to re-sign messages must not exceed the amount of keys sent in
958- the servers' key trial, but can be less.
958+ - The ` expires ` UNIX timestamp, specified when the server replied to the re-signing request,
959+ has not been reached or passed when the re-signed message was received by the server.
959960
960961Below is a sequence diagram depicting a typical re-signing process, which transfers ownership of
961962messages from Alice A to Alice B.
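Review bot: the removed sentence at 957-958 capped the number of re-signing keys at the number of keys proven in the key trial, and the new `allowedResigningKeys` bullet at 955-956 restates no bound at all; either note that the cap was dropped on purpose or add one (for example, "the `allowedResigningKeys` list must not contain more keys than were proven in the key trial"). The `expires` bullet at 958-959 should also say what the server does when the check fails (reject the batch) and whose clock is authoritative, since "has not been reached or passed" leaves both open.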
@@ -968,10 +969,10 @@ actor aa as Alice A
968969actor ab as Alice B
969970participant sc as Server "C" with stored<br/>messages from Alice A
970971
971- aa->>sc: Request allow message re-signing for Alice B
972+ aa->>sc: Request allow message re-signing for Alice B + list of "allowed" pubkeys
972973sc->>aa: List of keys to verify + challenge string (Key trial)
973974aa->>sc: Completed challenge for each key on the list
974- sc->>sc: Verify challenge, unlock re-signing for Alice B
975+ sc->>sc: Verify challenge, unlock re-signing for Alice B (only "allowed" pubkeys)
975976sc->>aa: Re-signing of messages for Alice B allowed
976977loop Do, while there are messages left to be re-signed
977978 ab->>sc: Request message re-signing<br/>for Alice A's messages
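Review bot: the reply "sc->>aa: Re-signing of messages for Alice B allowed" at 976 does not carry the `expires` timestamp, yet the verification rule added in the first hunk states that `expires` is "specified when the server replied to the re-signing request"; update that line to something like "Re-signing allowed for Alice B (+ `expires` timestamp)" so the diagram and the rules agree on where the value originates.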
@@ -981,6 +982,7 @@ loop Do, while there are messages left to be re-signed
981982 ab->>ab: Re-sign messages with own keys
982983 ab->>sc: Send new messages
983984 sc->>sc: Verify that only FID and signature related fields have changed
985+ sc->>sc: Verify that key used to produce signature is on "allowed" list
984986 sc->>ab: Acknowledge successful re-signing of batch
985987 opt
986988 ab--)ab: Pause for arbitrary amount of time
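Review bot: the new check at 985 covers only the allowed-keys rule, while the first hunk also requires the server to reject re-signed messages received after `expires`; add a matching "sc->>sc: Verify `expires` has not passed" step in the loop so the diagram shows every rule the server enforces, and consider placing the cheap allowed-key check before the field-comparison step at 984 so a message signed with a non-allowed key is rejected before its contents are inspected.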