You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: text/0000-cargo-asymmetric-tokens.md
+6-6Lines changed: 6 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -32,7 +32,7 @@ After the time window has expired, the data sent over the network can be made pu
32
32
Different registries will have different users in mind and have different use cases. Therefore, they will need to have different behaviors. So, there are many decisions a registry has to make that this RFC has no opinion on. Some examples:
33
33
34
34
- Bootstrapping trust: how does the registry decide to trust a new user?
35
-
- Key generation: where and how the key pair is made?
35
+
- Key generation: where and how is the key pair made?
36
36
- Key rotation: how often do existing users need to make a new key pair?
37
37
- Revocation: how does the registry decide to stop trusting an existing key pair?
38
38
@@ -49,7 +49,7 @@ Private registries that require authentication use asymmetric cryptography as a
49
49
50
50
There are credential processes for using key pairs stored on hardware tokens. Check crates.io to see if there's one available for your hardware. Each one is a little different, but the general workflow is:
2.run`cargo credential-process-for-your-hardware-token setup registryURL` to get your public key.
52
+
2.Run`cargo credential-process-for-your-hardware-token setup registryURL` to get your public key.
53
53
3. Go to the registries log in page, upload your public key and get your user ID.
54
54
4. Edit `credentials.toml` to have a `credential-process` field as described by `credential-process-for-your-hardware-token` docs. (The credential process command may help do this for you.)
55
55
@@ -69,7 +69,7 @@ A keypair can be generated with `cargo login --generate-keypair` which will:
69
69
- print the public key and the path to the file.
70
70
(See unresolved questions section.)
71
71
72
-
There is also a field called `user-id` which is a string chosen by the registry, which is intended to be non-secret and used for identifying the user. Cargo requires it to be non-whitespace printable ASCII, registries that need non-ASCII data should base64 encode it.
72
+
There is also a field called `user-id` which is a string chosen by the registry, which is intended to be non-secret and used for identifying the user. Cargo requires it to be non-whitespace printable ASCII. Registries that need non-ASCII data should base64 encode it.
73
73
A registry could use something human-readable like the name of the user or the name of the role. It could also use something arbitrary like the GUID associated with the row in the permissions table.
74
74
75
75
Both fields can be set with `cargo login --registry=name --private-key-path=path userId`.
@@ -86,13 +86,13 @@ The "footer" will include the user ID and the registry base URL. (The footer is
86
86
- The PASETO is in v3.public format.
87
87
- The PASETO validates using a public key for that user ID.
88
88
- The URL matches the registry base URL (to make sure a PASETO sent to one registry can't be used to authenticate to another, and to prevent typosquatting/homoglyph attacks)
89
-
- The PASETO is still within its valid time period (to limit replay attacks) 15 minutes will be recommended. but a shorter time can be used by a registry to further decrease replayability. Or a longer one can be used to better accommodate clock skew.
89
+
- The PASETO is still within its valid time period (to limit replay attacks). We recommend a 15 minute limit, but a shorter time can be used by a registry to further decrease replayability. Or a longer one can be used to better accommodate clock skew.
90
90
- If the server issues challenges, that the challenge has not yet been answered.
91
91
- If the operation is a mutation, that the package, version, and hash match the request.
92
92
93
93
## Credential Processes
94
94
95
-
Credential Processes as defined in [RFC 2730](https://github.com/rust-lang/rfcs/pull/2730) are outside programs cargo can call on to change where and how secrets are stored. That RFC defines `special strings` which go in the `credential-process` field to describe what data the process needs from cargo. This RFC adds `{claims}`. If used Cargo will replace it with a json encoded set of key value pairs that should be in the generated token. Cargo will check that the output of such a process looks like a valid PASETO v3.public token that Cargo would have generated, and that the PASETO token includes all the claims Cargo provided. The credential process may add additional claims (e.g. 2fa, TOTP), as long as they are nested in `custom`.
95
+
Credential Processes as defined in [RFC 2730](https://github.com/rust-lang/rfcs/pull/2730) are outside programs cargo can call on to change where and how secrets are stored. That RFC defines `special strings` which go in the `credential-process` field to describe what data the process needs from cargo. This RFC adds `{claims}`. If used Cargo will replace it with a JSON encoded set of key value pairs that should be in the generated token. Cargo will check that the output of such a process looks like a valid PASETO v3.public token that Cargo would have generated, and that the PASETO token includes all the claims Cargo provided. The credential process may add additional claims (e.g. 2fa, TOTP), as long as they are nested in `custom`.
96
96
97
97
## Note on stability
98
98
@@ -133,7 +133,7 @@ Without the private key an asymmetric cryptography token can only be used for th
133
133
134
134
This gets Cargo involved in the cryptographic standards used by registries, which puts a lot of complexity on ourselves. Now rust teams need to be involved in conversations about what cryptographic standards alternative registries choose to use.
135
135
136
-
Furthermore this RFC attempts to make a start on solving several problems at the same time. It may be that in time we discover these problems need to be solved separately. If we end up with a separate system for code signing and a separate system for authorization, then a simpler more direct method of authentication might have been a better choice.
136
+
Furthermore, this RFC attempts to make a start on solving several problems at the same time. It may be that in time we discover these problems need to be solved separately. If we end up with a separate system for code signing and a separate system for authorization, then a simpler more direct method of authentication might have been a better choice.
0 commit comments