|
| ▲ | nijave an hour ago | parent | next [-] |
| How can the key be stolen easily? That really depends on the security of the Redis setup. Redis is typically not internet accessible so you'd need some sort of server exploit. Would have been good if the article example showed a Redis server with TLS and password auth. |
| |
| ▲ | time4tea an hour ago | parent [-] | | Private key material should not be kept in the clear anywhere, ideally.
This includes on your dev machine, serialised in a store, in the heap of your process, anywhere.
Of course, it depends on your threat environment, but the article did mention pci-dss.
If you put it in redis, then anyone that has access (internal baddies exist too!) can steal the key and sign something. Its hard to repudiate that. |
|
|
| ▲ | a_random_name an hour ago | parent | prev [-] |
| (glanced at it so I could be wrong) They're talking about a public key that can be used to validate the JWT's authenticity. AFAIK there is no need to keep these secret, and it's not possible to (without breaking public key crypto) forge them so it should be safe to store them wherever. |
| |
| ▲ | time4tea an hour ago | parent [-] | | From article: Private key redis key public static string PrivateKey(string kid) => $"{Root}:jwks:private:{kid}"; // full private material (short life)
| | |
|
