| ▲ | glitchc 3 days ago |
| You're clearly not using these keys in certificates, which would need to be signed by a root or interim CA on every update. |
|
| ▲ | bob1029 3 days ago | parent [-] |
| Correct. The keys are only used for signing JWTs. Trust was established with the vendor out of band from this wire protocol (the URL they scan for public keys). |
| |
| ▲ | SahAssar 2 days ago | parent [-] | | I'm not sure I understand, but haven't you just moved the problem to the out of band layer? And is that layer not secured using the same normal (somewhat) long-lived TLS as most sites? I don't think I understand the threat model you are using here? | | |
| ▲ | bob1029 2 days ago | parent [-] | | Think of the out of band layer as two human executives exchanging URLs and GUIDs in person. You still need a secure transport, but in this model the thing that is being secured on the wire expires within 15 minutes. The only way to break the model is to defeat a transport or protocol key and only before rotation, revocation and expiration can catch up each time. |
|
|
