Unique revocation ids
divarvel opened this issue · 4 comments
Currently, the revocation id for a given block (including the authority) depends only on the block public key, the serialized block representation, and the revocation ids of previous blocks.
While the additional blocks have random public keys, the authority block has a fixed public key. In practice, that means revoking a token with the revocation id corresponding to its authority block will revoke every token emitted with the same authority contents and the same public key, which can be useful, but does not allow revoking a given token.
Thankfully, signing each block (including the authority) involves some randomness, which is stored in the parameters part of the signature. Having revocation ids depend on this part would allow to revoke unique tokens.
So, in addition to the current computation, it would be interesting to include bytes from the parameters part of the signature.
revocation_id(n) = sha256([blockBytes[i] <> pubBytes[i], i <- [0..n]]);
The question is, how to compute it exactly? Since public keys for extra blocs are random, I think using the parameter of the authority block should be enough.
unique_revocation_id(n) = sha256(parameters[0] <> [blockBytes[i] <> pubBytes[i], i <- [0..n]]);
Now, that relies on having the parameters bit impossible to change without invalidating the signature. I do think that's a property we can rely upon, but I'd like to have it confirmed.
another solution would be to just use the parameter for each block, since it's random.
For now, the haskell implementation computes an extra unique_revocation_id computed as such:
unique_revocation_id(n) = sha256(blockBytes[i] <> pubBytes[i] <> parameters[i], i <- [0..n]))
https://github.com/divarvel/biscuit-haskell/blob/main/biscuit/src/Auth/Biscuit/Token.hs#L196
this is now implemented in the rust version as well: biscuit-auth/biscuit-rust@2191b63
Solved by biscuit v2