microsoft/did-ccf

Identifier#controller or #controllerDelegate unreliable under key rotation

Opened this issue · 0 comments

Describe the bug
Identifiers are tied to the id of an AuthenticatedIdentity, but this id in turn is the digest of that entity's public key. If the entity rotates their cert/key pair, then they could lose access to Identifiers of which they are either the controller or the delegate controller, cf.

return (authenticatedIdentity.identifier === this.controller ||

To Reproduce

  • Add a member or user to a consortium
  • Create one or more Identifiers with the entity (or on their behalf).
  • Rotate the entity's key
  • Try and perform an authenticated operation with any or all of the Identifiers created with or on behalf of the entity

Expected behavior
A user or member should be able to access their Identifiers subsequent to any number of key rotations
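
The failure mode reported above, as a stand-alone Node.js model added here; it is not did-ccf code. Assumptions: the digest is SHA-256 over the SPKI DER encoding of the key, and all class and function names, including the `SubjectRegistry` indirection shown as one possible way to meet the expected behavior, are hypothetical.

```javascript
// Added illustration, not did-ccf code; every name below is hypothetical.
const { createHash, generateKeyPairSync } = require("node:crypto");

// Assumption: identity id = SHA-256 over the SPKI DER of the public key.
function keyDigest(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return createHash("sha256").update(der).digest("hex");
}
const newKey = () => generateKeyPairSync("ec", { namedCurve: "P-256" }).publicKey;

// Behaviour described in the issue: the controller is pinned to a key digest.
class DigestBoundIdentifier {
  constructor(controllerKey) { this.controller = keyDigest(controllerKey); }
  isController(presentedKey) { return keyDigest(presentedKey) === this.controller; }
}

// Hypothetical alternative: bind to a stable subject id and resolve the
// presented key through a registry that is updated on rotation.
class SubjectRegistry {
  constructor() { this.current = new Map(); } // subjectId -> current key digest
  enroll(subjectId, key) { this.current.set(subjectId, keyDigest(key)); }
  // Rotation is accepted only from the holder of the currently registered key;
  // an unauthenticated rotation would hand the Identifiers to anyone.
  rotate(subjectId, presentedKey, nextKey) {
    if (this.current.get(subjectId) !== keyDigest(presentedKey)) return false;
    this.current.set(subjectId, keyDigest(nextKey));
    return true;
  }
  resolve(presentedKey) {
    const d = keyDigest(presentedKey);
    for (const [id, digest] of this.current) if (digest === d) return id;
    return null;
  }
}

class SubjectBoundIdentifier {
  constructor(subjectId) { this.controller = subjectId; }
  isController(registry, key) { return registry.resolve(key) === this.controller; }
}

// Enroll with k1, create both kinds of Identifier, rotate to k2, then re-check.
function demo() {
  const k1 = newKey(), k2 = newKey(), registry = new SubjectRegistry();
  registry.enroll("member-0", k1);
  const pinned = new DigestBoundIdentifier(k1);
  const stable = new SubjectBoundIdentifier("member-0");
  const rotated = registry.rotate("member-0", k1, k2);
  return { rotated, pinnedAfter: pinned.isController(k2),
           stableAfter: stable.isController(registry, k2),
           oldKeyAfter: stable.isController(registry, k1) };
}
```

After rotation the digest-pinned Identifier rejects the new key, while the subject-bound one accepts it and stops accepting the retired key.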