Fix #658: Support blind key rotation in HTTP Signatures

Agate requested to merge 658-blind-key-rotation into develop

Closes #658 (closed)

Cf https://blog.dereferenced.org/the-case-for-blind-key-rotation

When we fail on an invalid signature while authenticating an HTTP request, we'll now:

  1. Catch the error
  2. Refetch the actor object (to potentially load a new public key)
  3. Retry the signature verification with the new public key (and fail for real this time in case of error)

Todo:

  • Regenerate local actor key when a Delete activity occurs
Edited by Agate
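
The catch, refetch, retry-once flow from the description, as an added example that is not code from this merge request or the project. `ActorKeyCache`, `fetch_actor_key` and `sign` are hypothetical names, and HMAC-SHA256 stands in for the public-key signature check so the sketch stays standard-library only.

```python
import hashlib
import hmac


class InvalidSignature(Exception):
    pass


def sign(key: bytes, message: bytes) -> bytes:
    # Constructed helper for sample data; a real sender signs with a private key.
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, signature: bytes) -> None:
    # Stand-in for the real public-key verification (assumption, see lead-in).
    if not hmac.compare_digest(sign(key, message), signature):
        raise InvalidSignature("signature does not match key")


class ActorKeyCache:
    def __init__(self, fetch_actor_key):
        self.fetch_actor_key = fetch_actor_key  # hypothetical: refetches the actor object
        self.keys = {}       # actor id -> last known key
        self.refetches = 0   # worth monitoring: each failure costs one outbound fetch

    def authenticate(self, actor_id, message, signature):
        key = self.keys.get(actor_id)
        just_fetched = key is None
        if just_fetched:
            key = self.keys[actor_id] = self.fetch_actor_key(actor_id)
        try:
            verify(key, message, signature)
            return "first-try"
        except InvalidSignature:
            if just_fetched:
                raise  # key is already fresh, a refetch cannot help
        # Step 2: refetch the actor object, at most once per request.
        self.refetches += 1
        fresh = self.fetch_actor_key(actor_id)
        if hmac.compare_digest(fresh, key):
            raise InvalidSignature("key unchanged after refetch")
        # Step 3: retry; a failure here propagates and the old key stays cached.
        verify(fresh, message, signature)
        self.keys[actor_id] = fresh
        return "after-refetch"
```

The cached key is replaced only after the retry succeeds, so a forged request cannot evict a valid key.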