Improving OpenIDs use of cryptography 2 - lifespans

[Paul Crowley]

Everything needs an explicit lifespan.  You shouldn't assume a key will 
stay secret forever, and explicitness is the watchword for secure 
cryptographic protocols - see Anderson and Needham, "Programming Satan's 
Computer".

The identity tokens that the ID server produces should include explicit 
expiry times.  And the authentication keys used to sign or MAC them must 
also have expiry times.  The least of these should be used by the client 
as the expiry time of the token.

Giving the keys expiry times introduces a complication in the protocol. 
  Currently we state that we expect the token to be signed by "the" DSA 
key for the identity server.  However, if we're to avoid trouble when 
these tokens expire, a given server must support several authentication 
keys with overlapping lifetimes, which means that the consumer should 
state which key it expects the server to use when signing the token. 
This change is in any case necessary for the change to MACs.

Overlapping keys also means that as well as expiry times, keys need 
"recommended replacement times", after which consumers are recommended 
to fetch a new key from the server ASAP.
-- 
   __
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/