Intended to be merged into #341 as an amendment.
Problem
As written, the lookup signature is over the bare public key bytes. That message is static and over a value that is itself public, so the signature is a permanent bearer token: anyone who observes it once (mint logs, a TLS-terminating proxy, a MITM) can replay it forever to read that pubkey's quote history.
Change
The signature now commits to a fresh, mint-scoped message:
mint_pubkey (from the NUT-06 info response) binds the signature to one mint, so it cannot be replayed against another mint. The mint pubkey is used rather than the mint URL to avoid URL canonicalization ambiguity. Mints supporting this NUT MUST advertise a pubkey.
nonce (random 16 bytes) dedups within that window, so the mint only retains nonces for max_age. No challenge round trip.
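The exchange the PR description proposes, as an added example that is not part of the PR or of any Cashu implementation. It models the message described above (mint pubkey, timestamp, nonce; the thread later agrees to drop the nonce and timestamp) and shows why a captured request cannot be replayed to the same mint, to another mint, or after max_age. Assumptions: P-256 ECDSA from the Go standard library stands in for the secp256k1 signatures Cashu uses, the domain tag and the byte layout of the signed message are invented for the example, and the mint's pubkey is the uncompressed X||Y bytes it would advertise in NUT-06.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
)

// domainTag is an ASSUMED prefix; the PR text does not name one.
const domainTag = "cashu-quote-lookup-v0"

// lookupMessage is what the wallet signs. The field set (mint pubkey, timestamp,
// nonce) is the PR's; the byte layout is assumed for this example.
func lookupMessage(mintPub []byte, ts int64, nonce [16]byte) []byte {
	var b bytes.Buffer
	b.WriteString(domainTag)
	b.Write(mintPub)
	binary.Write(&b, binary.BigEndian, ts)
	b.Write(nonce[:])
	return b.Bytes()
}

type LookupRequest struct {
	WalletPub *ecdsa.PublicKey
	Timestamp int64
	Nonce     [16]byte
	Sig       []byte
}

var (
	ErrStale  = errors.New("timestamp outside max_age window")
	ErrBadSig = errors.New("signature does not verify for this mint")
	ErrReplay = errors.New("nonce already used within max_age")
)

// Mint keeps only what replay protection needs: its key, the accepted clock
// skew (the spec's max_age, in seconds) and the nonces seen inside that window.
type Mint struct {
	key    *ecdsa.PrivateKey
	MaxAge int64
	mu     sync.Mutex
	seen   map[[16]byte]int64 // nonce -> timestamp it arrived with
}

func NewMint(maxAge int64) *Mint {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Mint{key: k, MaxAge: maxAge, seen: map[[16]byte]int64{}}
}

// PubBytes is the value the mint would advertise in its NUT-06 info response.
func (m *Mint) PubBytes() []byte {
	x := m.key.PublicKey.X.FillBytes(make([]byte, 32))
	return append(x, m.key.PublicKey.Y.FillBytes(make([]byte, 32))...)
}

// Verify checks a request at server time now (seconds): age window first,
// then the mint-scoped signature, then nonce freshness.
func (m *Mint) Verify(req LookupRequest, now int64) error {
	age := now - req.Timestamp
	if age < 0 {
		age = -age // tolerate skew in both directions
	}
	if age > m.MaxAge {
		return ErrStale
	}
	digest := sha256.Sum256(lookupMessage(m.PubBytes(), req.Timestamp, req.Nonce))
	if !ecdsa.VerifyASN1(req.WalletPub, digest[:], req.Sig) {
		return ErrBadSig // a signature made for another mint's pubkey lands here
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	for n, ts := range m.seen { // drop nonces the age check alone would now reject
		if now-ts > m.MaxAge {
			delete(m.seen, n)
		}
	}
	if _, dup := m.seen[req.Nonce]; dup {
		return ErrReplay
	}
	m.seen[req.Nonce] = req.Timestamp // only valid signatures consume a slot
	return nil
}

// SignLookup is the wallet side: fresh nonce, current time, mint-scoped message.
func SignLookup(wallet *ecdsa.PrivateKey, mintPub []byte, ts int64) (LookupRequest, error) {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return LookupRequest{}, err
	}
	digest := sha256.Sum256(lookupMessage(mintPub, ts, nonce))
	sig, err := ecdsa.SignASN1(rand.Reader, wallet, digest[:])
	if err != nil {
		return LookupRequest{}, err
	}
	return LookupRequest{WalletPub: &wallet.PublicKey, Timestamp: ts, Nonce: nonce, Sig: sig}, nil
}

// Scenario presents one captured request the three ways the PR discusses and
// returns the outcomes: fresh, replayed, sent to another mint, sent after max_age.
func Scenario() (fresh, replay, crossMint, stale error) {
	const now = int64(1700000000) // fixed clock for a deterministic run
	mintA, mintB := NewMint(600), NewMint(600)
	wallet, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	req, err := SignLookup(wallet, mintA.PubBytes(), now)
	if err != nil {
		return err, err, err, err
	}
	fresh = mintA.Verify(req, now)
	replay = mintA.Verify(req, now+5)  // same bytes captured and resent
	crossMint = mintB.Verify(req, now) // same bytes sent to a different mint
	stale = mintA.Verify(req, now+601) // resent once max_age has passed
	return
}

func main() {
	fresh, replay, crossMint, stale := Scenario()
	fmt.Println("fresh:", fresh, "| replay:", replay, "| cross-mint:", crossMint, "| stale:", stale)
}
```

The signature is checked before the nonce table is touched, so an unauthenticated sender cannot fill the table, and pruning happens inline on each verify because anything older than max_age is already rejected by the age check, which is the property the description relies on when it says no background cleanup is needed.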
I think it's not worth it to add a nonce. It would mean the mint has to keep track of them and run background tasks to clear them, etc. No. A timestamp, with a wide +/-10 minute tolerance, is enough.
The nonce is time-bound by the timestamp; it covers the replay protection concern within the time allocation.
The mint only needs to track nonces for max_age seconds. After that, the signature can't be replayed because of its age. It removes the need for an extra call to the mint to get a nonce challenge (which the mint would ALSO have to track).
Removing it means we accept replay in the max_age window.
PR updated following offline discussions. Nonce and timestamp now removed as agreed.
@callebtc - this should be ready to merge into #341, making it ready for final review and NUT numbering.