Mishti: implement double hashing (iam, embed, infra) #3187

Open
nutrina opened this issue Jan 21, 2025 · 0 comments · May be fixed by #3247

nutrina commented Jan 21, 2025

This request affects the following components:

  • iam
  • embed
  • identity
  • infra for iam & embed

We need to make sure this is resilient to Mishti being down and we can use the current system for a period of time until Mishti is fully ready and has had a successful epoch (90 day period).

Summary

  • we will introduce the concept of epochs
  • the VC structure will be changed:
    • we'll replace the hash attribute with nullifiers which will contain an array of 2 hashes:
      • the 1st will be the active hash of the epoch
      • the 2nd will be the future hash (the active hash in the next epoch)
  • each epoch will use 2 private keys
    • active key - will be used to sign VCs and onchain payloads and create the active hash
    • future key - will be used to create the future hash. This key will become the active key in the next epoch.
  • the functionality which issues the VCs in the new format should not be enabled by default, but should require a feature flag which is off by default
    • feature flags will be configured both in embed and iam services
  • the configuration specific for this new feature should include the following env vars:
    • CURRENT_EPOCH_KEY
    • CURRENT_EPOCH_START_TIME - start time in ISO format
    • NEXT_EPOCH_1_KEY
    • NEXT_EPOCH_1_START_TIME - start time in ISO format
    • NEXT_EPOCH_2_KEY
    • NEXT_EPOCH_2_START_TIME - start time in ISO format

Depends on:

Acceptance criteria

GIVEN I start / restart the iam or embed services
WHEN the service starts
THEN they load the current and next epoch start date, end date and keys
AND I am able to claim the new credentials on the new /api/v0.0.0/verify endpoint

GIVEN the iam & embed services are running and we have 3 epochs configured (epoch 1 - current, epoch 2, epoch 3)
AND the end of the current epoch (and implicitly the start of the next epoch) is configured to be T
WHEN I make a request to /api/v0.0.0/verify before time T
THEN I get a VC signed with epoch 1 and hashes for epoch 1 and 2
AND WHEN I make a request to /api/v0.0.0/verify starting with time T
THEN I get a VC signed with epoch 2 and hashes for epoch 2 and 3
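
A sketch of the epoch selection and double hashing described in the issue, added here as an example; it is not code from the issue or from the Passport repositories. It assumes HMAC-SHA256 as a stand-in for the hash (the issue does not say how hashes are derived), and the function names, record string and key values are constructed for illustration.

```typescript
import { createHmac } from "node:crypto";

type Epoch = { name: string; key: string; start: number };
type Env = Record<string, string | undefined>;

// Read the three epochs from the env vars listed in the issue.
function loadEpochs(env: Env): Epoch[] {
  const epochs = ["CURRENT_EPOCH", "NEXT_EPOCH_1", "NEXT_EPOCH_2"].map((name) => {
    const key = env[`${name}_KEY`];
    const start = Date.parse(env[`${name}_START_TIME`] ?? "");
    if (!key || Number.isNaN(start)) throw new Error(`missing or invalid config for ${name}`);
    return { name, key, start };
  });
  // Fail at startup if start times are not strictly increasing.
  epochs.forEach((e, i) => {
    if (i > 0 && e.start <= epochs[i - 1].start) throw new Error(`${e.name} must start after the previous epoch`);
  });
  return epochs;
}

// Active epoch = latest one whose start is <= now (T is inclusive); future = the one after it.
function selectEpochs(epochs: Epoch[], now: Date): { active: Epoch; future: Epoch } {
  let i = -1;
  epochs.forEach((e, idx) => { if (e.start <= now.getTime()) i = idx; });
  if (i < 0) throw new Error("no epoch has started yet");
  if (i + 1 >= epochs.length) throw new Error("no future epoch configured; keys must be rotated");
  return { active: epochs[i], future: epochs[i + 1] };
}

// ASSUMPTION: HMAC-SHA256 stands in for the hash function, which the issue leaves unspecified.
function hashRecord(key: string, record: string): string {
  return createHmac("sha256", key).update(record).digest("base64");
}

// nullifiers = [active hash, future hash], in the order given in the issue.
function nullifiersFor(record: string, epochs: Epoch[], now: Date): [string, string] {
  const { active, future } = selectEpochs(epochs, now);
  return [hashRecord(active.key, record), hashRecord(future.key, record)];
}

// Constructed sample configuration; the keys are placeholders, not real secrets.
const sampleEnv: Env = {
  CURRENT_EPOCH_KEY: "placeholder-key-1", CURRENT_EPOCH_START_TIME: "2025-01-01T00:00:00Z",
  NEXT_EPOCH_1_KEY: "placeholder-key-2", NEXT_EPOCH_1_START_TIME: "2025-04-01T00:00:00Z",
  NEXT_EPOCH_2_KEY: "placeholder-key-3", NEXT_EPOCH_2_START_TIME: "2025-06-30T00:00:00Z",
};
```

The future hash issued before T equals the active hash issued from T onward, so a nullifier recorded in one epoch can still be matched in the next. Once the last configured epoch becomes active the sketch refuses to issue, since no future key is available.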

@nutrina nutrina converted this from a draft issue Jan 21, 2025
@nutrina nutrina changed the title Mishti: implement double hashing Mishti: implement double hashing (iam, embed, infra) Jan 21, 2025
@lucianHymer lucianHymer moved this from Prioritized to In Progress (WIP) in Passport New Feb 6, 2025
@lucianHymer lucianHymer self-assigned this Feb 6, 2025
@lucianHymer lucianHymer moved this from In Progress (WIP) to Code Complete in Passport New Feb 12, 2025