git.stella-ops.org/docs/security/dpop-mtls-rollout.md
StellaOps Bot f1a39c4ce3 · 2025-12-13 18:08:55 +02:00
Authority DPoP + mTLS Rollout Plan (Sprint 100)

Last updated: 2025-11-07

Objectives

  1. Enforce DPoP sender constraints (AUTH-DPOP-11-001).
  2. Bind high-assurance tenants to mTLS tokens (AUTH-MTLS-11-002).
  3. Provide telemetry + runbooks so plugins (SEC2/SEC3/SEC5) can validate enforcement without regressions.

Phase 1 · Config & Telemetry (ETA 2025-11-08)

  • Extend authority.yaml with security.senderConstraints.dpop section (nonce store, allowed algorithms, replay window).
  • Wire structured logs (authority.dpop.request) containing tenant, client, cnf thumbprint, nonce status.
  • Add DPoPNonceStore abstraction + Redis implementation for multi-node deployments.
  • Update integration tests: AuthorityTokenTests.DPoPNonceRequired, AuthorityTokenTests.DPoPMustMatchCnF.

Phase 2 · Enforcement & Fallback (ETA 2025-11-10)

  • Reject /token requests lacking DPoP proof when tenant policy requires it.
  • Persist cnf.jkt and expose it through /introspect so downstream services can validate the sender.
  • Add emergency bypass flag (security.senderConstraints.dpop.allowTemporaryBypass) for sealed recap drills; default disabled.
    • When enabled, Authority logs authority.dpop.proof.bypass, adds authority.dpop_result=bypass telemetry, and issues tokens without cnf so downstream services know sender constraints were relaxed. Reset immediately after the drill.
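The Phase 1 and Phase 2 items above (nonce store with a replay window, the authority.dpop.request reason tags, cnf.jkt persistence, the 400 use_dpop_nonce and 401 replay outcomes) fit together in one verifier. The following is an added example written for this plan, not code from the Authority service, and it is in Go rather than the service's own .NET so it runs stand-alone with only the standard library: NonceStore is a hypothetical in-memory stand-in for the DPoPNonceStore abstraction (the Redis implementation would expire keys with a TTL instead), the reason-tag names other than use_dpop_nonce are this example's own, and MakeProof exists only to produce proofs for the verifier to check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"sync"
	"time"
)

var b64 = base64.RawURLEncoding // JWS and JWK-thumbprint encoding: base64url, no padding

// NonceStore is a hypothetical in-memory stand-in for the plan's DPoPNonceStore: it
// remembers proof jti values for the replay window so a captured proof cannot be reused.
// A production store (Redis with TTL = window) expires entries instead of keeping them.
type NonceStore struct {
	mu     sync.Mutex
	seen   map[string]time.Time
	window time.Duration
}

func NewNonceStore(w time.Duration) *NonceStore { return &NonceStore{seen: map[string]time.Time{}, window: w} }

// Remember reports false when jti was already presented inside the replay window.
func (s *NonceStore) Remember(jti string, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if t, dup := s.seen[jti]; dup && now.Sub(t) <= s.window {
		return false
	}
	s.seen[jti] = now
	return true
}

// encoding/json matches keys case-insensitively, so these decode the lowercase JWS names.
type proofHeader struct {
	Typ, Alg string
	JWK      struct{ Kty, Crv, X, Y string }
}
type proofClaims struct {
	Jti, Htm, Htu, Nonce string
	Iat                  int64
}

func coord(v *big.Int) string { return b64.EncodeToString(v.FillBytes(make([]byte, 32))) }

// Thumbprint is the RFC 7638 thumbprint of a P-256 key, i.e. the cnf.jkt value:
// required members only, lexicographic order, no whitespace, SHA-256, base64url.
func Thumbprint(pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, coord(pub.X), coord(pub.Y))))
	return b64.EncodeToString(sum[:])
}

// VerifyProof validates a DPoP proof for method/url against the server-issued nonce and the
// replay store. It returns the HTTP status, a reason tag for the authority.dpop.request log
// line (tag names are this example's own) and, on success, the jkt to persist in cnf.
func VerifyProof(proof, method, url, wantNonce string, now time.Time, store *NonceStore) (int, string, string) {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 { // covers the missing-proof case too: "" splits into one part
		return 400, "proof-malformed", ""
	}
	hb, e1 := b64.DecodeString(parts[0])
	cb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr proofHeader
	var cl proofClaims
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &cl) != nil {
		return 400, "proof-malformed", ""
	}
	xb, ex := b64.DecodeString(hdr.JWK.X)
	yb, ey := b64.DecodeString(hdr.JWK.Y)
	if ex != nil || ey != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" {
		return 400, "proof-malformed", ""
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // JWS ES256: raw r||s over header.payload
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return 401, "proof-signature", "" // signature first: no claim below is trusted before this passes
	}
	if cl.Htm != method || cl.Htu != url {
		return 401, "proof-binding", ""
	}
	if age := now.Unix() - cl.Iat; age < -30 || age > int64(store.window.Seconds()) {
		return 401, "proof-expired", ""
	}
	if cl.Nonce != wantNonce {
		return 400, "use_dpop_nonce", "" // client retries with the value from the DPoP-Nonce header
	}
	if !store.Remember(cl.Jti, now) {
		return 401, "nonce-replay", ""
	}
	return 200, "ok", Thumbprint(pub)
}

// MakeProof signs a proof the way a client would; it exists only to drive the verifier.
func MakeProof(priv *ecdsa.PrivateKey, method, url, nonce, jti string, iat time.Time) string {
	hdr := fmt.Sprintf(`{"typ":"dpop+jwt","alg":"ES256","jwk":{"kty":"EC","crv":"P-256","x":"%s","y":"%s"}}`, coord(priv.X), coord(priv.Y))
	cl := fmt.Sprintf(`{"jti":"%s","htm":"%s","htu":"%s","iat":%d,"nonce":"%s"}`, jti, method, url, iat.Unix(), nonce)
	input := b64.EncodeToString([]byte(hdr)) + "." + b64.EncodeToString([]byte(cl))
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	return input + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	store, now, url := NewNonceStore(5*time.Minute), time.Now(), "https://authority.example/token"
	p := MakeProof(priv, "POST", url, "srv-nonce-1", "jti-1", now)
	fmt.Println(VerifyProof(p, "POST", url, "srv-nonce-1", now, store)) // accepted, returns jkt
	fmt.Println(VerifyProof(p, "POST", url, "srv-nonce-1", now, store)) // same proof again: nonce-replay
}
```

The ordering matters for the telemetry: a proof whose signature fails never reaches the nonce check, so authority_dpop_nonce_miss_total counts only genuinely signed proofs that carry a stale nonce or a reused jti, which is the signal the 5% alert threshold is meant to watch.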

Phase 3 · mTLS Binding (ETA 2025-11-10)

  • Capture client cert thumbprint on /token (mutual TLS) and store in authority_tokens.senderCertificate.
  • Validate cert hash on /introspect and /fresh-auth.
  • Document bootstrap/rotation in docs/11_AUTHORITY.md + docs/security/dpop-mtls-rollout.md (this file).
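The Phase 3 capture-and-validate steps, as an added example (not Authority code, and in Go rather than .NET so it runs stand-alone). It assumes the value stored in authority_tokens.senderCertificate is the certificate thumbprint used by RFC 8705 (base64url SHA-256 of the DER certificate, the cnf x5t#S256 value), that TokenRecord is a hypothetical slice of that row, and that the three reason tags come from the Telemetry section below; SelfSigned builds a constructed client certificate so the example needs no bootstrap CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// CertThumbprint is base64url(SHA-256(DER)), the RFC 8705 x5t#S256 value; this is what
// the example assumes authority_tokens.senderCertificate holds.
func CertThumbprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// TokenRecord is a hypothetical slice of the authority_tokens row described in the plan.
type TokenRecord struct {
	TokenID           string
	Tenant            string
	SenderCertificate string // thumbprint captured at /token; empty when the token was not mTLS-bound
}

// IssueBound is the /token side for a high-assurance tenant: refuse unless a client
// certificate was presented on the mutual-TLS connection, then bind its thumbprint.
// The second return value is "ok" or a reason tag for authority_mtls_mismatch_total.
func IssueBound(id, tenant string, cs *tls.ConnectionState) (TokenRecord, string) {
	if cs == nil {
		return TokenRecord{}, "context-missing" // request did not arrive over a TLS connection we can inspect
	}
	if len(cs.PeerCertificates) == 0 {
		return TokenRecord{}, "missing-certificate" // TLS, but the client sent no certificate
	}
	return TokenRecord{id, tenant, CertThumbprint(cs.PeerCertificates[0])}, "ok"
}

// CheckSender is the /introspect and /fresh-auth side: the leaf certificate on the
// current connection must hash to the thumbprint stored with the token.
func CheckSender(tok TokenRecord, cs *tls.ConnectionState) string {
	if tok.SenderCertificate == "" {
		return "unbound" // token was issued without binding; tenant policy decides whether that is acceptable
	}
	if cs == nil {
		return "context-missing"
	}
	if len(cs.PeerCertificates) == 0 {
		return "missing-certificate"
	}
	got := CertThumbprint(cs.PeerCertificates[0])
	if subtle.ConstantTimeCompare([]byte(got), []byte(tok.SenderCertificate)) != 1 {
		return "thumbprint-mismatch"
	}
	return "ok"
}

// SelfSigned builds a constructed client certificate for the example only; real clients
// carry certificates issued through the bootstrap/rotation flow in docs/11_AUTHORITY.md.
func SelfSigned(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	a, b := SelfSigned("svc-a"), SelfSigned("svc-b")
	withA := &tls.ConnectionState{PeerCertificates: []*x509.Certificate{a}}
	withB := &tls.ConnectionState{PeerCertificates: []*x509.Certificate{b}}
	tok, why := IssueBound("tok-1", "tenant-hi", withA)
	fmt.Println(why, tok.SenderCertificate)
	fmt.Println(CheckSender(tok, withA), CheckSender(tok, withB), CheckSender(tok, nil))
}
```

Only the leaf certificate (PeerCertificates[0]) is hashed, so a rotated certificate yields a new thumbprint and existing tokens fail with thumbprint-mismatch; that is the expected behaviour to document alongside the rotation procedure.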

Verification Matrix

| Scenario | Test/Command | Expected |
| --- | --- | --- |
| DPoP required w/out proof | dotnet test Authority.Tests --filter DPoPRequiresProofTest | 400 with use_dpop_nonce header. |
| Nonce replay | Replay previous proof within window | 401 + audit log entry. |
| mTLS mismatch | Reuse token with different cert | 401 + senderCertificateMismatch metric increment. |

Telemetry & Alerting

  • Metrics: authority_dpop_nonce_miss_total, authority_mtls_mismatch_total (emitted with reason tags for context-missing, missing-certificate, and thumbprint-mismatch cases).
  • Logs: authority.security.senderConstraint (structured).
  • Alerts: Page DevOps when nonce miss > 5% or mTLS mismatches > 0 over 10 min.

Dependencies

  • Authority Core & Security Guild owners.
  • DevOps to provide sealed-mode CI coverage (DEVOPS-AIRGAP-57-002).
  • Plugin Standard Guild to consume new telemetry once rolled out.

Communication

  • Daily async update in #guild-authority thread referencing this plan.
  • Link this document from docs/implplan/archived/SPRINT_0100_0001_0001_identity_signing.md notes once Phase 1 merges.