stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
4344020dd1d56b7d944d475f128cb8a2c227ff59
git.stella-ops.org/docs/security/dpop-mtls-rollout.md
StellaOps Bot f1a39c4ce3
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Details
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Details
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Details
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Details
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
up
2025-12-13 18:08:55 +02:00

47 lines
2.8 KiB
Markdown
Raw Blame History

# Authority DPoP + mTLS Rollout Plan (Sprint 100)
_Last updated: 2025-11-07_
## Objectives
1. Enforce DPoP sender constraints (`AUTH-DPOP-11-001`).
2. Bind high-assurance tenants to mTLS tokens (`AUTH-MTLS-11-002`).
3. Provide telemetry + runbooks so plugins (SEC2/SEC3/SEC5) can validate enforcement without regressions.
## Phase 1 · Config & Telemetry (ETA 2025-11-08)
- [x] Extend `authority.yaml` with `security.senderConstraints.dpop` section (nonce store, allowed algorithms, replay window).
- [x] Wire structured logs (`authority.dpop.request`) containing tenant, client, cnf thumbprint, nonce status.
- [x] Add `DPoPNonceStore` abstraction + Redis implementation for multi-node deployments.
- [x] Update integration tests: `AuthorityTokenTests.DPoPNonceRequired`, `AuthorityTokenTests.DPoPMustMatchCnF`.
## Phase 2 · Enforcement & Fallback (ETA 2025-11-10)
- [x] Reject `/token` requests lacking DPoP proof when tenant policy requires it.
- [x] Persist `cnf.jkt` and expose through `/introspect` so downstream services validate sender.
- [x] Add emergency bypass flag (`security.senderConstraints.dpop.allowTemporaryBypass`) for sealed recap drills; default disabled.
- When enabled, Authority logs `authority.dpop.proof.bypass`, adds `authority.dpop_result=bypass` telemetry, and issues tokens without `cnf` so downstream services know sender constraints were relaxed. Reset immediately after the drill.
## Phase 3 · mTLS Binding (ETA 2025-11-10)
- [x] Capture client cert thumbprint on `/token` (mutual TLS) and store in `authority_tokens.senderCertificate`.
- [x] Validate cert hash on `/introspect` and `/fresh-auth`.
- [ ] Document bootstrap/rotation in `docs/11_AUTHORITY.md` + `docs/security/dpop-mtls-rollout.md` (this file).
## Verification Matrix
| Scenario | Test/Command | Expected |
| --- | --- | --- |
| DPoP required w/out proof | `dotnet test Authority.Tests --filter DPoPRequiresProofTest` | 400 with `use_dpop_nonce` header. |
| Nonce replay | Replay previous proof within window | 401 + audit log entry. |
| mTLS mismatch | Reuse token with different cert | 401 + `senderCertificateMismatch` metric increment. |
## Telemetry & Alerting
- Metrics: `authority_dpop_nonce_miss_total`, `authority_mtls_mismatch_total` (emitted with `reason` tags for context-missing, missing-certificate, and thumbprint-mismatch cases).
- Logs: `authority.security.senderConstraint` (structured).
- Alerts: Page DevOps when nonce miss > 5% or mTLS mismatches > 0 over 10 min.
## Dependencies
- Authority Core & Security Guild owners.
- DevOps to provide sealed-mode CI coverage (`DEVOPS-AIRGAP-57-002`).
- Plugin Standard Guild to consume new telemetry once rolled out.
## Communication
- Daily async update in `#guild-authority` thread referencing this plan.
- Link this document from `docs/implplan/archived/SPRINT_0100_0001_0001_identity_signing.md` notes once Phase 1 merges.
Reference in New Issue View Git Blame Copy Permalink