|author||Christian Grothoff <firstname.lastname@example.org>||2020-11-22 13:32:28 +0100|
|committer||Christian Grothoff <email@example.com>||2020-11-22 13:32:28 +0100|
document exchange crypto helper design
Diffstat (limited to 'taler-exchange-manual.rst')
1 files changed, 53 insertions, 1 deletions
diff --git a/taler-exchange-manual.rst b/taler-exchange-manual.rst
index b156eb9..74118a7 100644
@@ -152,6 +152,58 @@ components:
only supports Postgres, but the code could be easily extended to
support another DBMS.
+Exchange online signing private key management (v0.9)
+The following text only applies starting with exchange version 0.9.
+To provide an additional level of protection for the private online signing
+keys used by the exchange, the actual cryptographic signing operations are
+performed by two helper processes, the ``taler-exchange-helper-rsa`` and the
+The two helper processes will create the required private keys, and allow
+anyone with access to the UNIX domain socket to sign arbitrary messages with
+the keys or to inform them about a key being revoked. The helper processes
+are also responsible for deleting the private keys if their validity period
+expires or if they are informed about a key having been revoked.
+From a security point of view, the helpers are designed to *only* make it
+harder for an attacker who took control of the HTTP daemon's account to
+extract the private keys, limiting the attackers ability to creating
+signatures to the duration of their control of that account.
+In the future, the helper processes should additionally provide a mechanism to
+track the number of signatures they have made for the various keys.
+The helper processes should be run under a user ID that is separate from that
+of the user running the main ``taler-exchange-httpd`` service. The
+``taler-exchange-httpd`` service's will securely communicate with the helpers
+using UNIX domain sockets. To enable access to the keys, the service's user
+must be in the group of the helper processes (and no other users should be in
+The helpers and the HTTP service need both access to the same configuration
+information. Having divergent configurations may result in run-time failures.
+It is recommended that the configuration file (``-c`` option) is simply shared
+between all of the different processes, even though they run as different
+system users. The configuration does not contain any sensitive information.
@@ -207,7 +259,7 @@ To download and install libgnunetutil, proceed as follows:
- $ git clone https://git.gnunet.org/gnunet/
+ $ git clone git://git.gnunet.org/gnunet
$ cd gnunet/
$ ./configure [--prefix=GNUNETPFX]