Wanted: Security Audit of Key Rotation Semantics

[chrishooooo-netizen]

TRAIL DIDs use EdDSA (Ed25519) with JSON Canonicalization Scheme (JCS). We need a security review of:

• Key rotation mechanism - How agents update their verification methods without breaking existing trust chains.
• Revocation propagation timing - How fast does a revoked key become untrusted across the network?
• Recovery scenarios - Compromised agent key, compromised registry key, partial network partition.

Threat model:

• Malicious agent impersonation
• Registry compromise
• MITM during DID resolution
• Replay attacks with stale DID documents

If you have cryptographic protocol review experience, this is a high-impact contribution.

[AmeyParle]

I reviewed the current did:trail key rotation design against the threat model in Issue #3.

Main conclusion: routine rotation looks directionally fine, but compromised-key rotation needs a stronger recovery path than “current active key signs the next key,” otherwise key compromise can become identity takeover.

Key recommendations:

• add monotonic version / rotation sequence
• distinguish active / retired / revoked / pending keys
• define verifier behavior for retired keys
• require an independent recovery path for suspected compromise
• add freshness/version checks to prevent stale replay and downgrade
• clarify resolver/cache freshness for registry-backed DID modes

I’ve prepared a fuller structured audit draft and will open a PR with it right after this comment so it’s easier to review inline.

[AmeyParle]

I’ve opened a PR with the full structured audit draft for easier inline review: #17

[chrishooooo-netizen]

Closing the loop on the audit work — thank you @AmeyParle for the structured review and PR #17.

The audit draft has been merged as spec/key-rotation-security-audit.md and will inform v1.3 spec work:

• P0 items (monotonic rotation sequence, explicit pending/active/retired/revoked lifecycle states, validity windows, retired-key verifier behavior) are candidates for v1.3.
• P1 items (compromise vs routine separation, registry-signed checkpoints, federation behavior, resolver freshness) feed into the broader v1.3 / v2.0 roadmap.
• Open questions in §7 are good agenda items for community discussion.

Issue #3 stays open as the umbrella tracker until the v1.3 patches actually land in the spec.