**Description:**

The system shall ensure that webhook notifications sent between pools are delivered securely, preserving the authenticity and integrity of the notification data.

**Use Case:**

For example, when a certificate is revoked in one pool, the system must notify all subscribed, relevant pools — ensuring the message:
- Is sent over a secure channel,
- Cannot be altered in transit, and
- Comes from a trusted source.

**Current Status:**
- This feature is flagged as possible in OPNC v1.0.
- Webhook-based delivery is already used, and message signing with a unique secret is reportedly supported.
- The IOP impact is high, as secure notification is essential for reliable cross-pool communication.

**Assessment:**

While technically possible today, we need to:
- Ensure all actors follow the same security pattern (shared secret or signature),
- Clarify whether there's a central relay platform or peer-to-peer model,
- And document this clearly as part of OPNC’s security guidelines.

**Discussion Points:**
- What security scheme is preferred? Shared secret, public key signature, or both?
- Should OPNC define a standard webhook format, including headers for signature and sender identity?
- Is there a replay protection mechanism (e.g., timestamp + nonce)?
- Should we create a Security Annex in the OPNC spec to house this and similar practices?
- Is this already covered in the code as was flagged?
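To make the discussion points concrete, here is an added example (not code from the OPNC project or this issue) of the shared-secret variant with sender identity and timestamp + nonce replay protection. The header names (`X-OPNC-Signature`, `X-OPNC-Timestamp`, `X-OPNC-Nonce`, `X-OPNC-Sender`), the 300-second skew window, the `pool-a` sender id, the secret and the revocation payload are all constructed assumptions; OPNC has not standardised any of them. The verifier on the receiving pool only records a nonce after the signature checks out, so a forged request cannot poison the replay cache, and it compares MACs in constant time.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical header names; OPNC has not defined a standard webhook format.
HDR_SIGNATURE = "X-OPNC-Signature"
HDR_TIMESTAMP = "X-OPNC-Timestamp"
HDR_NONCE = "X-OPNC-Nonce"
HDR_SENDER = "X-OPNC-Sender"

# Assumed tolerance for clock drift between pools (seconds).
MAX_SKEW_SECONDS = 300


def canonical(sender, timestamp, nonce, body):
    """Bind sender id, timestamp and nonce to the body so none can be swapped
    without invalidating the MAC. Newline-joined, since none of the fields
    may legitimately contain a newline."""
    return b"\n".join([sender.encode(), str(timestamp).encode(), nonce.encode(), body])


def sign_notification(secret, sender, body, timestamp=None, nonce=None):
    """Sending pool: produce the headers that accompany the webhook body."""
    ts = int(time.time()) if timestamp is None else timestamp
    n = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical(sender, ts, n, body), hashlib.sha256).hexdigest()
    return {
        HDR_SENDER: sender,
        HDR_TIMESTAMP: str(ts),
        HDR_NONCE: n,
        HDR_SIGNATURE: "sha256=" + mac,
    }


class WebhookVerifier:
    """Receiving pool: one shared secret per known sender, plus a nonce cache
    bounded by the skew window so it cannot grow without limit."""

    def __init__(self, secrets_by_sender, max_skew=MAX_SKEW_SECONDS):
        self._secrets = secrets_by_sender
        self._max_skew = max_skew
        self._seen = {}  # (sender, nonce) -> timestamp

    def verify(self, headers, body, now=None):
        """Return (accepted, reason). Headers are looked up by exact name here;
        a real HTTP framework would give case-insensitive access."""
        now = int(time.time()) if now is None else now
        sender = headers.get(HDR_SENDER, "")
        secret = self._secrets.get(sender)
        if secret is None:
            return False, "unknown sender"
        try:
            ts = int(headers.get(HDR_TIMESTAMP, ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self._max_skew:
            return False, "stale timestamp"
        nonce = headers.get(HDR_NONCE, "")
        sig = headers.get(HDR_SIGNATURE, "")
        if not nonce or not sig.startswith("sha256="):
            return False, "bad signature format"
        expected = hmac.new(secret, canonical(sender, ts, nonce, body), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking the MAC byte by byte.
        if not hmac.compare_digest(expected, sig[len("sha256="):]):
            return False, "signature mismatch"
        # Replay check runs only after authentication, so unauthenticated
        # traffic cannot fill the cache with attacker-chosen nonces.
        self._purge(now)
        key = (sender, nonce)
        if key in self._seen:
            return False, "replay"
        self._seen[key] = ts
        return True, "ok"

    def _purge(self, now):
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self._max_skew}


if __name__ == "__main__":
    # Constructed sample: pool-a tells pool-b that a certificate was revoked.
    shared_secret = b"constructed-shared-secret-do-not-use"
    body = b'{"event":"certificate.revoked","certificate_serial":"EXAMPLE-SERIAL-0001"}'
    headers = sign_notification(shared_secret, "pool-a", body)
    verifier = WebhookVerifier({"pool-a": shared_secret})
    print(verifier.verify(headers, body))   # first delivery is accepted
    print(verifier.verify(headers, body))   # identical redelivery is rejected as a replay
```

If the group prefers the public-key option, `canonical()` stays the same and only the MAC is swapped for a signature over the same bytes; the sender header then names the key to look up rather than a shared secret.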