I've noticed a deprecation warning in our DiracX pods:
SecurityWarning: EdDSA is deprecated via RFC 9864
RFC 9864 deprecates the polymorphic "EdDSA" algorithm identifier in favor of fully-specified identifiers like "Ed25519" or "Ed448". This affects our JWT signing and verification code that uses joserfc.
Impact:
- Currently just a warning
- Future versions of joserfc may drop support for "EdDSA"
- No security vulnerability, just a standards compliance update
Required Changes:
- Update key generation code to use "alg": "Ed25519" instead of "alg": "EdDSA"
- Update token_allowed_algorithms to support both during migration
- Rotate keys in production environments
If you're running diracx in production, you'll need to perform a similar migration (anyone? CTAO?).
The code will support both EdDSA and Ed25519 algorithm identifiers during the transition period to allow all communities time to migrate their keystores without service interruption. Each community should plan their own key rotation once the updated code is deployed.
I will come up with a migration plan, test it within our LHCb environment, and share the procedure here for other communities to follow.
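Added example, not part of the original issue and not DiracX or joserfc code: a standard-library sketch of a pre-rotation audit that lists which keystore entries still carry the deprecated "EdDSA" identifier and checks token headers against a transitional allow-list. The JWKS layout, the key IDs, the sample keys and the function names are assumptions made for illustration.

```python
import base64
import json

DEPRECATED = "EdDSA"                    # polymorphic identifier deprecated by RFC 9864
FULLY_SPECIFIED = {"Ed25519", "Ed448"}  # fully-specified replacements named above
# Transitional allow-list: both identifiers are accepted while keystores are rotated.
TRANSITION_ALLOWED = {DEPRECATED, "Ed25519"}

# Constructed sample keystore (hypothetical key IDs, placeholder key material).
SAMPLE_JWKS = {"keys": [
    {"kid": "old-key", "kty": "OKP", "crv": "Ed25519", "alg": "EdDSA", "x": "constructed"},
    {"kid": "new-key", "kty": "OKP", "crv": "Ed25519", "alg": "Ed25519", "x": "constructed"},
    {"kid": "odd-key", "kty": "OKP", "crv": "Ed448", "alg": "Ed25519", "x": "constructed"},
    {"kid": "rsa-key", "kty": "RSA", "alg": "RS256"},
]}


def audit_jwks(jwks):
    """Return a (kid, status, detail) tuple for every key in a JWKS dict."""
    findings = []
    for key in jwks.get("keys", []):
        kid, alg, crv = key.get("kid", "<no kid>"), key.get("alg"), key.get("crv")
        if key.get("kty") != "OKP" or crv not in FULLY_SPECIFIED:
            findings.append((kid, "skipped", "not an Ed25519/Ed448 key"))
        elif alg == DEPRECATED:
            findings.append((kid, "rotate", f'replace "alg" with "{crv}"'))
        elif alg == crv:
            findings.append((kid, "ok", "fully-specified identifier"))
        else:
            findings.append((kid, "review", f"alg {alg!r} does not match crv {crv!r}"))
    return findings


def token_alg(token, allowed=TRANSITION_ALLOWED):
    """Read the unverified JOSE header and return (alg, accepted, deprecated).

    Header inspection only; signature verification stays with the JOSE library.
    """
    header_b64 = token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    alg = json.loads(base64.urlsafe_b64decode(padded)).get("alg")
    return alg, alg in allowed, alg == DEPRECATED


if __name__ == "__main__":
    for kid, status, detail in audit_jwks(SAMPLE_JWKS):
        print(f"{kid:8} {status:8} {detail}")
```

Counting accepted tokens whose third return value is true shows how much traffic still depends on the old identifier before it is dropped from the allow-list.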