Abstract
Revoking compromised application programming interface keys in distributed cloud systems can involve a propagation gap, where a revocation may not be instantly effective across all enforcement points, and this process can lack external verifiability. This disclosure describes a framework that can use the domain name system (DNS) as a public ledger to address these potential issues. Upon revocation, a signed status record may be published to a deterministic DNS namespace derived from the key identifier. Concurrently, individual enforcement points can apply the revocation and return cryptographically signed attestations of this action. These attestations may be aggregated into a composite, signed propagation proof record that can also be published to DNS. This dual-record system can enable a relying party to perform DNS queries to independently and cryptographically verify that a key has been revoked and the degree to which that revocation has been enforced across the distributed system.
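The flow described in the abstract, as an added example that is not part of the disclosure: a deterministic revocation name derived from the key identifier, a signed status record, per-enforcer attestations aggregated into a propagation proof, and a relying-party check that reports both revocation and the fraction of enforcement points that have applied it. The DNS zone is simulated with an in-memory dict of TXT-like records, HMAC-SHA256 stands in for the signature scheme the disclosure leaves unspecified, and the zone name, `_proof.` label and key material are constructed assumptions.

```python
import hashlib, hmac, json

# Constructed sample material, not the disclosure's code. HMAC-SHA256 stands in for
# the unspecified signature scheme; a real deployment would use public-key signatures.
REVOKER_KEY = b"revoker-signing-key"
ENFORCER_KEYS = {"edge-eu1": b"k-eu1", "edge-us1": b"k-us1", "edge-ap1": b"k-ap1"}
ZONE = "revocations.example"  # assumed zone that hosts the public ledger

def revocation_name(key_id: str) -> str:
    """Deterministic DNS name for a key id; hashing keeps the raw id out of DNS."""
    return hashlib.sha256(key_id.encode()).hexdigest()[:32] + "." + ZONE
def sign(record: dict, key: bytes) -> dict:
    payload = json.dumps(record, sort_keys=True).encode()
    return {**record, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def verify(signed: dict, key: bytes) -> bool:
    record = {k: v for k, v in signed.items() if k != "sig"}
    payload = json.dumps(record, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("sig", ""))

def publish_status(dns: dict, key_id: str, revoked_at: int) -> None:
    """Revoker publishes the signed status record at the derived name."""
    record = {"kid": key_id, "status": "revoked", "ts": revoked_at}
    dns[revocation_name(key_id)] = sign(record, REVOKER_KEY)

def enforcer_attest(enforcer: str, key_id: str, applied_at: int) -> dict:
    """Each enforcement point attests that it applied the revocation."""
    record = {"kid": key_id, "enforcer": enforcer, "applied": applied_at}
    return sign(record, ENFORCER_KEYS[enforcer])

def publish_proof(dns: dict, key_id: str, attestations: list) -> None:
    """Aggregate only verifiable attestations into a signed propagation proof."""
    valid = [a for a in attestations if a.get("kid") == key_id
             and a.get("enforcer") in ENFORCER_KEYS
             and verify(a, ENFORCER_KEYS[a["enforcer"]])]
    proof = {"kid": key_id, "expected": len(ENFORCER_KEYS),
             "enforced": sorted(a["enforcer"] for a in valid)}
    dns["_proof." + revocation_name(key_id)] = sign(proof, REVOKER_KEY)  # assumed label

def relying_party_check(dns: dict, key_id: str) -> dict:
    """Two lookups: is the key revoked, and what fraction of enforcers applied it?"""
    name = revocation_name(key_id)
    status = dns.get(name)
    if not status or not verify(status, REVOKER_KEY) or status["status"] != "revoked":
        return {"revoked": False, "coverage": 0.0}
    proof = dns.get("_proof." + name)
    if not proof or not verify(proof, REVOKER_KEY) or proof["kid"] != key_id:
        return {"revoked": True, "coverage": 0.0}
    return {"revoked": True, "coverage": len(proof["enforced"]) / proof["expected"]}
```

A coverage below 1.0 is the propagation gap made visible: the relying party can see that the key is revoked but not yet enforced everywhere, and a forged or mis-attributed attestation is dropped before it can inflate that figure.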
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 License.
Recommended Citation
Liu, Mei Yue, "Verifiable API Key Revocation Using DNS-Based Cryptographic Attestations", Technical Disclosure Commons, ()
https://www.tdcommons.org/dpubs_series/10122