Skip to content

keep-frost-net: wire opt-in strict relay cert pinning to eliminate first-use TOFU #786

Description

@kwsantiago

Problem

Relay certificate pinning trusts the certificate on first use: when no pin exists for a host, verify_relay_certificate (keep-frost-net/src/cert_pin.rs) records the observed certificate as the pin. An attacker who intercepts the very first connection to a relay pins their own certificate, and all subsequent connections then validate against the attacker's key.

Status

The mechanism to close this is in place: verify_relay_certificate takes a require_pinned policy parameter; when true, an un-pre-provisioned host is rejected instead of trusted-on-first-use. It is a per-call policy (not persisted state) so it cannot fail-open on a pin-set reload.

Not yet activated: both live call sites (keep-desktop, keep-mobile) pass require_pinned = false, so default TOFU exposure remains.

Remaining work

  1. Add a config/CLI toggle (mirroring the opt-in --expected-pcr strict attestation) to pass require_pinned = true.
  2. Document provisioning relay SPKI pins out-of-band (the pins JSON) for high-assurance deployments.
  3. Optionally, surface a first-use pin-confirmation prompt (fingerprint) in keep-desktop / keep-android for the non-strict path.

Acceptance criteria

  • A deployment can enable strict pinning so an unknown relay is rejected rather than TOFU-trusted.

Metadata

Metadata

Assignees

No one assigned

    Labels

    nostr-frostNostr FROST coordination protocolp1PriorityrustPull requests that update rust codesecuritySecurity-related issues

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions