Priority: P3 (Low) · Security audit finding · area: relay · documented design tradeoff
agentProofOKLocked (go/internal/signal/server.go) treats a slot with no learned proof as open (trust-on-first-use). The first party to register an owner_id+machine_id sets the registration_secret for that slot; later replacements must match it (constant-time).
The window
Before the legitimate agent ever registers, an attacker who knows (or guesses) an owner_id+machine_id can register first and set their own secret, locking the real agent out of that signaling slot until an operator intervenes. (owner_id is a public key and machine_id is exposed to the relay, so this isn't far-fetched for a targeted victim.)
Why it's Low
This is availability only. The data plane is unaffected: Noise KK with pinned static keys still authenticates the peer end-to-end, so a squatted signaling slot cannot read or drive the shell — it can only deny/redirect rendezvous. This matches the "Availability" residual exposure already in SECURITY.md.
Related
PR #13 (security/p1-signal-bound-agentsecrets) bounds the proof map size (memory DoS), but deliberately does not change these TOFU semantics.
Options to consider
- Accept + keep documenting (current stance).
- Tie first-registration to an out-of-band token issued at pairing (the agent already has a pairing flow), so the relay slot can't be claimed by a party who never paired.
- Operator alerting on first-registration / proof-change events.
Filed from a security audit; see also the companion PRs labeled security.
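A minimal model of the current TOFU check beside the pairing-token option listed above, as an added example that is not the project's `server.go`. The `relay` type, `slotKey`, `registerTOFU`, `registerPaired` and the HMAC-SHA256 token construction are all assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Hypothetical model of the relay's proof map; not the project's code.
type relay struct {
	pairingKey []byte            // assumption: key shared with the pairing flow
	proofs     map[string][]byte // slot (owner_id+machine_id) -> learned registration_secret
}

func slotKey(ownerID, machineID string) string { return ownerID + "\x00" + machineID }

// pairingToken models the out-of-band token issued at pairing
// (assumed construction: HMAC-SHA256 over the slot under pairingKey).
func (r *relay) pairingToken(ownerID, machineID string) []byte {
	m := hmac.New(sha256.New, r.pairingKey)
	m.Write([]byte(slotKey(ownerID, machineID)))
	return m.Sum(nil)
}

// registerTOFU: a slot with no learned proof is open, so the first caller
// sets the secret; later callers must match it (constant-time).
func (r *relay) registerTOFU(ownerID, machineID string, secret []byte) bool {
	k := slotKey(ownerID, machineID)
	if learned, ok := r.proofs[k]; ok {
		return subtle.ConstantTimeCompare(learned, secret) == 1
	}
	r.proofs[k] = append([]byte(nil), secret...)
	return true
}

// registerPaired: the first registration must also carry the pairing token,
// so a party that never paired cannot claim an empty slot.
func (r *relay) registerPaired(ownerID, machineID string, secret, token []byte) bool {
	k := slotKey(ownerID, machineID)
	if _, ok := r.proofs[k]; !ok && !hmac.Equal(token, r.pairingToken(ownerID, machineID)) {
		return false // slot stays unclaimed
	}
	return r.registerTOFU(ownerID, machineID, secret)
}

func main() {
	r := &relay{pairingKey: []byte("constructed-demo-key"), proofs: map[string][]byte{}}
	fmt.Println(r.registerPaired("owner", "machine", []byte("s"), nil)) // no token: rejected
}
```

In this model the token is checked only while the slot is empty; once a secret is learned, replacements are gated by the secret alone, as in the current behaviour.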