[noise] Ideas for PSK with key rotation?

Seph Gentle noiseprotocol at josephg.com
Fri Jan 20 21:46:49 PST 2023


Hi!

I'm in the process of building a new protocol for an application I'm working on and I'm thinking of using the Noise framework for it. I'm trying to figure out how that would work.

With my protocol, I'd like apps to be able to embed a pre-shared server key and use that to validate the server on connection. But I also want to support key rotation (for both periodic rotation and in the case of a key compromise).

I'm imagining the protocol working something like this:

1. Client connects, tries to authenticate its stored (known) server key
2a. If server key is current, connection is established via a Noise_PSK configuration.
2b. If the server key is out of date, the server responds with the new key and a signature where the new key is signed by the old (known & trusted) key. After validating the signature, the client stores the replacement key and reconnects using it.

The nice thing about this scheme is that the server can discard old keys. When key rotation happens, the server just re-signs the new key with the old key and stores the signature chain.

So my question is: How would this work with the Noise framework? Would this make sense?

1. Optimistically try to connect using a PSK pattern with the embedded key. Run application protocol over this link.
2. If this fails, client reconnects using an ephemeral key pattern. Client sends the known (old) key to the server, and the server responds with the new key & certificate chain from the old key to the new key.
3. Client reconnects using new key, and runs application protocol as normal.

Is this the best way to do this? I'd love some advice before plowing ahead!

-Seph
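A worked sketch of the rotation chain from steps 2b and 2 above, added here as an example; it is not code from the original post or from the Noise project. It models only the chain logic and leaves the Noise handshake itself out. It assumes the embedded server key is an Ed25519 signing key (Go's standard `crypto/ed25519`); Noise PSKs are symmetric 32-byte secrets, so a "signature" keyed with the PSK itself could be produced by anyone holding the old PSK, which is why the chain here is signed with a separate asymmetric key. The `Server`, `Client` and `RotationLink` types, the `Respond`/`VerifyChain` functions and the `noise-key-rotation-v1` domain-separation tag are illustrative names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RotationLink certifies that Next replaces Prev: Sig is Prev's signature over
// rotationMessage(Prev, Next). A client holding Prev walks these links to the
// server's current key; the server never needs the old private key again.
type RotationLink struct {
	Prev, Next ed25519.PublicKey
	Sig        []byte
}

// rotationMessage domain-separates the signed bytes so a rotation certificate
// cannot be confused with anything else the server key might sign.
// The tag is an illustrative choice for this example.
func rotationMessage(prev, next ed25519.PublicKey) []byte {
	return append(append([]byte("noise-key-rotation-v1\x00"), prev...), next...)
}

// Server keeps only the current private key plus the chain of links.
type Server struct {
	priv  ed25519.PrivateKey
	chain []RotationLink
}

func NewServer() (*Server, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv}, nil
}

func (s *Server) Current() ed25519.PublicKey {
	return s.priv.Public().(ed25519.PublicKey)
}

// Rotate generates a fresh key, signs it with the outgoing key, appends the
// link and then drops the old private key: the link is its only remaining record.
func (s *Server) Rotate() error {
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	old := s.Current()
	sig := ed25519.Sign(s.priv, rotationMessage(old, newPub))
	s.chain = append(s.chain, RotationLink{Prev: old, Next: newPub, Sig: sig})
	s.priv = newPriv
	return nil
}

// Respond is the server's step-2 reply: the current key and, if the client's
// key is stale, the links from that key forward. A key older than the retained
// chain cannot be served and that client must be re-provisioned out of band.
func (s *Server) Respond(known ed25519.PublicKey) (ed25519.PublicKey, []RotationLink, error) {
	cur := s.Current()
	if bytes.Equal(known, cur) {
		return cur, nil, nil
	}
	for i, l := range s.chain {
		if bytes.Equal(l.Prev, known) {
			return cur, s.chain[i:], nil
		}
	}
	return nil, nil, errors.New("unknown key: not in retained rotation chain")
}

// VerifyChain is the client's check: starting from the key it trusts, every
// link must continue from the current head and carry a valid signature by it.
func VerifyChain(trusted ed25519.PublicKey, links []RotationLink) (ed25519.PublicKey, error) {
	head := trusted
	for i, l := range links {
		if !bytes.Equal(head, l.Prev) {
			return nil, fmt.Errorf("link %d does not continue from the trusted key", i)
		}
		if !ed25519.Verify(head, rotationMessage(l.Prev, l.Next), l.Sig) {
			return nil, fmt.Errorf("link %d: bad signature", i)
		}
		head = l.Next
	}
	return head, nil
}

// Client embeds one server key and replaces it only via a verified chain.
type Client struct{ known ed25519.PublicKey }

// Connect models steps 1 to 3: with a current key the Noise handshake would run
// here (2a); with a stale key the chain is verified and the new key stored (2b, 3).
func (c *Client) Connect(s *Server) (ed25519.PublicKey, error) {
	cur, links, err := s.Respond(c.known)
	if err != nil {
		return nil, err
	}
	if len(links) == 0 {
		return c.known, nil // step 2a: stored key is current
	}
	head, err := VerifyChain(c.known, links)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(head, cur) {
		return nil, errors.New("chain does not end at the key the server reports as current")
	}
	c.known = head // step 2b: persist the replacement key, then reconnect with it
	return head, nil
}

func main() {
	s, _ := NewServer()
	c := &Client{known: s.Current()}
	_ = s.Rotate()
	_ = s.Rotate()
	k, err := c.Connect(s)
	fmt.Println("client on current key:", err == nil && bytes.Equal(k, s.Current()))
}
```

The check on `VerifyChain` is deliberately strict: a link that does not start at the current head is rejected even if its own signature is valid, so a chain with a missing or reordered link fails. The cost of discarding old private keys is that the server can only prune the chain back to the oldest key still embedded in a deployed client; anything older than the retained chain can no longer be upgraded in-band.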

