Automatic keypair rotation #3

Open
jglick opened this issue Apr 1, 2022 · 0 comments
Labels
enhancement New feature or request

jglick commented Apr 1, 2022

We currently use just a single keypair per credentials item. We could instead offer two of them, on a regular basis alternately swapping the one used to sign tokens, and replacing the other one with a fresh keypair.

If we do #2 then it would even make sense to have three keypairs—one new, one old, and one in the middle that is actively used for signing tokens—so that even when there is a lag between when a new keypair is introduced and when it is published, signatures would only come from a keypair which had been advertised for a while in advance, as well as being advertised at least as long as the token’s validity.

Not a particularly high priority since you can already rotate a keypair simply by resaving credentials if you have some reason to suspect the private key might have been compromised.
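The three-keypair schedule proposed in this issue, as an added example that is not part of the issue or the project's code: a tick-based simulation that uses constructed key ids in place of real keypairs and checks that every still-valid token's signing key is present in a verifier's key set when that set lags behind the issuer. `ThreeKeyRing`, `simulate`, and the `period`, `lag` and `validity` parameters are assumptions of this sketch.

```python
import itertools
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    kid: str      # constructed key id standing in for a real keypair
    created: int  # tick at which the issuer generated and first advertised it

class ThreeKeyRing:
    """Hypothetical model of the issue's three slots: new, active (signs), old."""
    def __init__(self, now=0):
        self._ids = itertools.count()
        self.old, self.active, self.new = (self._fresh(now) for _ in range(3))

    def _fresh(self, now):
        return Key(f"k{next(self._ids)}", now)

    def rotate(self, now):
        # old is dropped, active retires to old, new starts signing, fresh key enters
        self.old, self.active, self.new = self.active, self.new, self._fresh(now)

    def advertised(self):
        return {k.kid for k in (self.old, self.active, self.new)}

def simulate(period, lag, validity, ticks=200):
    """Return (issued_at, checked_at, kid) for every check of a still-valid
    token whose signing key is missing from the verifier's lagged key set."""
    ring, history, tokens, failures = ThreeKeyRing(), {}, [], []
    for t in range(ticks):
        if t and t % period == 0:
            ring.rotate(t)
        history[t] = ring.advertised()
        tokens.append((t, ring.active.kid))  # one token issued per tick
        view = history[max(0, t - lag)]      # verifier sees the set from `lag` ticks ago
        for issued, kid in tokens:
            if t < issued + validity and kid not in view:
                failures.append((issued, t, kid))
    return failures

if __name__ == "__main__":
    for period, lag, validity in [(10, 3, 10), (10, 15, 10), (10, 0, 25)]:
        bad = simulate(period, lag, validity)
        print(f"period={period} lag={lag} validity={validity}: "
              f"{len(bad)} failed checks, first={bad[0] if bad else None}")
```

In this model the first run reports no failed checks; the second fails because the publication lag exceeds the rotation period, and the third because tokens outlive the advertisement of the retired key.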
