Giters

google / exposure-notifications-verification-server

Verification component for COVID-19 Exposure Notifications.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Proposal: Automatically rotate verification certificate signing keys

mikehelmick opened this issue · comments

commented

TL;DR

Automatically rotate verification certificate signing keys

Design

Proposal

  1. Realm opt in to auto rotate keys ever 30 days (they can still do it manually)

    • Big warning that your key server should be using JWKS import

  2. New periodic background job to rotate keys

    • 30 days after last key was created - create a new key
    • 12 hours later - make that new key active
    • 1 hour later - revoke the old key
commented

/assign

commented
  • add db columns
  • add UI to enable disable / flag controlled
  • add background rotation
  • add terraform for scheduling
  • enable auto rotation by default (v0.21.0 or later)