glassechidna / lastkeypair

A serverless SSH certificate authority to control access to machines using IAM and Lambda
Apache License 2.0
49 stars 5 forks

Support key rotation #32

Open aidansteele opened 6 years ago

aidansteele commented 6 years ago

When instances do an lkp host setup, it could install both the "active" CA pubkey and an "inactive" one (or more) ready for rotation when the time comes.
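As an added illustration of the host-side mechanics behind this idea (example code, not part of lastkeypair), the helpers below maintain an sshd `TrustedUserCAKeys` file that carries an active CA public key plus standby keys. sshd trusts every key listed in that file, so a rotation is three steps: install the next key on all hosts, switch the Lambda to signing with it, then retire the old key. The key blobs and the `lkp-active`/`lkp-standby`/`lkp-retiring` labels are constructed for the example; the only check worth noting is that the retire step refuses to leave a host with no trusted CA key at all.

```python
# Added example (not lastkeypair's code): manage an sshd TrustedUserCAKeys file
# holding an active CA public key and standby keys ready for rotation.
# sshd accepts any certificate signed by any key in the file, so the labels in
# the comment column are only for operators; what decides "active" is which
# key the Lambda actually signs with.
from __future__ import annotations

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed key blobs for the walkthrough; these are not real CA keys.
OLD_CA_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleOldCaKey000000000000000000000000"
NEW_CA_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleNewCaKey000000000000000000000000"
OLD_CA_LINE = f"ssh-ed25519 {OLD_CA_BLOB} lkp-active"
NEW_CA_LINE = f"ssh-ed25519 {NEW_CA_BLOB}"


def parse_ca_keys(text: str) -> list[tuple[str, str, str]]:
    """Return (key type, base64 blob, comment) for each key line.

    Blank lines and '#' comments are skipped; anything else that is not a
    recognised public-key line is rejected rather than silently dropped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            raise ValueError(f"malformed CA key line: {raw!r}")
        comment = parts[2] if len(parts) == 3 else ""
        entries.append((parts[0], parts[1], comment))
    return entries


def render(entries: list[tuple[str, str, str]]) -> str:
    """Serialise entries back into TrustedUserCAKeys format."""
    return "".join(f"{t} {b} {c}".rstrip() + "\n" for t, b, c in entries)


def add_ca_key(text: str, key_line: str, label: str) -> str:
    """Install a CA public key ('type blob [comment]') under the given label.

    Idempotent on the key blob: re-running host setup with a key that is
    already present only updates its label, never duplicates the line.
    """
    (ktype, blob, _), = parse_ca_keys(key_line)
    entries = [e for e in parse_ca_keys(text) if e[1] != blob]
    entries.append((ktype, blob, label))
    return render(entries)


def remove_ca_key(text: str, blob: str) -> str:
    """Retire a CA key by blob.

    Refuses to empty the file: a host with no trusted CA key rejects every
    certificate, including the one an operator would use to repair it.
    """
    entries = parse_ca_keys(text)
    remaining = [e for e in entries if e[1] != blob]
    if len(remaining) == len(entries):
        raise KeyError("CA key not present in TrustedUserCAKeys")
    if not remaining:
        raise ValueError("refusing to remove the last trusted CA key")
    return render(remaining)


def trusted_blobs(text: str) -> set[str]:
    """The set of CA keys sshd would accept as certificate signers."""
    return {blob for _, blob, _ in parse_ca_keys(text)}


def rotation_walkthrough() -> list[str]:
    """File contents at each stage for a host that initially trusts OLD_CA."""
    stage0 = OLD_CA_LINE + "\n"
    # 1. host setup installs the next key alongside the current one
    stage1 = add_ca_key(stage0, NEW_CA_LINE, "lkp-standby")
    # 2. the Lambda starts signing with the new key; relabel both
    stage2 = add_ca_key(stage1, NEW_CA_LINE, "lkp-active")
    stage2 = add_ca_key(stage2, OLD_CA_LINE, "lkp-retiring")
    # 3. once no certificate signed by the old key is still valid, drop it
    stage3 = remove_ca_key(stage2, OLD_CA_BLOB)
    return [stage0, stage1, stage2, stage3]


if __name__ == "__main__":
    for i, contents in enumerate(rotation_walkthrough()):
        print(f"--- stage {i} ---\n{contents}", end="")
```

Because every key in the file is trusted, the window between stages 1 and 3 is when certificates from either CA are accepted; keep it no longer than the longest certificate validity issued by the old key.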

aidansteele commented 6 years ago

Question: Should the lkp host command assume that the instance's keypair is the CA pubkey, or should it only use the pubkey returned by the Lambda?

rupertbg commented 6 years ago

If it uses the one from the Lambda then that would make rotations easier, as you could... potentially... schedule the host signing periodically?

aidansteele commented 6 years ago

I like your thinking