If a key config doesn't cover its expiry time, a client could potentially have checked a key as being valid and continue to use it over time as long as it sees challenges from the origin using that key.
However, if the key had actually rotated for everyone else, a client may be targeted by being the only one in the set still using an old key.
If a key config doesn't cover its expiry time, a client could potentially have checked a key as being valid and continue to use it over time as long as it sees challenges from the origin using that key.
However, if the key had actually rotated for everyone else, a client may be targeted by being the only one in the set still using an old key.