ietf-wg-privacypass / draft-ietf-privacypass-consistency-mirror

K-Check protocol specification

Consistency at the end of key validity #5

Open tfpauly opened 1 year ago

tfpauly commented 1 year ago

If a key config doesn't cover its expiry time, a client could potentially have checked a key as being valid and continue to use it over time as long as it sees challenges from the origin using that key.

However, if the key had actually rotated for everyone else, a client may be targeted by being the only one in the set still using an old key.

tfpauly commented 1 year ago

Adding a not-after value to a key mitigates this for the scheduled rotation cases.

tfpauly commented 1 year ago

Alternatively, the k-check proxy could tell clients about the cadence to check in.
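The concern and the two mitigations raised in this thread, modeled as an added example (not code from the draft or from any commenter). The field names `not_after` and `recheck_every`, the client names and the timeline are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CheckedKey:
    key_id: str
    checked_at: int               # time the consistency check last passed
    not_after: Optional[int]      # assumed expiry field; None = key config has none
    recheck_every: Optional[int]  # assumed check-in cadence given by the k-check proxy


def may_use(key: CheckedKey, challenge_key_id: str, now: int) -> bool:
    """True only if the earlier consistency check still covers this challenge."""
    if challenge_key_id != key.key_id:
        return False  # the origin is presenting a key this client never checked
    if key.not_after is not None and now >= key.not_after:
        return False  # scheduled rotation has passed: check again first
    if key.recheck_every is not None and now - key.checked_at >= key.recheck_every:
        return False  # the check is older than the advertised cadence
    return True


def still_accepting(clients: Dict[str, CheckedKey], key_id: str, now: int) -> List[str]:
    """Clients that would keep using key_id at time now without a new check."""
    return sorted(n for n, k in clients.items() if may_use(k, key_id, now))


def scenario(not_after: Optional[int], recheck_every: Optional[int]) -> List[str]:
    # Constructed timeline: all clients check k1 at t=0 and the key rotates to k2
    # at t=1000. Clients a and b re-check and move to k2. The third client keeps
    # seeing challenges for k1 and is asked about them at t=2000.
    moved_on = CheckedKey("k2", 1000, None, None)
    stale = CheckedKey("k1", 0, not_after, recheck_every)
    clients = {"a": moved_on, "b": moved_on, "victim": stale}
    return still_accepting(clients, "k1", now=2000)


if __name__ == "__main__":
    print("no expiry, no cadence:", scenario(None, None))  # set of one client
    print("not-after at rotation:", scenario(1000, None))  # nobody uses k1 unchecked
    print("proxy cadence of 600: ", scenario(None, 600))   # nobody uses k1 unchecked
```

With neither bound, the old key is accepted by exactly one client, which is the set-of-one condition described in the first comment; either bound forces a new consistency check before the old key is used again.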