[based on the X41 specification and source code audit]
in-toto does not deal with key management and relies on additional channels to distribute and verify the generated keys in a secure manner. Key expiration and revocation are therefore outside the project's responsibility. However, the key format in the specification does not define fields that could carry expiration or revocation information. This could be improved upon.
Solution Advice
X41 recommends using keys and certificates that already have key management infrastructure in place, such as PGP keys and S/MIME certificates, instead of defining a new key format.
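What a consumer of in-toto keys can do in the meantime, as an added example that is not from the X41 audit or from in-toto itself: a local policy layer that checks an assumed `expires` field (modelled on the layout's own field, which keys do not have) and an out-of-band revocation list before a key is trusted for verification. Key IDs and key material below are constructed placeholders.

```python
"""Added example, not from the X41 audit or from in-toto itself: a policy
layer applying expiry and revocation checks to in-toto-style key dicts."""
from datetime import datetime, timezone


class KeyPolicyError(Exception):
    """Raised when a key must not be used under the local key policy."""


def parse_utc(value):
    """Parse an ISO 8601 UTC timestamp ending in 'Z' (assumed format)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_key_usable(key, revoked_keyids, now):
    """Return True if `key` may be used at `now`, else raise KeyPolicyError.

    `key` is an in-toto/securesystemslib-style dict (keyid, keytype, scheme,
    keyval) extended with an assumed 'expires' field that in-toto keys do not
    carry; `revoked_keyids` is a set distributed out of band.
    """
    keyid = key.get("keyid")
    if not keyid:
        raise KeyPolicyError("key has no keyid")
    if keyid in revoked_keyids:
        raise KeyPolicyError(f"key {keyid} is revoked")
    expires = key.get("expires")
    if expires is None:
        # Open-ended trust is exactly what the finding warns about: refuse it.
        raise KeyPolicyError(f"key {keyid} carries no expiry")
    if parse_utc(expires) <= now:
        raise KeyPolicyError(f"key {keyid} expired at {expires}")
    return True


def usable_keys(keys, revoked_keyids, now):
    """Filter key dicts down to {keyid: key} for those that pass policy."""
    accepted = {}
    for key in keys:
        try:
            check_key_usable(key, revoked_keyids, now)
        except KeyPolicyError:
            continue  # a real deployment would log the rejection reason here
        accepted[key["keyid"]] = key
    return accepted


# Constructed sample data: placeholder keyids and key material, not real keys.
SAMPLE_KEYS = [
    {"keyid": "placeholder-keyid-1", "keytype": "ed25519", "scheme": "ed25519",
     "keyval": {"public": "00" * 32}, "expires": "2030-01-01T00:00:00Z"},
    {"keyid": "placeholder-keyid-2", "keytype": "ed25519", "scheme": "ed25519",
     "keyval": {"public": "11" * 32}, "expires": "2020-01-01T00:00:00Z"},
    {"keyid": "placeholder-keyid-3", "keytype": "ed25519", "scheme": "ed25519",
     "keyval": {"public": "22" * 32}},  # no expiry at all, as in-toto keys today
]
SAMPLE_REVOKED = {"placeholder-keyid-1"}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed reference time
```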