jenkinsci / oidc-provider-plugin

OpenID Connect Provider Plugin for Jenkins
https://plugins.jenkins.io/oidc-provider/
MIT License

Automatic keypair rotation #3

Open jglick opened 2 years ago

jglick commented 2 years ago

We currently use just a single keypair per credentials item. We could instead offer two of them, on a regular basis alternately swapping the one used to sign tokens, and replacing the other one with a fresh keypair.

If we do #2 then it would even make sense to have three keypairs—one new, one old, and one in the middle that is actively used for signing tokens—so that even when there is a lag between when a new keypair is introduced and when it is published, signatures would only come from a keypair which had been advertised for a while in advance, as well as being advertised at least as long as the token’s validity.

Not a particularly high priority since you can already rotate a keypair simply by resaving credentials if you have some reason to suspect the private key might have been compromised.
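The three-slot scheme described above (one new keypair being advertised, one actively signing, one retired but still published) as an added example. This is illustrative code written for this page, not code from the oidc-provider plugin (which is Java) or from the issue author; it assumes P-256 ECDSA keys, constructed `kid` names of the form `key-N`, and an in-memory list standing in for the JWKS endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// keyEntry pairs a keypair with the "kid" it is advertised under.
// The kid format is a constructed placeholder, not the plugin's.
type keyEntry struct {
	kid string
	key *ecdsa.PrivateKey
}

// KeyRing holds the three slots from the issue:
//   Next     - freshly generated and advertised, not yet signing
//   Active   - signs tokens; it was advertised as Next for a full period first
//   Previous - retired from signing but still advertised so its tokens verify
type KeyRing struct {
	Next, Active, Previous *keyEntry
	serial                 int
}

func (r *KeyRing) mint() *keyEntry {
	// P-256 is an assumption for this example, not the plugin's algorithm.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	r.serial++
	return &keyEntry{kid: fmt.Sprintf("key-%d", r.serial), key: key}
}

// NewKeyRing starts with an Active key and an advertised Next key; there is
// no Previous key yet because nothing has been signed.
func NewKeyRing() *KeyRing {
	r := &KeyRing{}
	r.Active = r.mint()
	r.Next = r.mint()
	return r
}

// Rotate is what a periodic job would call: each key moves one slot down and
// a fresh Next is minted. The key that starts signing now has already been
// advertised for one full rotation period.
func (r *KeyRing) Rotate() {
	r.Previous = r.Active
	r.Active = r.Next
	r.Next = r.mint()
}

// advertised returns the non-nil slots, i.e. what a JWKS endpoint would publish.
func (r *KeyRing) advertised() []*keyEntry {
	var out []*keyEntry
	for _, e := range []*keyEntry{r.Next, r.Active, r.Previous} {
		if e != nil {
			out = append(out, e)
		}
	}
	return out
}

// PublishedKIDs lists the kids currently advertised.
func (r *KeyRing) PublishedKIDs() []string {
	var kids []string
	for _, e := range r.advertised() {
		kids = append(kids, e.kid)
	}
	return kids
}

// Sign signs a token payload with the Active key and returns the kid a
// verifier would find in the token header alongside the signature.
func (r *KeyRing) Sign(payload []byte) (string, []byte) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, r.Active.key, h[:])
	if err != nil {
		panic(err)
	}
	return r.Active.kid, sig
}

// Verify is the relying party's view: a signature is accepted only from a kid
// that is still advertised. Once a key drops off the ring its tokens fail,
// which is why Previous must stay published at least as long as token validity.
func (r *KeyRing) Verify(kid string, payload, sig []byte) bool {
	h := sha256.Sum256(payload)
	for _, e := range r.advertised() {
		if e.kid == kid {
			return ecdsa.VerifyASN1(&e.key.PublicKey, h[:], sig)
		}
	}
	return false
}

func main() {
	r := NewKeyRing()
	payload := []byte(`{"sub":"job/demo"}`) // constructed sample claim set
	kid, sig := r.Sign(payload)
	fmt.Println("signed with", kid, "advertised:", r.PublishedKIDs())
	r.Rotate()
	fmt.Println("verifies after one rotation:", r.Verify(kid, payload, sig))
	r.Rotate()
	fmt.Println("verifies after two rotations:", r.Verify(kid, payload, sig))
}
```

The rotation period is the knob to check against token lifetime: a token signed just before a rotation must remain verifiable until it expires, so `Previous` has to stay advertised for at least that long, and the new key in `Next` needs to have been published long enough for relying parties that cache the JWKS to have picked it up before it starts signing.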