spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

JWT signing key validity period not considered in calculation of bundle "spiffe_refresh_hint" #2256

Open rturner3 opened 3 years ago

rturner3 commented 3 years ago

The spiffe_refresh_hint parameter of a bundle represents a suggestion for when a consumer should consider requesting a new version of the bundle; see SPIFFE Trust Domain and Bundle, Section 4.1.2.

SPIRE currently only considers the lifetime of X.509 root CAs in the trust bundle for its calculation of this refresh hint. Today, SPIRE Server X.509 root CA and JWT signing keys have the same validity period, but ideally the refresh hint calculation should not depend on this assumption.
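
Added example, not part of the issue and not SPIRE's code: a sketch of how a hint computed from X.509 root CAs alone overshoots once a JWT signing key has a shorter validity period. The `Authority` type, the one-tenth-of-shortest-lifetime policy, the one-minute floor and the sample bundle are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Authority is a hypothetical, simplified bundle entry: an X.509 root CA
// or a JWT signing key together with its validity window.
type Authority struct {
	Kind                string // "x509" or "jwt"
	NotBefore, NotAfter time.Time
}

const (
	leewayFactor = 10          // assumed policy: hint = shortest lifetime / 10
	minHint      = time.Minute // assumed floor for the hint
)

// RefreshHint derives a hint from the shortest-lived authority whose Kind
// is listed in kinds; authorities of other kinds are ignored.
func RefreshHint(auths []Authority, kinds ...string) time.Duration {
	var shortest time.Duration
	for _, a := range auths {
		for _, k := range kinds {
			life := a.NotAfter.Sub(a.NotBefore)
			if a.Kind == k && life > 0 && (shortest == 0 || life < shortest) {
				shortest = life
			}
		}
	}
	if hint := shortest / leewayFactor; hint > minHint {
		return hint
	}
	return minHint
}

// SampleBundle is constructed data: a 24h X.509 root CA and a 6h JWT key.
func SampleBundle() []Authority {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	return []Authority{
		{"x509", t0, t0.Add(24 * time.Hour)},
		{"jwt", t0, t0.Add(6 * time.Hour)},
	}
}

func main() {
	b := SampleBundle()
	fmt.Println("x509 only:  ", RefreshHint(b, "x509"))        // 2h24m0s
	fmt.Println("x509 + jwt: ", RefreshHint(b, "x509", "jwt")) // 36m0s
}
```

With the constructed bundle, a consumer following the X.509-only hint would wait 2h24m between refreshes, four times longer than the hint that accounts for the 6h JWT key.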

github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 365 days with no activity.

rturner3 commented 1 year ago

This is still a valid issue.

github-actions[bot] commented 3 weeks ago

This issue is stale because it has been open for 365 days with no activity.