git.stella-ops.org/docs2/operations/key-rotation.md
# Key rotation
## Purpose
- Rotate signing keys without invalidating historical DSSE proofs.
## Principles
- Do not mutate old DSSE envelopes.
- Keep key history; revoke instead of delete.
- Publish key material to trust anchors and mirrors.
- Audit all key lifecycle events.
## Key profiles (examples)
- default: SHA256-ED25519
- fips: SHA256-ECDSA-P256
- gost: GOST-R-34.10-2012
- sm2: SM2-P256
- pqc: ML-DSA-65
## Rotation workflow
1. Generate a new key in the configured keystore.
2. Add the key to the trust anchor without removing old keys.
3. Run a transition period where both keys verify.
4. Revoke the old key with an effective date.
5. Publish updated key material to attestation feeds or mirrors.
## Trust anchors
- Scoped by PURL pattern and allowed predicate types.
- Store `allowedKeyIds`, `revokedKeys`, and `keyHistory` with timestamps.
## Verification with key history
- Verify signatures using the key valid at the time of signing.
- Revoked keys remain valid for pre-revocation attestations.
## Emergency revocation
- Revoke compromised keys immediately and publish updated anchors.
- Re-issue trust bundles and notify downstream verifiers.
## Metrics and alerts
- `signer_key_age_days`
- `signer_keys_active_total`
- `signer_keys_revoked_total`
- `signer_rotation_events_total`
- `signer_verification_key_lookups_total`
- Alerts when keys near or exceed maximum age.
## Related references
- security/crypto-and-trust.md
- provenance/attestation-workflow.md
- docs/operations/key-rotation-runbook.md