JWT signing key validity period not considered in calculation of bundle "spiffe_refresh_hint" #2256
Labels: help wanted (Issues with this label are ready to start work but are in need of someone to do it); priority/backlog (Issue is approved and in the backlog)
The `spiffe_refresh_hint` parameter of a bundle represents a suggestion for when a consumer should consider requesting a new version of the bundle, see SPIFFE Trust Domain and Bundle Section 4.1.2. SPIRE currently only considers the lifetime of X.509 root CAs in the trust bundle for its calculation of this refresh hint. Today, SPIRE Server X.509 root CA and JWT signing keys have the same validity period, but ideally the refresh hint calculation should not depend on this assumption.