Feature to delete individual keys from trust bundle #5375

Closed
keeganwitt opened this issue Aug 12, 2024 · 7 comments

Labels
triage/in-progress Issue triage is in progress

Comments

@keeganwitt
Contributor

There are cases where it might be useful to delete specific keys from the trust bundle. Some examples are

  1. The private key was lost (maybe from a storage failure) and you want to reduce the size of the trust bundle.
  2. Trust in the key has been revoked. For example, because the private key was leaked.

Currently, the only option offered is to delete the entire bundle.

@keeganwitt keeganwitt changed the title Offer feature to delete individual keys from trust bundle Feature to delete individual keys from trust bundle Aug 12, 2024
@keeganwitt
Contributor Author

Another case (but a somewhat special case) would be if you decided to change your server config to use a lower TTL than you initially started with, then you're stuck with the keys already created.

@azdagron
Member

I believe this would be covered by the ongoing "Forced Rotation and Revocation" work that @MarcosDY has been working through.

@azdagron azdagron added the triage/in-progress Issue triage is in progress label Aug 13, 2024
@azdagron
Member

@keeganwitt just to clarify, you're talking about removing keys from the trust bundle from your own trust domain, not from a federated trust domain, correct?

@MarcosDY
Collaborator

MarcosDY commented Aug 13, 2024

If it involves revoking a key within your own trust domain, this will be possible once force rotation becomes available.
Using:

@azdagron
Member

👋 hey @keeganwitt, friendly ping on answers to the question above :)

@keeganwitt
Contributor Author

keeganwitt commented Aug 27, 2024

@keeganwitt just to clarify, you're talking about removing keys from the trust bundle from your own trust domain, not from a federated trust domain, correct?

In our case, yes, nested not federated. But I'd think this would apply to federated setups too (but I'd have to read through the code a bit more on that).

If it involves revoking a key within your own trust domain, this will be possible once force rotation becomes available.
Using:

I think this would work, yes. I'm not sure if you were going to delete it from the bundle during revocation or set a revoked flag, but as long as it doesn't get included in the results served up by the OIDC endpoint, either way should work as far as this requirement.

@azdagron
Member

Yes, once it has been revoked, it will be removed from the bundle and not show up in the key set advertised by the OIDC discovery provider.
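
The behaviour the thread converges on (a revoked key is dropped from the bundle, so the key set served at the OIDC discovery endpoint no longer advertises it, and a relying party that looks the key up by kid fails to find it) can be illustrated in miniature. The Go below is an added example for this page, not SPIRE code and not its API: it models the bundle as a plain JWKS document, removes one key by kid without mutating the original set, and shows the verifier-side lookup that a token signed under the removed key would fail. The three keys and their coordinate values are constructed placeholders, not real curve points.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// JWK holds the subset of a JSON Web Key that matters for lookup by key ID.
// Coordinates are kept as opaque strings: this example never does crypto.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Crv string `json:"crv,omitempty"`
	X   string `json:"x,omitempty"`
	Y   string `json:"y,omitempty"`
}

// JWKS is the key set a relying party fetches from the OIDC discovery endpoint.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// ErrKeyNotInBundle is returned when a removal targets a kid the bundle lacks.
var ErrKeyNotInBundle = errors.New("key id not present in bundle")

// sampleBundle is a constructed three-key bundle (placeholder coordinates).
const sampleBundle = `{"keys":[
  {"kty":"EC","kid":"key-1","crv":"P-256","x":"placeholder-x1","y":"placeholder-y1"},
  {"kty":"EC","kid":"key-2","crv":"P-256","x":"placeholder-x2","y":"placeholder-y2"},
  {"kty":"EC","kid":"key-3","crv":"P-256","x":"placeholder-x3","y":"placeholder-y3"}
]}`

// LoadBundle parses a JWKS document.
func LoadBundle(doc string) (JWKS, error) {
	var set JWKS
	if err := json.Unmarshal([]byte(doc), &set); err != nil {
		return JWKS{}, err
	}
	return set, nil
}

// RemoveKey returns a new set without the key whose kid matches. The input
// set is left untouched so the caller can keep the pre-revocation state.
func RemoveKey(set JWKS, kid string) (JWKS, error) {
	out := JWKS{Keys: make([]JWK, 0, len(set.Keys))}
	found := false
	for _, k := range set.Keys {
		if k.Kid == kid {
			found = true
			continue
		}
		out.Keys = append(out.Keys, k)
	}
	if !found {
		return set, ErrKeyNotInBundle
	}
	return out, nil
}

// AdvertisedKIDs lists the key IDs a relying party would see in the served set.
func AdvertisedKIDs(set JWKS) []string {
	kids := make([]string, 0, len(set.Keys))
	for _, k := range set.Keys {
		kids = append(kids, k.Kid)
	}
	return kids
}

// LookupKey mirrors the verifier side: a token whose header kid is absent from
// the served set has no key to verify against and must be rejected.
func LookupKey(set JWKS, kid string) (JWK, bool) {
	for _, k := range set.Keys {
		if k.Kid == kid {
			return k, true
		}
	}
	return JWK{}, false
}

func main() {
	set, err := LoadBundle(sampleBundle)
	if err != nil {
		panic(err)
	}
	after, err := RemoveKey(set, "key-2")
	if err != nil {
		panic(err)
	}
	fmt.Println("served before:", AdvertisedKIDs(set))
	fmt.Println("served after: ", AdvertisedKIDs(after))
	_, ok := LookupKey(after, "key-2")
	fmt.Println("token with kid key-2 verifiable:", ok)
}
```

A second removal of the same kid returns ErrKeyNotInBundle rather than silently succeeding, which makes an operator's tooling notice when a revocation is replayed against an already-updated bundle.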
