lvh/icecap

Key cycling

Opened this issue · 1 comment

lvh commented

Example use case: one highly valuable credential, encapsulated in a cap. Many different derivative caps use that cap. Credential is leaked, so is revoked and a new one is created.

Possible answers:

  • Nope, sorry, rotate all your caps; improve opsec so you won't leak the credential in the future.
  • Mutable caps. This is the obvious easy answer, but also has downsides:
    • Fewer guarantees about what caps will do, inability to provide more such guarantees in the future (see #40).
    • Performance and availability due to limited constraints on the data store. Since caps are immutable, data stores can e.g. return the first answer they find. This makes both loads and stores incredibly efficient.
  • Partially mutable caps, or caps that rely on mutable data bags. This would let us keep immutable caps, but with mutable secrets. (The idea being that an immutable cap with mutable secrets would not suddenly do wildly different things with a bait-and-switch.)
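As an added illustration of the third option (example code written for this page, not icecap's own code; every class and function name here is hypothetical), the following sketch keeps caps immutable and content-addressed while the secret they use lives in a separate mutable bag. A cap embeds only a stable secret id, so rotating the leaked credential changes nothing about any cap, root or derivative, and the cap ids stay the same; what each cap does is fixed, only the value it resolves at use time changes.

```python
"""Immutable caps over a mutable secret bag (added example, hypothetical API)."""
from __future__ import annotations

import hashlib
import json
import secrets
from dataclasses import dataclass


class SecretBag:
    """Mutable store of secret values addressed by a stable secret id.

    Rotation swaps the value behind an id; the id itself (the only thing a cap
    embeds) never changes, and the old value is remembered as revoked.
    """

    def __init__(self) -> None:
        self._values: dict[str, str] = {}
        self._revoked: set[str] = set()

    def register(self, value: str) -> str:
        secret_id = "sec-" + secrets.token_hex(8)
        self._values[secret_id] = value
        return secret_id

    def rotate(self, secret_id: str, new_value: str) -> str:
        """Replace the value for secret_id; return the old (now revoked) value."""
        old = self._values[secret_id]
        self._revoked.add(old)
        self._values[secret_id] = new_value
        return old

    def resolve(self, secret_id: str) -> str:
        return self._values[secret_id]

    def is_revoked(self, value: str) -> bool:
        return value in self._revoked


@dataclass(frozen=True)
class Cap:
    """Immutable capability: action, parent and secret *id* are fixed and
    content-addressed, so a store may return the first copy it finds."""

    action: str
    secret_id: str
    parent: str | None = None

    @property
    def cap_id(self) -> str:
        body = json.dumps(
            {"action": self.action, "secret_id": self.secret_id, "parent": self.parent},
            sort_keys=True,
        )
        return hashlib.sha256(body.encode()).hexdigest()[:16]

    def derive(self, action: str) -> Cap:
        """Derivative cap: new action, same secret id, parented on this cap."""
        return Cap(action=action, secret_id=self.secret_id, parent=self.cap_id)


def invoke(cap: Cap, bag: SecretBag) -> tuple[str, str]:
    """The action comes from the immutable cap; the credential is looked up at use time."""
    return cap.action, bag.resolve(cap.secret_id)


def demo() -> dict:
    """Leak-and-rotate scenario from the issue, with constructed sample values."""
    bag = SecretBag()
    root_secret = bag.register("api-key-ORIGINAL")  # constructed sample credential
    root = Cap(action="call-upstream-api", secret_id=root_secret)
    derived = [root.derive(f"read-resource-{i}") for i in range(3)]

    before = [invoke(c, bag)[1] for c in derived]
    ids_before = [c.cap_id for c in derived]

    # The credential leaks: rotate it once, in the bag, touching no cap.
    leaked = bag.rotate(root_secret, "api-key-ROTATED")

    after = [invoke(c, bag)[1] for c in derived]
    ids_after = [c.cap_id for c in derived]

    return {
        "before": before,
        "after": after,
        "caps_unchanged": ids_before == ids_after,
        "leaked_revoked": bag.is_revoked(leaked),
        "actions": [invoke(c, bag)[0] for c in derived],
    }


if __name__ == "__main__":
    print(demo())
```

The design choice this shows: because the cap's behaviour is content-addressed and the secret is reached only by id, rotation cannot be used as a bait-and-switch to make an existing cap do something different; the worst a bag mutation can do is change which credential value the fixed action is performed with.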

lvh commented

The last one is #51, and I'm convinced it's the best option.