[Babel-users] HMAC: should keys expire?
Gabriel Kerneis
gabriel at kerneis.info
Sun Oct 11 06:39:27 BST 2020
On Sat, Oct 10, 2020, at 23:00, Toke Høiland-Jørgensen wrote:
> I guess it's not quite the same as key expiry (as the keys will
> technically still be around in the configuration file), but it does make
> it possible to have the daemon enforce a time after which they will no
> longer be accepted.
On the one hand, it might be convenient to be able to schedule rotations in advance: the downside of having a lifetime is that it's tied to the moment the keying daemon inserts the key into babeld. But on the other hand, it requires a reliable clock which (I think?) babeld has managed to avoid so far. Key expiry is probably preferable.
In any case, I don't think it should be made mandatory.
Gabriel