You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
tailscale/tka
Anton Tolchanov fd6686d81a tka: truncate long rotation signature chains
When a rotation signature chain reaches a certain size, remove the
oldest rotation signature from the chain before wrapping it in a new
rotation signature.

Since all previous rotation signatures are signed by the same wrapping
pubkey (node's own tailnet lock key), the node can re-construct the
chain, re-signing previous rotation signatures. This will satisfy the
existing certificate validation logic.

Updates #13185

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
3 months ago
..
aum.go all: use new AppendEncode methods available in Go 1.22 (#11079) 10 months ago
aum_test.go
builder.go
builder_test.go
chaintest_test.go all: use Go 1.22 range-over-int 7 months ago
deeplink.go
deeplink_test.go
key.go
key_test.go
scenario_test.go
sig.go tka: truncate long rotation signature chains 3 months ago
sig_test.go tka: truncate long rotation signature chains 3 months ago
state.go
state_test.go
sync.go all: use Go 1.22 range-over-int 7 months ago
sync_test.go
tailchonk.go all: use Go 1.22 range-over-int 7 months ago
tailchonk_test.go
tka.go ipn/ipnlocal: discard node keys that have been rotated out 6 months ago
tka_clone.go cmd/tl-longchain: tool to re-sign nodes with long rotation signatures 3 months ago
tka_test.go