On Sat, Sep 28, 2013 at 10:14 PM, Piotr Sikora <[email protected]> wrote:
> Hi,
>
> > My patch was designed not to use multiple keyfiles and keynames in nginx
> > config so it's able to rotate keys with simple logic, only updating
> > keyfile.
>
> IMHO, that makes the key rollover much harder than it should be, that
> is: you need to regenerate keyfile with number of older keys + new one
> vs just add new key (and optionally remove some of the old ones).
>

That depends on key distribution scheme - you can distribute only new keys and store old keys on nginx server only. But with your patch you should also rotate "default" key in nginx config and it complicates the logic (in my schema) a bit. Anyway - I'm not sure if keyname is meaningful parameter in periodic key rotation scheme. For me - it is not.

> Best regards,
> Piotr Sikora
>
> _______________________________________________
> nginx-devel mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
