Key Rotation

Goal:

Rotate control keys (and optionally device keys) without losing the identity. You can replace control and/or auth keys without changing attributes or policies.

Inputs:

• identity_id
• new public keys (control / auth)
• old control key signature (or recovery key if in recovery mode)
• Authenticated session with either:
  • Existing Control Key, or
  • Recovery Key (in compromise scenarios)

Steps:

1. Authorize
   • Validate signature from old control key.
   • Or validate recovery policy if control key is compromised.
2. Update key set
   • Mark old key as rotated or revoked.
   • Add new key(s) as active.
3. Rebuild keys_root

keys_root_1 = MerkleRoot(updated_key_leaves)

Compute new commitment

identity_commitment_2 = H(
version,
keys_root_1,
attributes_root_1,
policies_root_0
)

Emit StateTransition

StateTransition {
previous_commitment = identity_commitment_1
new_commitment      = identity_commitment_2
diff                = "keys_rotated"
signed_by           = old_control_key or recovery_key
timestamp
}

1. Vault generates new Control Key(s).
2. Old keys are marked as expired or revoked in the Key Tree.