Oris Docs

Key rotation

Three classes of keys rotate on operational triggers. None of them is the developer’s API key (developers rotate their own at any time through the dashboard).

L2 policy signing keys

The Oris MPC ring signs every policy Merkle root. Rotation cadence: quarterly, or on compromise.

Procedure:

  1. New share generation in Vault Transit.
  2. Test signature emitted against a known root.
  3. New pubkey published on OrisL2PolicyRegistry with a transition event.
  4. Verifiers update the recognized pubkey set.
  5. Old key continues to verify in-flight bundles for one hour (overlap window).
  6. Old key revoked.

Downtime: zero. The overlap window prevents in-flight bundle rejection.

L5 revocation signing keys

Same MPC ring as L2. The rotation procedure mirrors the L2 procedure above. The on-chain registry tracks active pubkeys with versioning. Non-membership proofs reference the active root version at proof time.

L6 verifier Ed25519 pubkey

The L6 verifier signs every verdict. Rotation cadence: quarterly, or on compromise.

Procedure:

  1. New Ed25519 keypair generated.
  2. New pubkey published at GET /verify/pubkey alongside the previous one (during overlap).
  3. Webhook verifier.key_rotated fires to subscribed networks.
  4. Networks refresh their cached pubkey.
  5. Old pubkey served alongside new for one hour.
  6. Old pubkey deactivated.

Offline verifiers (using cached pubkeys) get a webhook nudge to refresh. The key_id field on every verdict indicates which active key signed it.

Veris MPC ring (BLS12-377)

Separate ring from Oris MPC. Rotation procedure published in the L3 Veris operator runbook (NDA-only).
