Identity

Key rotation

The practice of replacing a signing key with a new one, adding the new key to the DID document while keeping old credentials valid.

Key rotation is how cryptographic systems handle the reality that keys don't stay fresh forever. Keys might be compromised, lost to personnel changes, or simply aged out under a policy. The challenge with credential signing is that old credentials referencing a rotated key should still verify.

LearnCoin handles rotation via the DID document. When a tenant's signing key is rotated, a new verificationMethod fragment (say, #tenant-ewance-v2) is added to the DID document, and future credentials sign against the new fragment. The old fragment stays in the DID document — verifiers encountering old credentials find it, check the signature, and accept.

If a key is compromised rather than rotated, the old verificationMethod is removed from the DID document's assertionMethod list. Credentials signed with the compromised key then fail verification, which is the desired behavior. A compromised-key incident is announced via LearnCoin's security disclosure channel, and the affected batch is bulk-revoked.
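The key lookup a verifier performs in the two cases above, as an added example that is not LearnCoin's code. It covers only the step that decides whether a credential's key is still authorized; the signature check that follows is omitted. The DID did:web:issuer.example, the fragment #tenant-ewance-v1 and the key values are constructed placeholders.

```python
# Added example with constructed data; not LearnCoin's code.
DID = "did:web:issuer.example"  # placeholder DID (assumption)

def did_doc(assertion_refs):
    """Constructed DID document holding the old and new tenant keys."""
    return {
        "id": DID,
        "verificationMethod": [
            {"id": f"{DID}#tenant-ewance-v1", "type": "Multikey",
             "controller": DID, "publicKeyMultibase": "zOLD-KEY-PLACEHOLDER"},
            {"id": f"{DID}#tenant-ewance-v2", "type": "Multikey",
             "controller": DID, "publicKeyMultibase": "zNEW-KEY-PLACEHOLDER"},
        ],
        "assertionMethod": assertion_refs,
    }

def _absolute(ref, base):
    # DID URLs may be relative ("#tenant-ewance-v2"); resolve against the DID.
    return base + ref if ref.startswith("#") else ref

def resolve_assertion_key(doc, proof_vm):
    """Return the method a credential proof may use, or None to reject.

    Presence in verificationMethod alone is not enough: the id must also
    be listed in assertionMethod.
    """
    base = doc["id"]
    wanted = _absolute(proof_vm, base)
    methods = {_absolute(m["id"], base): m
               for m in doc.get("verificationMethod", [])}
    for entry in doc.get("assertionMethod", []):
        if isinstance(entry, dict):  # method embedded in assertionMethod
            if _absolute(entry["id"], base) == wanted:
                return entry
        elif _absolute(entry, base) == wanted:  # reference by id
            return methods.get(wanted)  # None if the reference dangles
    return None

# Scheduled rotation: v2 added, v1 stays authorized for old credentials.
rotated = did_doc(["#tenant-ewance-v1", f"{DID}#tenant-ewance-v2"])
# Compromise: v1 dropped from assertionMethod (still listed as a method).
compromised = did_doc([f"{DID}#tenant-ewance-v2"])

if __name__ == "__main__":
    for name, doc in (("rotated", rotated), ("compromised", compromised)):
        for frag in ("#tenant-ewance-v1", "#tenant-ewance-v2"):
            vm = resolve_assertion_key(doc, DID + frag)
            print(name, frag, "check signature" if vm else "reject")
```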

Key rotation is a scheduled operation. Emergency revocation is a separate operation.

Updated 2026-04-20