Cryptographic Key Rotation
Objective
Refreshing the security credentials of a Domain Service while maintaining the Chain of Trust and ensuring zero downtime for the application.
The Protocol Workflow
- Generation: The Domain Service generates a new Service Key-Pair.
- Rotation Request: The service constructs a payload containing the new Service Public Key and signs it with its current (old) Service Private Key.
- Registry Submission: The service sends a request to the App Registry.
  Provisional payload:
      {
        "version": "1.0",
        "data": {
          "new_public_key": "PUB_KEY_V2_ABC...",
          "rotation_timestamp": 1705412600,
          "nonce": "m5n8b2v1",
          "context": "key_rotation"
        },
        "signature": "e5f6a7b8c9d0..."
      }
- Verification: The Registry verifies that the signature was created by the key currently authorized for that service_id.
- Commit: The Registry updates the record, archives the old key for a “grace period,” and activates the new key.
- Propagation: The Registry broadcasts an invalidation signal to the core services (Auth Provider and the Billing Service).
  Provisional payload:
      {
        "version": "1.0",
        "data": {
          "origin": "omiappreg.org",
          "app_id": "org.omiappreg.alice.business_app.7f8a9d",
          "service_id": "cms-article-77",
          "event": "KEY_ROTATION",
          "old_public_key": "PUB_KEY_V1_OLD...",
          "new_public_key": "PUB_KEY_V2_NEW...",
          "grace_period_expiry": 1705412900,
          "timestamp": 1705412610,
          "nonce": "n7b2v9x4"
        },
        "signature": "s8d7f6g5h4j3k2l1..."
      }
Zero-Downtime Secret: Because the grace_period_expiry is typically set to 300 seconds (5 minutes), the “handover” is invisible to the end user.
Warning: If the current key is already lost or fully compromised, a “Chain of Trust” rotation is impossible. In such cases, the developer must perform a Master Reset by sending a new Binding Request signed by the Master Private Key.
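The Verification and Commit steps and the grace-period handover, as an added example (not code from the original page or from the project). The Registry class, the canonical JSON form that is signed, the 60-second freshness window, the nonce store and the HMAC stand-in for a real asymmetric signature are all assumptions, chosen so the example runs on the Python standard library alone.

```python
import hashlib, hmac, json

GRACE_SECONDS = 300  # grace period the page calls typical
MAX_SKEW = 60        # assumption: freshness window; the page does not give one

def canonical(data):
    # Assumption: the signature covers the "data" object as sorted, compact JSON.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()

class Registry:
    def __init__(self, verify):
        self.verify = verify   # verify(public_key, message, signature) -> bool
        self.active = {}       # service_id -> currently authorized public key
        self.archived = {}     # service_id -> (old key, grace_period_expiry)
        self.nonces = set()    # (service_id, nonce) pairs already committed

    def rotate(self, service_id, request, now):
        data, current = request["data"], self.active[service_id]
        if data.get("context") != "key_rotation":
            return "rejected: wrong context"
        if abs(now - data["rotation_timestamp"]) > MAX_SKEW:
            return "rejected: stale timestamp"
        if (service_id, data["nonce"]) in self.nonces:
            return "rejected: replayed nonce"
        # Chain of Trust: only the key authorized right now may name its successor.
        if not self.verify(current, canonical(data), request["signature"]):
            return "rejected: not signed by current key"
        self.nonces.add((service_id, data["nonce"]))
        # Assumption: expiry counts from rotation_timestamp, as the sample values suggest.
        expiry = data["rotation_timestamp"] + GRACE_SECONDS
        self.archived[service_id] = (current, expiry)
        self.active[service_id] = data["new_public_key"]
        return "committed"

    def accepted_keys(self, service_id, now):
        # The new key is valid at once; the old one only until the grace period ends.
        keys = [self.active[service_id]]
        old = self.archived.get(service_id)
        if old and now < old[1]:
            keys.append(old[0])
        return keys

# Constructed stand-in for an asymmetric scheme: each "public key" label maps
# to a secret HMAC key. A real deployment verifies with the public key itself.
SECRETS = {"PUB_V1": b"constructed-v1", "PUB_V2": b"constructed-v2"}

def sign(pub, data):
    return hmac.new(SECRETS[pub], canonical(data), hashlib.sha256).hexdigest()

def verify(pub, message, signature):
    expected = hmac.new(SECRETS[pub], message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)
```

A request signed only by the new key is rejected, which is why a lost or compromised current key forces the Master Reset path described in the warning above.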