Fixup openshift#1

marun · Feb 3, 2020 · 73e2c77 · 73e2c77
1 parent 74572a8
commit 73e2c77
Showing 1 changed file with 25 additions and 15 deletions.
diff --git a/enhancements/authentication/automated-service-ca-rotation.md b/enhancements/authentication/automated-service-ca-rotation.md
@@ -116,21 +116,31 @@ and the functionality could be separately extracted for operator reuse.
       Red Hat is 12 months.
       - At most 3 OCP releases are supported at one time, and 3 releases are
         expected in a given year.
-    - When the minimum CA duration, *M*, is reached, automatic rotation will
-      be triggered. *M* must be greater than *I* to ensure that an upgrade
-      occurs before the expiry of the pre-rotation CA.
-    - The interval between automated rotations, *R*, must also be greater
-      than *I* to ensure that an upgrade occurs before the expiry of the
-      pre-rotation CA.
-      - Since cross-signing is only supported between the current and
-        previous CAs, rotating before all pods have been restarted to use key
-        material from the current CA risks breaking trust with key material
-        issued by the previous CA.
-    - The total CA duration can thus be computed as follows:
-      - *D* = *M* + *R* > 2 * *I*
-    - Letting *M* = *R* and substituting *I* = 12 simplifies to:
-      - *D* = 2 * *M* > 24
-    - Picking *M* = *R* = 13 will satisfy the relation, resulting in *D* = 26
+    - When the minimum remaining CA duration, *M*, is reached, automatic
+      rotation will be triggered. *M* must be greater than *I* to ensure that
+      an upgrade occurs before the expiry of the pre-rotation CA.
+    - Let the interval between creation of a CA and its rotation be *R*.
+      - *R* must be greater than *I* to ensure that an upgrade occurs before
+        the expiry of the pre-rotation CA.
+      - *R* must be greater than or equal to the minimum remaining CA
+        duration, *M*, to ensure that an upgrade occurs before a subsequent
+        rotation.
+        - Since cross-signing is only supported between the current and
+          previous CAs, rotating before all pods have been restarted to use key
+          material from the current CA risks breaking trust with key material
+          issued by the previous CA.
+    - The interval between creation and rotation, *R*, can be computed as the
+      total duration *D* less the minimum remaining duration *M*:
+      - *R* = *D* - *M*
+    - Reordering to solve for *D*:
+      - *D* = *R* + *M*
+    - Since each of *R* and *M* must be greater than *I*:
+      - *D* = *R* + *M* > 2 * *I*
+    - Since *R* >= *M* should be true, simplify to *R* = *M*:
+      - *D* = 2 * *R* > 2 * *I*
+    - Substitute *I* = 12:
+      - *D* = 2 * *R* > 24
+    - Picking *R* = *M* = 13 will satisfy the relation, resulting in *D* = 26
   - Worst-case timelines with old and new values for CA duration:
     - Let minimum duration *M* = 6 months, total duration *D* = 12 months:
       - T+0m  - Cluster installed with new CA or existing CA is rotated (CA-1)