
Fix bug in keymgr Depends function

Matthijs Mekking requested to merge 4552-keymgr-depends-function-bug into main

The Depends relation refers to types of rollovers in which a certain record type is going to be swapped. Specifically, the Depends relation says there should be no dependency on the predecessor key (the set Dep(x, T) must be empty).

But if the key is phased out (all its states are in HIDDEN), there is no longer a dependency. Since the relationship is still maintained (Predecessor and Successor metadata), the keymgr_dep function still returned true. In other words, the set Dep(x, T) is not considered empty.

This slows down key rollovers, only retiring keys when the successor key has been fully propagated.

Closes #4552 (closed)
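
The check described above, as a simplified C model added here for illustration; it is not BIND 9 source and not the code from this merge request. The struct, the function names and the sample key ids are hypothetical. It assumes the phased-out key is the predecessor-side key of the Predecessor/Successor link.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not BIND 9 source; all names here are hypothetical. */
enum state { HIDDEN, RUMOURED, OMNIPRESENT, UNRETENTIVE };
enum { REC_DNSKEY, REC_ZRRSIG, REC_KRRSIG, REC_DS, NUM_REC };

struct model_key {
    unsigned id;
    unsigned predecessor;   /* id of the predecessor key, 0 = none (model only) */
    unsigned successor;     /* id of the successor key, 0 = none (model only) */
    enum state st[NUM_REC]; /* one state per record type */
};

/* True when every record state of the key is HIDDEN (key is phased out). */
static bool all_hidden(const struct model_key *k) {
    for (int i = 0; i < NUM_REC; i++)
        if (k->st[i] != HIDDEN) return false;
    return true;
}

/* Metadata link: d names k as its successor and k names d as its predecessor. */
static bool linked(const struct model_key *d, const struct model_key *k) {
    return d->successor == k->id && k->predecessor == d->id;
}

/* Before: the metadata link alone counts, so the set never becomes empty. */
static bool dep_before(const struct model_key *k, const struct model_key *ring, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (linked(&ring[i], k)) return true;
    return false;
}

/* After: a linked key whose states are all HIDDEN no longer counts. */
static bool dep_after(const struct model_key *k, const struct model_key *ring, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (linked(&ring[i], k) && !all_hidden(&ring[i])) return true;
    return false;
}

/* Constructed sample: key 1001 was rolled to 1002 and is now fully hidden. */
static const struct model_key sample_ring[] = {
    { 1001, 0, 1002, { HIDDEN, HIDDEN, HIDDEN, HIDDEN } },
    { 1002, 1001, 0, { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, OMNIPRESENT } },
};

int main(void) {
    printf("before=%d after=%d\n", dep_before(&sample_ring[1], sample_ring, 2),
           dep_after(&sample_ring[1], sample_ring, 2));
    return 0;
}
```

In the sample, the link metadata between 1001 and 1002 is still present, so the "before" check keeps reporting a dependency even though 1001 has no visible records left.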
