Context
The sdk-python README lists this under "Does NOT implement yet (Phase 1+)":
Registry resolution and key rotation
Today, verifying a signed event requires the verifier to know the signer's public key out-of-band. In production, the plane wants to look up the vendor's actor entry in the registry, pin a key by key_id, and handle rotation when the vendor publishes a new key.
Goal
Ship openagp.registry (resolver-side library) with:
- Resolver. Fetch an actor entry from openagp/registry by FQDN (or from a mirror — configurable base URL).
- Verify the entry's signature against a configured trust root before trusting the keys.
- Key cache keyed by (fqdn, key_id) with a configurable TTL.
- Rotation handling. When a verify() call fails because the key_id isn't in the cache, re-fetch the actor entry once before returning InvalidSignature.
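A sketch of how the four pieces above fit together, added here as an illustration and not code from openagp.registry or the sdk-python repo. It assumes a registry client with a single fetch(fqdn) method returning {"body", "sig"}, and it uses HMAC-SHA256 as a stand-in for both the trust-root signature over the actor entry and the vendor's event signature; the real library would use the asymmetric scheme the SDK already uses for signed events, with the same cache and re-fetch logic around it. FakeRegistry, Resolver, the key material and the event bytes are all constructed for the example.

```python
import hmac
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


class InvalidSignature(Exception):
    pass


def _mac(key: bytes, data: bytes) -> bytes:
    # Stand-in for a real signature primitive (assumption: HMAC instead of an
    # asymmetric signature, so the example runs with the standard library only).
    return hmac.new(key, data, hashlib.sha256).digest()


def canonical(entry: dict) -> bytes:
    # Canonical JSON so the trust-root signature is stable across serializers.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class FakeRegistry:
    """Constructed stand-in for openagp/registry or a mirror of it."""
    trust_root: bytes
    entries: Dict[str, dict]      # fqdn -> {"fqdn": ..., "keys": {key_id: hex}}
    fetches: int = 0

    def fetch(self, fqdn: str) -> dict:
        self.fetches += 1
        body = self.entries[fqdn]
        return {"body": body, "sig": _mac(self.trust_root, canonical(body)).hex()}


@dataclass
class Resolver:
    registry: FakeRegistry
    trust_root: bytes
    ttl: float = 300.0
    clock: Callable[[], float] = time.monotonic
    _cache: Dict[Tuple[str, str], Tuple[bytes, float]] = field(default_factory=dict)

    def _refresh(self, fqdn: str) -> None:
        doc = self.registry.fetch(fqdn)
        body = doc["body"]
        expected = _mac(self.trust_root, canonical(body))
        # Bind the entry to the fqdn we asked for: a mirror must not be able to
        # answer a lookup for vendor A with a validly signed entry for vendor B.
        if body.get("fqdn") != fqdn or not hmac.compare_digest(expected, bytes.fromhex(doc["sig"])):
            raise InvalidSignature(f"registry entry for {fqdn} failed trust-root check")
        for k in [k for k in self._cache if k[0] == fqdn]:
            del self._cache[k]            # retired key_ids disappear on refresh
        expires_at = self.clock() + self.ttl
        for key_id, key_hex in body["keys"].items():
            self._cache[(fqdn, key_id)] = (bytes.fromhex(key_hex), expires_at)

    def _lookup(self, fqdn: str, key_id: str) -> Optional[bytes]:
        hit = self._cache.get((fqdn, key_id))
        if hit is None or hit[1] <= self.clock():
            return None                   # miss or TTL expired
        return hit[0]

    def verify(self, fqdn: str, key_id: str, payload: bytes, sig: bytes) -> bool:
        key = self._lookup(fqdn, key_id)
        if key is None:
            self._refresh(fqdn)           # exactly one re-fetch per verify() call
            key = self._lookup(fqdn, key_id)
            if key is None:
                raise InvalidSignature(f"unknown key_id {key_id!r} for {fqdn}")
        if not hmac.compare_digest(_mac(key, payload), sig):
            raise InvalidSignature("event signature does not verify")
        return True


def demo() -> dict:
    root, k1, k2 = b"trust-root-secret", b"vendor-key-1", b"vendor-key-2"   # constructed
    reg = FakeRegistry(root, {"vendor.example": {"fqdn": "vendor.example", "keys": {"k1": k1.hex()}}})
    now = [1000.0]
    r = Resolver(reg, root, ttl=60, clock=lambda: now[0])
    event = b'{"type":"event","n":1}'      # constructed signed event payload
    out = {}
    out["first"] = r.verify("vendor.example", "k1", event, _mac(k1, event))
    out["cached"] = r.verify("vendor.example", "k1", event, _mac(k1, event))
    out["fetches_after_cache_hit"] = reg.fetches
    reg.entries["vendor.example"]["keys"]["k2"] = k2.hex()   # vendor publishes a new key
    out["rotated"] = r.verify("vendor.example", "k2", event, _mac(k2, event))
    out["fetches_after_rotation"] = reg.fetches
    try:
        r.verify("vendor.example", "k9", event, b"\0" * 32)  # key_id nobody published
        out["unknown"] = "accepted"
    except InvalidSignature:
        out["unknown"] = "rejected"
    out["fetches_after_unknown"] = reg.fetches
    now[0] += 61                                             # TTL elapses
    r.verify("vendor.example", "k1", event, _mac(k1, event))
    out["fetches_after_ttl"] = reg.fetches
    reg.trust_root = b"attacker-root"                        # mirror serves a forged entry
    now[0] += 61
    try:
        r.verify("vendor.example", "k1", event, _mac(k1, event))
        out["tampered"] = "accepted"
    except InvalidSignature:
        out["tampered"] = "rejected"
    out["fetches_after_tamper"] = reg.fetches
    return out


if __name__ == "__main__":
    print(demo())
```

Two details worth keeping when this is built for real: the entry check must bind the fqdn (not just the signature) so a mirror cannot substitute another vendor's entry, and the re-fetch must be bounded to one per verify() so that a flood of events with bogus key_ids cannot turn the verifier into a request amplifier against the registry. The demo also shows that a refresh retires key_ids the vendor no longer publishes, which is the only form of revocation available until the revocation feed lands.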
Out of scope
- Federation between multiple registries (tracked in the registry governance RFC).
- Revocation feeds (separate issue once revocation semantics are decided).
Pointers