Default short-lived attestation TTLs for automatic revocation #170

@bordumb

Problem

With OIDC (Sigstore/Fulcio), signing certificates expire in 10 minutes. If a key is compromised, the damage window is at most 10 minutes — after that, the certificate is useless without a new OIDC login.

With auths, device attestations currently have no default expiry. A compromised device that goes offline before the maintainer publishes a revocation attestation can produce valid signatures indefinitely. The expires_at field exists in attestations but isn't set by default.

This is the most commonly cited advantage of OIDC's ephemeral model over long-lived keys. We need to close this gap.

Proposed: short TTLs as the default

Device attestations

# .auths/config.toml
[attestation]
default_ttl = "24h"    # device attestations expire after 24 hours
auto_renew = true       # agent auto-renews before expiry
  • Every device attestation gets expires_at = now + default_ttl
  • The auths agent (background process) auto-renews attestations before they expire
  • If the agent is stopped (laptop closed, offline), attestations expire naturally
  • A compromised device that goes offline can only sign for default_ttl

CI attestations (already handled)

CI ephemeral attestations already support --expires-in. Make the default 1 hour:

auths artifact sign --ci --commit HEAD  # expires_at = now + 1h (default)

Configurable per-organization

# .auths/policy.toml
[policy.release]
max_ttl = "1h"          # release signing attestations must expire within 1 hour

Organizations with stricter security requirements can enforce shorter TTLs.

Comparison with OIDC

                      OIDC/Fulcio                  Auths (proposed)
Default key lifetime  10 minutes (certificate)     24 hours (attestation TTL)
Configurable          No (hardcoded by Fulcio)     Yes (per-org, per-role)
Renewal mechanism     New OIDC login required      Agent auto-renewal (no user interaction)
Offline behavior      Cannot sign at all           Can sign until TTL expires
Compromise window     10 minutes max               Configurable (1h to 30d)

The tradeoff: OIDC's 10-minute window is shorter by default, but requires network access for every signing event. Auths' 24-hour default is longer but works offline. Organizations that need tighter windows can set max_ttl = "1h".

What exists today

  • expires_at field in Attestation struct — fully supported
  • --expires-in flag on auths artifact sign --ci
  • Attestation verification checks expires_at against current time
  • Agent infrastructure exists (auths agent start/stop)

What's needed

  1. Default TTL in config (not hardcoded — configurable)
  2. Agent auto-renewal loop: check attestation expiry, re-sign before it expires
  3. CLI warning when signing with an expired or near-expiry attestation
  4. auths doctor check for attestation freshness

Success criteria

  • A compromised device that goes offline has a bounded damage window (default 24h)
  • The agent auto-renews without user interaction
  • Organizations can enforce stricter TTLs via policy
  • Offline signing still works within the TTL window
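To make the proposed lifecycle concrete (default TTL applied at issuance, org policy that can only tighten it, verification against expires_at, the agent renewal loop, and the freshness check the CLI/doctor warning would use), here is an added worked model. It is example code written for this issue, not auths project code; every name in it (parse_ttl, Attestation, issue_attestation, RenewalAgent, freshness, damage_window) is hypothetical and the timestamps are constructed.

```python
"""Model of TTL-bounded device attestations with agent auto-renewal.

Added example for this issue, not auths code. All identifiers are
hypothetical; the TTL syntax ("15m", "1h", "24h", "30d") follows the
config fragments in the proposal.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference time so the example is deterministic and offline.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_ttl(s: str) -> timedelta:
    """Parse "<int><m|h|d>" TTL strings as used in the proposed config."""
    units = {"m": "minutes", "h": "hours", "d": "days"}
    if len(s) < 2 or s[-1] not in units or not s[:-1].isdigit():
        raise ValueError(f"unsupported TTL syntax: {s!r}")
    return timedelta(**{units[s[-1]]: int(s[:-1])})


@dataclass(frozen=True)
class Attestation:
    subject: str          # device or CI job being attested
    issued_at: datetime
    expires_at: datetime  # always populated: no expiry-less attestations


def issue_attestation(subject: str, now: datetime, default_ttl: str = "24h",
                      max_ttl: Optional[str] = None) -> Attestation:
    """expires_at = now + default_ttl, clamped by the org's policy max_ttl.

    Policy can only shorten the lifetime; a max_ttl longer than the
    default has no effect.
    """
    ttl = parse_ttl(default_ttl)
    if max_ttl is not None:
        ttl = min(ttl, parse_ttl(max_ttl))
    return Attestation(subject, now, now + ttl)


def is_valid(att: Attestation, now: datetime) -> bool:
    """Verifier side: reject anything outside [issued_at, expires_at)."""
    return att.issued_at <= now < att.expires_at


def freshness(att: Attestation, now: datetime, warn_before: str = "1h") -> str:
    """Status the CLI / doctor check would report before signing."""
    if not is_valid(att, now):
        return "expired"
    if att.expires_at - now <= parse_ttl(warn_before):
        return "near-expiry"
    return "fresh"


def damage_window(att: Attestation, offline_at: datetime) -> timedelta:
    """How long a stolen device can keep signing after it drops offline."""
    return max(att.expires_at - offline_at, timedelta(0))


class RenewalAgent:
    """Background renewal loop: re-sign while still valid and close to expiry.

    A stopped agent (laptop closed, offline) never renews, so the
    attestation lapses on its own. An already-expired attestation is not
    renewed either: that path requires a fresh attestation, not a refresh.
    """

    def __init__(self, att: Attestation, default_ttl: str = "24h",
                 max_ttl: Optional[str] = None, renew_before: str = "1h"):
        self.att = att
        self.default_ttl = default_ttl
        self.max_ttl = max_ttl
        self.renew_before = parse_ttl(renew_before)
        self.running = True

    def stop(self) -> None:
        self.running = False

    def tick(self, now: datetime) -> Attestation:
        """One iteration of the loop; returns the current attestation."""
        due = self.att.expires_at - now <= self.renew_before
        if self.running and is_valid(self.att, now) and due:
            self.att = issue_attestation(self.att.subject, now,
                                         self.default_ttl, self.max_ttl)
        return self.att


if __name__ == "__main__":
    laptop = issue_attestation("laptop-1", T0)
    agent = RenewalAgent(laptop)
    agent.tick(T0 + timedelta(hours=23, minutes=30))   # renews, ~47.5h from T0
    print("running agent:", agent.att.expires_at)
    stolen = RenewalAgent(issue_attestation("laptop-2", T0))
    stolen.stop()                                        # device went offline
    stolen.tick(T0 + timedelta(hours=23, minutes=30))    # no renewal
    print("offline device window:", damage_window(stolen.att, T0 + timedelta(hours=10)))
```

The two behaviours worth checking against the success criteria are the last two lines: a running agent extends the lifetime without any user action, while the stopped one is bounded by the original expires_at, so the damage window after going offline is at most default_ttl (here 14 h because the device dropped off 10 h into a 24 h attestation).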
