As part of our ongoing efforts to strengthen OSSAfrica’s security posture and align with OpenSSF best practices, I have drafted a comprehensive Secret Rotation Policy. This document aims to minimize the risk of unauthorized access by mandating regular updates to our cryptographic keys and credentials.
Scope of Work (What has been drafted)
I have created a v1.0 draft that covers the following key areas:
- Classification: A framework for categorizing secrets (Critical, High, Medium, Low) based on potential impact.
- Schedules: Defined timelines for rotation (e.g., 90 days for Critical keys vs. 365 days for Medium).
- Procedures: distinct workflows for Automated (preferred) vs. Manual rotation.
- Incident Response: Protocols for immediate "Emergency Rotation" in the event of a compromise.
- Audit Mechanisms: Requirements for quarterly compliance checks.
Action Required: Core Team Review
Before we adopt this as an official standard, I need the Core Team to review the draft for feasibility and approval. Please specifically check:
- Are the rotation timelines realistic for our current maintainer capacity?
- Do we have the necessary tooling in place (e.g., Vault, GitHub Secrets) to support the "Automated Rotation" section?
Link to Draft
Develop Secret Rotation Policy for OSSAfrica Infrastructure
Link to Repository
security
Tasks
As part of our ongoing efforts to strengthen OSSAfrica’s security posture and align with OpenSSF best practices, I have drafted a comprehensive Secret Rotation Policy. This document aims to minimize the risk of unauthorized access by mandating regular updates to our cryptographic keys and credentials.
Scope of Work (What has been drafted)
I have created a
v1.0draft that covers the following key areas:Action Required: Core Team Review
Before we adopt this as an official standard, I need the Core Team to review the draft for feasibility and approval. Please specifically check:
Link to Draft
Develop Secret Rotation Policy for OSSAfrica Infrastructure
Link to Repository
security
Tasks
ossafrica/governance(or relevant repo).