Pluck Studio / Bureau

ROTATE

Signing-key compromise response. When an Ed25519 operator key is compromised, ROTATE publishes a signed KeyRevocation/v1 to Rekor; the bureau re-witnesses every prior cassette signed by that key under a "compromised" annotation; affected vendors get auto-broadcast notifications; press kits regenerate citing the compromise window.

Trust invalidation, NOT crypto-shred

A revocation does NOT remove signed Rekor entries from the public log — that's impossible against a public Merkle tree by design. ROTATE publishes NEW signed observations that live alongside the originals. Verifiers MUST consult the compromise ledger before trusting any historical signature from a revoked fingerprint.

This is a feature, not a deficiency. Crypto-shred isn't possible against a public transparency log; pretending otherwise would damage the integrity claim every other Bureau program leans on.

Has this fingerprint been revoked?

Phase 1.5 ships local-only. Phase 2 wires the Kite Event Log so a fingerprint search resolves against ingested KeyRevocation/v1 entries. For now, run the verifier against a Rekor uuid:

pluck bureau rotate verify-rotation <rekor-uuid>

Verb surface

  • revoke — publish a KeyRevocation/v1 signed with the OLD key (proves the operator controls it).
  • re-witness — annotate target uuids against the revocation's compromise window. Signed by the NEW key.
  • verify-rotation — fail-closed verification with stable reason codes.
  • disclosure-rebuild — anchor a new Disclosure/v1 chain to both the previous chain and the revocation that triggered the rebuild.

Compromise classifications

The re-witness pass classifies every target uuid:

  • before-revocation — votedAt strictly before compromiseWindow.since. Trust the inner signature.
  • during-window — votedAt in [since, until). Compromised — ignore the inner signature.
  • after-replacement — votedAt at or after until but signed by the previous key anyway. Compromised — the new key should have signed.
  • trust-but-flag — pre-window vote on a sensitive artifact (vendor Disclosure / operator key registration). Yellow flag, not red.
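As an added example (not part of this page or of the ROTATE code itself), the following Python sketch implements the two verifier-side rules above: consult the compromise ledger before trusting any historical signature from a fingerprint, and classify each target uuid against the window with since inclusive and until exclusive. Field names (`since`, `until`, `sensitive`), the fingerprints, uuids and timestamps are constructed assumptions; the real KeyRevocation/v1 schema is not shown on the page. It also fails closed on a timestamp that cannot be placed against the window.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumed shape of an ingested KeyRevocation/v1 entry (field names are
# constructed for this example; the real schema is not shown on the page).
@dataclass(frozen=True)
class KeyRevocation:
    fingerprint: str    # fingerprint of the compromised (OLD) key
    since: datetime     # compromiseWindow.since, inclusive
    until: datetime     # compromiseWindow.until, exclusive; NEW key signs from here

# One historical observation (a cassette vote) to be re-witnessed.
@dataclass(frozen=True)
class Vote:
    uuid: str                 # Rekor uuid of the original entry
    signer_fingerprint: str   # key that produced the inner signature
    voted_at: datetime        # votedAt
    sensitive: bool = False   # vendor Disclosure / operator key registration

def _require_aware(ts: datetime, what: str) -> None:
    # Fail closed: a naive timestamp cannot be placed against the window.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{what} must be timezone-aware")

def classify(vote: Vote, rev: KeyRevocation) -> str:
    """Return the re-witness classification for one target uuid."""
    if vote.signer_fingerprint != rev.fingerprint:
        raise ValueError("vote was not signed by the revoked key")
    for ts, name in ((vote.voted_at, "votedAt"), (rev.since, "since"), (rev.until, "until")):
        _require_aware(ts, name)
    if rev.until < rev.since:
        raise ValueError("malformed compromise window")
    if vote.voted_at < rev.since:
        # Pre-window: trust the inner signature, but yellow-flag sensitive artifacts.
        return "trust-but-flag" if vote.sensitive else "before-revocation"
    if vote.voted_at < rev.until:
        return "during-window"        # [since, until): compromised
    return "after-replacement"        # old key signed after the new key took over

TRUSTED = {"before-revocation", "trust-but-flag"}

def trust_inner_signature(vote: Vote, ledger: Dict[str, KeyRevocation]) -> Tuple[bool, str]:
    """Consult the compromise ledger before trusting a historical signature."""
    rev = ledger.get(vote.signer_fingerprint)
    if rev is None:
        return True, "not-revoked"
    cls = classify(vote, rev)
    return cls in TRUSTED, cls

def re_witness(votes: List[Vote], ledger: Dict[str, KeyRevocation]) -> Dict[str, Tuple[bool, str]]:
    return {v.uuid: trust_inner_signature(v, ledger) for v in votes}

def _utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed sample ledger and votes (placeholder fingerprints and uuids).
OLD_KEY = "SHA256:OLDKEY-PLACEHOLDER"
OTHER_KEY = "SHA256:UNRELATED-PLACEHOLDER"
LEDGER = {OLD_KEY: KeyRevocation(OLD_KEY, since=_utc(2024, 3, 1), until=_utc(2024, 3, 8))}
SAMPLE_VOTES = [
    Vote("uuid-1", OLD_KEY, _utc(2024, 2, 28)),
    Vote("uuid-2", OLD_KEY, _utc(2024, 3, 1)),             # exactly at since
    Vote("uuid-3", OLD_KEY, _utc(2024, 3, 7, 23, 59)),
    Vote("uuid-4", OLD_KEY, _utc(2024, 3, 8)),             # exactly at until
    Vote("uuid-5", OLD_KEY, _utc(2024, 2, 28), sensitive=True),
    Vote("uuid-6", OTHER_KEY, _utc(2024, 3, 3)),           # fingerprint not in ledger
]

if __name__ == "__main__":
    for uuid, (ok, cls) in re_witness(SAMPLE_VOTES, LEDGER).items():
        print(f"{uuid}: {cls} -> {'trust' if ok else 'DO NOT trust'} inner signature")
```

The boundary votes (uuid-2 at exactly since, uuid-4 at exactly until) are the cases worth checking in any implementation: the first falls inside the window, the second is already after-replacement.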