def:kms keys
5 keys · threshold-shared across 87 custodians · no single party holds the whole key
KEYS · 5 · 2 TLS · 1 ACME · 1 sign · 1 wallet
CUSTODIANS · TOTAL · 87 · median threshold 7-of-21
CUSTODIANS · HEALTHY · 85/87 · 2 degraded (both in the app.example.com set)
SIGNATURES · 24h · 63.3k · avg 2,635/hr
CAPS ACTIVE · 8 · across 4 services
NEXT ROTATION · 12d · blog.grid TLS
| KEY | ID | KIND | THRESHOLD | HEALTH | BOUND TO | ROTATION | SIGS · 24h | RECOVERY |
|---|---|---|---|---|---|---|---|---|
| blog.grid | key:kms:tls:blog.grid | tls-cert | 7-of-21 | 21/21 · 7 metros · 4 providers | def:nie / blog.grid | in 12 days | 14,392 | both paths |
| app.example.com | key:kms:tls:app.example.com | tls-cert | 7-of-21 | 19/21 · 7 metros · 4 providers | def:nie / app.example.com | in 28 days | 48,820 | 1 of 2 |
| Let's Encrypt account | key:kms:le:account | acme-account | 5-of-15 | 15/15 · 6 metros · 4 providers | def:nie / acme bridge | in 4 mo | 48 | both paths |
| releases · code signing | key:kms:sign:releases | signing | 3-of-9 | 9/9 · 5 metros · 3 providers | manual · ci pipeline | in 2 mo | 0 | seed only |
| treasury · multisig | key:kms:wallet:treasury | signing | 9-of-21 | 21/21 · 7 metros · 5 providers | manual · governance | in 6 mo | 0 | both paths |
How threshold KMS works
- DKG · Distributed Key Generation. The custodians (21 for a 7-of-21 key) jointly generate the key: each ends up holding one share of the secret, and the public key is published on chain. The whole key is never assembled anywhere, so nobody, the Foundation included, ever sees it.
- Capability. Your DID issues a capability token that scopes who may sign with which key, for how long and how often: "edge-pool-us-west may threshold-sign for blog.grid for 60d at 1k sigs/hr."
- Sign. An edge presents its capability and requests a signature. Any 7 of the 21 custodians each return a partial signature computed from their own share; combined, the partials form an ordinary ECDSA signature that browsers verify as usual. No custodian learns another's share, and fewer than 7 partials combine to nothing useful.
- Receipt. Every request settles a signed receipt, which is what makes signing volume auditable, anomaly-detectable and billable.
- Re-share. Every 30 days the custodians proactively re-share: each receives a fresh share of the same secret, so shares leaked before a refresh cannot be combined with shares issued after it. The public key stays the same; it changes only when you explicitly rotate the key, which is what the ROTATION column above counts down to.
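A worked example of the DKG, sign and re-share steps, added here as an illustration; it is not the KMS's own code. It runs a 7-of-21 Shamir-style DKG over secp256k1, produces a Schnorr-type threshold signature from seven partial signatures, then proactively re-shares and shows the public key is unchanged while a custodian stuck on an old share can no longer take part. The Schnorr-type scheme is an assumption made for brevity: the page's keys are ECDSA, whose threshold protocols additionally need a multi-party nonce inversion. Other assumed simplifications, for illustration only: no share commitments (a real DKG such as Pedersen's or FROST adds them so a cheating dealer is caught), no authenticated channels between custodians, no capability check or receipts, and non-constant-time arithmetic. The message and signer sets are constructed sample input.

```python
"""Toy threshold KMS: DKG, t-of-n Schnorr-style signing, proactive re-share.
Added illustration only, not the page's product code. Assumes secp256k1 and a
Schnorr-type signature (g^s == R * Y^e), not the page's ECDSA. Omits share
commitments, authenticated channels and constant-time arithmetic."""
import hashlib
import secrets

# secp256k1 domain parameters: field prime, group order, base point
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def poly_eval(coeffs, x):
    """Evaluate a0 + a1*x + a2*x^2 + ... over Z_N (the scalar field)."""
    return sum(c * pow(x, i, N) for i, c in enumerate(coeffs)) % N

def lagrange_at_zero(i, signers):
    """Weight of custodian i's share when the set 'signers' interpolates
    the shared polynomial at x = 0 (i.e. recovers the secret)."""
    num = den = 1
    for j in signers:
        if j != i:
            num = num * (-j) % N
            den = den * (i - j) % N
    return num * pow(den, -1, N) % N

def dkg(n, t):
    """DKG: every custodian deals a random degree t-1 polynomial and sends
    f_i(j) to custodian j, whose share is the sum of what it received. The
    secret (sum of constant terms) is never assembled; the public key is
    the sum of the published g^a_i0 terms."""
    polys = [[secrets.randbelow(N) for _ in range(t)] for _ in range(n)]
    shares = {j: sum(poly_eval(f, j) for f in polys) % N for j in range(1, n + 1)}
    pubkey = None
    for f in polys:
        pubkey = ec_add(pubkey, ec_mul(f[0]))
    return shares, pubkey

def challenge(R, Y, msg):
    """Fiat-Shamir challenge e = H(R || Y || msg) mod N."""
    pts = b"".join(c.to_bytes(32, "big") for c in (R[0], R[1], Y[0], Y[1]))
    return int.from_bytes(hashlib.sha256(pts + msg).digest(), "big") % N

def threshold_sign(shares, pubkey, signers, msg):
    """Round 1: each signer i commits a nonce share R_i = g^k_i.
    Round 2: each signer returns s_i = k_i + e * lambda_i * x_i.
    The combiner only adds partials; it never sees a share."""
    nonces = {i: secrets.randbelow(N) or 1 for i in signers}
    R = None
    for i in signers:
        R = ec_add(R, ec_mul(nonces[i]))
    e = challenge(R, pubkey, msg)
    s = sum(nonces[i] + e * lagrange_at_zero(i, signers) * shares[i]
            for i in signers) % N
    return R, s

def verify(pubkey, msg, sig):
    """Ordinary single-key check: g^s == R * Y^e."""
    R, s = sig
    return ec_mul(s) == ec_add(R, ec_mul(challenge(R, pubkey, msg), pubkey))

def reshare(shares, t):
    """Proactive refresh: every custodian deals a random polynomial with a
    zero constant term. Same secret and public key, fresh shares; shares
    issued before the refresh no longer combine with the new ones."""
    polys = [[0] + [secrets.randbelow(N) for _ in range(t - 1)] for _ in shares]
    return {j: (x + sum(poly_eval(f, j) for f in polys)) % N
            for j, x in shares.items()}

if __name__ == "__main__":
    shares, Y = dkg(21, 7)                 # 7-of-21, like the TLS keys above
    msg = b"tls handshake transcript"      # constructed sample input
    ok = threshold_sign(shares, Y, [1, 4, 6, 9, 13, 17, 21], msg)
    print("7 of 21 signers:", verify(Y, msg, ok))                      # True
    few = threshold_sign(shares, Y, [2, 3, 5, 8, 12, 20], msg)
    print("only 6 signers:", verify(Y, msg, few))                      # False
    fresh = reshare(shares, 7)
    again = threshold_sign(fresh, Y, list(range(15, 22)), msg)
    print("after re-share, same key:", verify(Y, msg, again))          # True
    stale = {**fresh, 1: shares[1]}        # custodian 1 missed the refresh
    mixed = threshold_sign(stale, Y, list(range(1, 8)), msg)
    print("old share mixed in:", verify(Y, msg, mixed))                # False
```

The two failure cases are the ones a custodian operator cares about: six partials interpolate the wrong polynomial, so the combined signature does not verify, and a share from before a refresh is incompatible with shares from after it, which is why the 30-day re-share limits how long a stolen share is worth anything.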