Consider adding zcap auto-refresh service

[dlongley]

It may make sense to expose an auto-refresh service for zcaps delegated by a profile. A zcap to use the service could be given out to, for example, service instances. Those service instances could hit the refresh service with existing (and unexpired) zcaps and receive new zcaps. The zcaps delegated could be stored to enable future revocation, if desired.

Zcap refresh would be gated based on some threshold, to help prevent misuse / generation of too many zcaps / too frequent regeneration.

[dlongley]

Care would need to be taken to avoid circumventing revocation of any delegated zcaps by issuing new ones. A possible dependency might be the ability to check the revocation status of a zcap prior to refreshing it.

[dlongley]

Some more details:

An endpoint here could be implemented that will refresh any zcap provided by a particular delegator to a particular delegatee provided that the target zcap is "close" to expiration or has expired.

A zcap to use this endpoint can be given out to the delegatee with a longer expiration period (~10 years) than usual and it can be revoked if that delegatee is no longer trusted with auto-refresh. The ability to refresh "any" zcap could also be attenuated by handing out an auto-refresh zcap to an attenuated path or query param for more specific invocation targets only. Then services can be updated to make use of this to get fresh zcaps as needed.

[dlongley]

Another feature to consider: Allow-list controllers of known refresh zcaps; if a refresh zcap is used that isn't known with a controller that doesn't appear in some other refresh zcap, deny access.

This approach helps deal with lost / erroneously deleted refresh zcaps on the verification side, such that an untracked refresh zcap will not be usable unless its controller is presently trusted in another refresh zcap that hasn't been lost.

[dlongley]

Additional considerations:

1. Whether a refresh zcap should be able to refresh itself provided that it has not expired.
2. Whether a refresh zcap can refresh another (different) refresh zcap or if this allows for refresh cycles that pose a threat that can't be easily mitigated via revocation.