Where to retrieve and store the GOOGLE_ROOT_CA_PUB_KEY?

[witrisna]

Do we need to consider key rotation for this key, should we just hardcode the key in our implementation? Is there a way to retrieve the public key through a public URI?

[eranmes]

This is a very apt question. Yes, you should consider key rotation.

We're in the process of publishing a URI with the root certificates for attestation keys. I'll update the issue when we do.

[katimlam]

How often does Google rotate the root cert?