- New Feature
- Resolution: Unresolved
- Minor
- None
- 3.8
- MOODLE_38_STABLE
LTI 1.3 relies on public/private keys for security. It is good practice for a platform to rotate its private key on a regular basis.
AC:
- Every month (should this be configurable/cron?) the LTI 1.3 key is rotated
- When a key is rotated, the previous key remains active for some hours to avoid transient errors
Note:
MDL-66708 has illustrated that some caching on the JWKS can cause significant trouble. As part of this implementation, an explicit caching directive should be added to the key set so that rotation does not cause failed launches due to caches preventing the tool from discovering the newly issued key.
For example, if a max-age of 1 hour is decided, then during the first few hours of a key rotation, the old key should still be used to sign messages.
- will help resolve: MDL-66708 LTI 1.3 private key reset on each tool edit (Closed)
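The rotation window described in this issue, as an added Python example (not Moodle code and not part of the ticket): the new key is published in the JWKS first, the old key keeps signing until cached key sets have expired, and the old key is dropped from the JWKS only later. The names `Key`, `signing_key`, `published_kids` and `jwks_headers`, and the 2x and 4x multiples of `max-age`, are assumptions chosen for illustration.

```python
from dataclasses import dataclass

MAX_AGE = 3600               # assumed Cache-Control max-age on the JWKS, in seconds
SIGN_DELAY = 2 * MAX_AGE     # assumed: a new key signs only after caches have expired
RETIRE_AFTER = 4 * MAX_AGE   # assumed: old key leaves the JWKS this long after rotation


@dataclass(frozen=True)
class Key:
    kid: str
    published_at: int  # epoch seconds at which the key first appeared in the JWKS


def _live(keys, now):
    """Keys already published at `now`, oldest first."""
    return sorted((k for k in keys if k.published_at <= now),
                  key=lambda k: k.published_at)


def signing_key(keys, now):
    """Newest key that tools with a cached JWKS are guaranteed to have seen."""
    live = _live(keys, now)
    ready = [k for k in live if now - k.published_at >= SIGN_DELAY]
    # Fresh install: no key is old enough yet, so the oldest one signs.
    return ready[-1] if ready else live[0]


def published_kids(keys, now):
    """Key ids served in the JWKS: the newest key, plus any older key
    whose successor was published less than RETIRE_AFTER ago."""
    live = _live(keys, now)
    kids = []
    for i, key in enumerate(live):
        successor = live[i + 1] if i + 1 < len(live) else None
        if successor is None or now - successor.published_at < RETIRE_AFTER:
            kids.append(key.kid)
    return kids


def jwks_headers():
    """Explicit caching directive for the key set endpoint."""
    return {"Cache-Control": f"public, max-age={MAX_AGE}"}
```

`RETIRE_AFTER` must stay larger than `SIGN_DELAY`, otherwise the key currently used for signing could disappear from the published set.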