Keychains

A certificate is a digitally signed collection of data including an application-level public key (unrelated to the signing key) and other simple meta data such as the cryptosystem that was used to derive the public key

Each public key is derived from application-level private keys that are owned by and maintained by the person who produced the keychain.

The application-level public and private keys are not necesarily related to the public and private keys used to sign the blockchain transactions

In Keychain, a certificate is implemented as a blockchain transaction.

The transaction signature serves as the certificate signature, and the transaction payload holds the public key or a reference to a public key

Keychain certificates do not contain any labels identifying the owner/controller of the certificate

A keychain is a sequence of blockchain certificates, linked by their transaction inputs and outputs.

A keychain whose blockchain certificates store digital signature public keys is called a signature keychain

A keychain whose blockchain certificates store encryption public keys is called an encryption keychain

The certificate in a keychain that has no child certificate is known as the tip ot the keychain

A certificate with no parent certificate in a keychain is called the root of the keychain

A key tree is a set of keychains with a common certificate as an ancestor

A new certificate is mature iff it has sufficient number of confirmations on the blockchains.

Keychains are created only when a persona is created; both a digital signature and encryption keychain is created and put on the blockchain when a persona is created

Blockchain transactions can perform one or both of the following functions

Blockchain certificates have an expiration date

A blockchain transaction whose payload holds an IID public key is called a blockchain certificate

Keychains may be extended, thereby deprecating (a soft form of revocation) the previously current certificate for the purpose of securing new data

The older certificates are still valid with respect to data that was encrypted / signed before the certificate was revoked

So you can still access and verify old data even after the certificate is deprecated

Deprecating a certificate differs from the more common notion of certificate revocation in that deprecated certificates are still valid for data that was encrypted / signed with the associated keys of the deprecated certificate. The Keychain protocol forbids deprecated certificates from being used to encrypt / sign data after it is deprecated.

A certificate is deprecated if and only if an extension (replacement) or termination transaction has achieved sufficient number of confirmations on the blockchain

Regardless of the relationship of any two blockchain certificates in a keychain, the public keys they hold or refer to should be statistically independent of each other and derived from secure PRNG-based process (ie, PNRG-generated private key → pub key) in such a way to be considered uniformly distributed and in a way that confers at most negligible advantage to an adversary who, seeing the blockchain transactions, attempts to deduce any one of the private keys used in the creation of the certificates

Keychains may be deprecated, terminating the certificate sequence and revoking the currently valid cert without replacement with a new cert.

Proof of work economics

Storing a certificate on the blockchain costs a transaction fee paid by the

In order to store your certificate on the blockchain, you must pay a network transaction fee. Currently, the fee is estimated and set for you by default, but you may also specify your own fee when extending a keychain.

The fee is paid to the miners of the network

Supported cipher/standards