Keychains

One innovation in Keychain Core is its solution to managing keychains, the sequence of public keys owned by a device over the lifetime of the device. The criteria we needed to meet were:

  1. must be easily discoverable given coordinates

  2. must be on a robust medium that is highly tamper-resistant

  3. must not require coordination with the entity beyond the initial exchange of coordinates

  4. must be a non-proprietary protocol or network layer

  5. must expose as little information as possible about the entity

Blockchains satisfy all of these criteria. A blockchain transaction ID can act as a coordinate. Public blockchains, such as the Bitcoin network, can be extraordinarily tamper-resistant and are generally open-source. Transaction outputs can be traced to the next transaction, providing a chain of provenance as long as the entity is sending to addresses it owns.

Self-signed Certificates

A certificate is a digitally signed collection of data including an application-level public key (unrelated to the signing key) and other simple metadata such as the cryptosystem that was used to derive the public key. Each public key is derived from an application-level private key that is owned and maintained by the person who produced the keychain. The application-level public and private keys are not necessarily related to the public and private keys used to sign the blockchain transactions.

In Keychain, a certificate is implemented as a blockchain transaction. The transaction signature serves as the certificate signature, and the transaction payload holds the public key or a reference to a public key. Keychain certificates do not contain any labels identifying the owner/controller of the certificate. A keychain is a sequence of blockchain certificates, linked by their transaction inputs and outputs.


Keychain


A keychain whose blockchain certificates store digital signature public keys is called a signature keychain. A keychain whose blockchain certificates store encryption public keys is called an encryption keychain. The certificate in a keychain that has no child certificate is known as the tip of the keychain. A certificate with no parent certificate in a keychain is called the root of the keychain. A key tree is a set of keychains with a common certificate as an ancestor.

Certificate Life Cycle

A new certificate is created in 3 situations:

  1. When a new persona is created, which in turn creates a new digital signature keychain and a new encryption keychain.

  2. When ownership of protocol tokens is transferred to another address or public key.

  3. When a keychain is extended, which simultaneously revokes the validity of the current self-signed certificate and replaces it with a newly created independent one.

Note that even after extension, older certificates are still valid with respect to data that was encrypted / signed before the certificate was revoked, so you can still access and verify old data.

Certificate Deprecation

Deprecating a certificate differs from the more common notion of certificate revocation in that a deprecated certificate is still valid for data that was encrypted / signed with its associated keys. The Keychain protocol forbids a deprecated certificate from being used to encrypt / sign data after it is deprecated.

A certificate is deprecated if and only if an extension (replacement) or termination transaction has achieved a sufficient number of confirmations on the blockchain. Keychains may be deprecated, terminating the certificate sequence and revoking the currently valid cert without replacing it with a new cert.
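The deprecation rule above, as an added Python example that is not Keychain's own code or API: it walks a keychain from its root coordinate to the tip and decides whether data may still be verified under a given certificate. The in-memory ledger, the field names, MIN_CONF = 6, the use of block height as the signing time, and the rejection of data dated before a certificate was mined are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
MIN_CONF = 6  # assumed threshold; the page says only "sufficient number"

@dataclass
class Cert:
    txid: str                 # coordinate of this certificate
    pubkey: str               # payload: application-level public key
    height: int               # block in which the transaction was mined
    parent: Optional[str]     # txid whose output this one spends (None = root)
    terminates: bool = False  # termination tx: deprecates parent, holds no key

LEDGER = {c.txid: c for c in [  # constructed sample: root, 2 extensions, termination
    Cert("tx-a", "PK1", 100, None),
    Cert("tx-b", "PK2", 200, "tx-a"),
    Cert("tx-c", "PK3", 300, "tx-b"),
    Cert("tx-d", "", 400, "tx-c", terminates=True),
]}

def confirmations(cert, chain_height):
    return max(0, chain_height - cert.height + 1)

def successor(ledger, txid):
    """Transaction that spends txid's output, if one exists."""
    return next((c for c in ledger.values() if c.parent == txid), None)

def deprecated_at(ledger, txid, chain_height):
    """Height at which txid became deprecated, or None if it is still current."""
    nxt = successor(ledger, txid)
    if nxt is None or confirmations(nxt, chain_height) < MIN_CONF:
        return None  # an unconfirmed extension does not deprecate anything yet
    return nxt.height + MIN_CONF - 1

def tip(ledger, root_txid, chain_height):
    """Walk from the root coordinate to the current cert; None if terminated."""
    cur = ledger[root_txid]
    while deprecated_at(ledger, cur.txid, chain_height) is not None:
        cur = successor(ledger, cur.txid)
        if cur.terminates:
            return None
    return cur

def accepts(ledger, txid, signed_height, chain_height):
    """May data signed at signed_height be verified under certificate txid?"""
    cert = ledger[txid]
    if cert.terminates or signed_height < cert.height:
        return False  # no key here, or (assumed) the data predates the cert
    dep = deprecated_at(ledger, txid, chain_height)
    return dep is None or signed_height < dep
```

At chain height 302 the extension tx-c has only three confirmations, so tx-b is still the tip; the same walk at height 310 returns tx-c, while data signed under tx-b before its deprecation height remains verifiable.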

Regardless of the relationship of any two blockchain certificates in a keychain, the public keys they hold or refer to should be statistically independent of each other and derived from secure PRNG-based processes (i.e., PRNG-generated private key → public key). The keys should be effectively uniformly distributed, so that an adversary who sees the blockchain transactions gains at most a negligible advantage in deducing any of the private keys used to create the certificates.

Proof of Work Economics

In order to store your certificate on the blockchain, you must pay a network transaction fee. Currently, the fee is estimated and set for you by default, but eventually you may also specify your own fee when extending a keychain. The fee is paid to the miners of the network.

Keychain provides its clients with the blockchain tokens needed for each on-chain transaction. This is the faucet server set up in the keychain.cfg file.