Skip to main content

classify_under_revocation

Function classify_under_revocation 

Source
pub fn classify_under_revocation(
    revocations: &[KeyRevocation],
    signing_key_fingerprint: &str,
    receipt_attested_created_at: Option<DateTime<Utc>>,
) -> Result<Option<KeyAuthorization>, AcdpError>
Expand description

Apply the RFC-ACDP-0014 §7 compromise-boundary rule.

Inputs:

  • revocationsverified revocations the consumer has decided to act on (see RevocationPolicy for the §6 trust-class guidance). The §4 earliest-compromised_since rule is applied across every entry naming the fingerprint.
  • signing_key_fingerprint — the RFC-ACDP-0010 §6 fingerprint of the key that signed the context under verification.
  • receipt_attested_created_atcreated_at from a registry receipt verified per RFC-ACDP-0010 §8 (whose step 5 confirms the receipt attests this same fingerprint), or None when there is no verified receipt. The bare body created_at MUST NOT be passed here — it is registry-assigned, unsigned by the producer, and attacker-backdatable (§7 step 1).

Verdicts:

  • Ok(None) — no supplied revocation names this key; the ordinary verification rules apply unchanged.
  • Ok(Some(KeyAuthorization::HistoricallyAuthorizedPreCompromise)) — publish time strictly before the boundary (§7 step 2). The caller must still verify the signature itself, under the RFC-ACDP-0010 §10 historical rule.
  • Err(AcdpError::KeyNotAuthorized) — fail closed: publish time at/after the boundary (§7 step 3), or no verifiable publish time at all (§7 step 4). Per RFC-ACDP-0014 §10 this is a verification verdict, not a wire condition — there is no new wire error code; the key is simply not authorized to speak for the producer in (or without placement relative to) the compromise window.