pub fn classify_under_revocation(
revocations: &[KeyRevocation],
signing_key_fingerprint: &str,
receipt_attested_created_at: Option<DateTime<Utc>>,
) -> Result<Option<KeyAuthorization>, AcdpError>Expand description
Apply the RFC-ACDP-0014 §7 compromise-boundary rule.
Inputs:
revocations— verified revocations the consumer has decided to act on (seeRevocationPolicyfor the §6 trust-class guidance). The §4 earliest-compromised_sincerule is applied across every entry naming the fingerprint.signing_key_fingerprint— the RFC-ACDP-0010 §6 fingerprint of the key that signed the context under verification.receipt_attested_created_at—created_atfrom a registry receipt verified per RFC-ACDP-0010 §8 (whose step 5 confirms the receipt attests this same fingerprint), orNonewhen there is no verified receipt. The bare bodycreated_atMUST NOT be passed here — it is registry-assigned, unsigned by the producer, and attacker-backdatable (§7 step 1).
Verdicts:
Ok(None)— no supplied revocation names this key; the ordinary verification rules apply unchanged.Ok(Some(KeyAuthorization::HistoricallyAuthorizedPreCompromise))— publish time strictly before the boundary (§7 step 2). The caller must still verify the signature itself, under the RFC-ACDP-0010 §10 historical rule.Err(AcdpError::KeyNotAuthorized)— fail closed: publish time at/after the boundary (§7 step 3), or no verifiable publish time at all (§7 step 4). Per RFC-ACDP-0014 §10 this is a verification verdict, not a wire condition — there is no new wire error code; the key is simply not authorized to speak for the producer in (or without placement relative to) the compromise window.