pub struct WitnessSigner { /* private fields */ }Expand description
Witness-side cosignature minting identity: the witness’s signing key plus the DID URL it is published under in the witness’s own DID document (RFC-ACDP-0015 §5, §9).
Deliberately not crate::receipt::ReceiptSigner: the whole
value of a cosignature is that the signer is the witness, under the
witness’s own DID and key — never the registry’s receipt key (§5,
§12). Witnesses are independent parties (§3).
Key lifecycle (RFC-ACDP-0015 §9, the RFC-ACDP-0010 §9 rule applied to
the witness’s own key): retired witness keys remain in the witness DID
document’s verificationMethod indefinitely so historical
cosignatures stay verifiable; rotation removes a key from
assertionMethod only.
Implementations§
Source§impl WitnessSigner
impl WitnessSigner
Sourcepub fn new(
key: impl Into<AcdpSigningKey>,
witness_id: impl Into<String>,
key_id: impl Into<String>,
) -> Result<Self, AcdpError>
pub fn new( key: impl Into<AcdpSigningKey>, witness_id: impl Into<String>, key_id: impl Into<String>, ) -> Result<Self, AcdpError>
Create a witness signer. witness_id MUST be a did:web or
did:key DID; key_id’s DID portion MUST equal witness_id and
carry a non-empty fragment.
Sourcepub fn witness_id(&self) -> &str
pub fn witness_id(&self) -> &str
The witness DID this signer mints under.
Sourcepub fn key_id(&self) -> &str
pub fn key_id(&self) -> &str
The DID URL the witness signing key is published under (e.g.
did:web:witness.example.org#witness-key-1).
Sourcepub fn mint(
&self,
checkpoint: &LogCheckpoint,
witnessed_at: DateTime<Utc>,
) -> Result<LogCosignature, AcdpError>
pub fn mint( &self, checkpoint: &LogCheckpoint, witnessed_at: DateTime<Utc>, ) -> Result<LogCosignature, AcdpError>
Mint a signed cosignature over an observed checkpoint
(RFC-ACDP-0015 §5, §7 step 3): copy the checkpoint’s
{log_id, tree_size, root_hash, timestamp} verbatim into
witnessed_checkpoint, stamp witnessed_at (truncated here to
milliseconds) from the witness’s own clock, and sign with the
witness key.
This is the raw mint — it performs no witness obligation
(§7): it does not verify the checkpoint’s own signature or its
consistency against a retained head. Callers acting as a
production witness MUST use the client feature’s
mint_cosignature_checked (which runs the §7 obligation first),
or run those checks themselves. A witness that cosigns a
checkpoint failing consistency provides negative security value
(§7).