Trust Context Token (TCT) — the canonical output of AITP.
A TCT is a signed, audience-bound, capability-scoped grant. Each peer holds the TCT issued by its counterpart in a Mutual Handshake.
In aitp/0.2 the TCT and its companion grant voucher are compact
JWS strings (RFC-AITP-0001 §5.4.5): signatures cover the exact
transmitted bytes, so any off-the-shelf JOSE library can verify them
given only the issuer public key. The revocation snapshot
(RFC-AITP-0008) is protocol-internal and stays JCS-signed.
Re-exports
- pub use builder::TctBuilder;
- pub use error::TctError;
- pub use pop::sign_pop_response;
- pub use pop::verify_pop_response;
- pub use pop::PopChallenge;
- pub use pop::PopResponse;
- pub use revocation::sign_revocation_list;
- pub use revocation::verify_revocation_list;
- pub use revocation::RevocationEntry;
- pub use revocation::RevocationList;
- pub use revocation::RevocationListEnvelope;
- pub use revocation::VerifyRevocationListContext;
- pub use types::Cnf;
- pub use types::GrantVoucherClaims;
- pub use types::IssuedTct;
- pub use types::TctClaims;
- pub use types::VerifiedTct;
- pub use verifier::verify_tct;
- pub use verifier::verify_voucher;
- pub use verifier::TctVerifyContext;
Modules
- builder: TCT + grant-voucher issuance (RFC-AITP-0005 §1 / §8).
- error: TCT-specific error type.
- pop: Downstream Proof-of-Possession exchange (RFC-AITP-0005 §6).
- revocation: Signed revocation snapshots (RFC-AITP-0008 §1.5).
- types: TCT and grant-voucher claim types (RFC-AITP-0005 / schemas/json/aitp-tct.schema.json, schemas/json/aitp-grant-voucher.schema.json).
- verifier: TCT and grant-voucher verification (RFC-AITP-0005 §7.2 / §8).
Constants
- DEFAULT_TCT_TTL_SECS: Recommended TCT TTL (1 hour).