KeychainItem Trait (kcit)

Trait for managing an item in a cryptographic keychain.

Attribute      Value
Id             tag:google.com,2018:m2m:traits:keychain-item:v1:v0#r0
Short-Id       kcit
Has-Children   no
Requires       tag:google.com,2018:m2m:traits:base:v1:v0#r0

Config Properties

Name       Key           RW   Req   Description
Identity   c/kcit/iden   X    X     The identity associated with this key.

c/kcit/iden : Identity

The identity associated with this key.

Attribute    Value
Value Type   nullable text string
Flags        RW

This field determines which identity a client assumes when it uses this keychain item to authenticate.

The default value is anon.

The field may be absent if the certificate is not associated with any identity.

Metadata Properties

Name                Key           RW   Req   Description
TraitURI            m/kcit/turi   X    X     The URI that uniquely identifies the specification used to implement this trait.
Type                m/kcit/type   X    X     Specifies what type of key this item contains.
Ours                m/kcit/ours   X          Indicates whether this certificate item has a private key.
Certificate         m/kcit/cert   X          DER-encoded X.509 certificate.
HashSha256          m/kcit/sha2   X          SHA-256 hash of the certificate.
SecretShare         m/kcit/sssh   ?    X     Contains one (of m) shares of the secret.
SecretShareVersion  m/kcit/sssv   X    X     The version of the secret share.

m/kcit/turi : TraitURI

The URI that uniquely identifies the specification used to implement this trait.

Attribute    Value
Value Type   URI-reference
Flags        CONST, REQ

m/kcit/type : Type

Specifies what type of key this item contains.

Attribute    Value
Value Type   integer
Flags        CONST, REQ

  • 0 = x.509 certificate
  • 1 = password
  • 2 = AES128 key

m/kcit/ours : Ours

Indicates whether this certificate item has a private key.

Attribute    Value
Value Type   boolean
Flags        CONST

If this item is a certificate without a private key, this value is false; otherwise it is true. The field is only required when the contained key is asymmetric (public/private); for symmetric keys (password, AES128) it has no meaning.

m/kcit/cert : Certificate

DER-encoded X.509 Certificate.

Attribute    Value
Value Type   byte string
Flags        CONST

If the key for this item is asymmetric, this property contains the public portion; for X.509 keys that is the public certificate in DER encoding. If the underlying key is symmetric, this property is absent.

m/kcit/sha2 : HashSha256

SHA-256 hash of the certificate, computed over the DER bytes carried in m/kcit/cert.

Attribute    Value
Value Type   byte string
Flags        CONST
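The metadata properties above are constrained by each other (an x.509 item needs m/kcit/cert and m/kcit/ours, m/kcit/sha2 must match the certificate bytes, symmetric items carry no certificate, and m/kcit/sssh may only appear where m/kcit/ours is true). The following is an added example of a consistency check over those invariants; it is not the trait's reference implementation. It assumes the item is presented as a Python dict keyed by the property keys on this page and does not model the on-wire encoding; the sample certificate is a constructed DER stand-in, not a real X.509 certificate.

```python
"""Consistency checks for a KeychainItem (kcit) property set.

Added example, not the trait's reference implementation. It assumes the
item is presented as a dict keyed by the property keys on this page
(m/kcit/type, m/kcit/cert, ...); the on-wire encoding is not modelled.
"""
import hashlib
from typing import List, Optional

# m/kcit/type values from the trait definition
TYPE_X509, TYPE_PASSWORD, TYPE_AES128 = 0, 1, 2


def _der_outer_length_ok(der: bytes) -> bool:
    """Cheap sanity check: one DER SEQUENCE (tag 0x30) whose encoded length
    spans the whole buffer. Not an X.509 parse; it only catches truncated or
    trailing-garbage certificates before the hash comparison."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + length


def cert_hash(cert: bytes) -> bytes:
    """Value expected in m/kcit/sha2 for a given m/kcit/cert."""
    return hashlib.sha256(cert).digest()


def make_x509_item(turi: str, cert: bytes, ours: bool,
                   secret_share: Optional[bytes] = None,
                   share_version: Optional[int] = None) -> dict:
    """Build a well-formed x.509 item (hash derived from the certificate)."""
    item = {"m/kcit/turi": turi, "m/kcit/type": TYPE_X509,
            "m/kcit/ours": ours, "m/kcit/cert": cert,
            "m/kcit/sha2": cert_hash(cert)}
    if secret_share is not None:
        item["m/kcit/sssh"] = secret_share
        item["m/kcit/sssv"] = share_version
    return item


def validate_keychain_item(item: dict) -> List[str]:
    """Return the list of invariant violations (empty list means consistent)."""
    errors: List[str] = []
    if "m/kcit/turi" not in item:
        errors.append("m/kcit/turi is required")
    ktype = item.get("m/kcit/type")
    if ktype not in (TYPE_X509, TYPE_PASSWORD, TYPE_AES128):
        errors.append(f"m/kcit/type {ktype!r} is not 0, 1 or 2")
    cert = item.get("m/kcit/cert")
    ours = item.get("m/kcit/ours")
    if ktype == TYPE_X509:
        # asymmetric: the public certificate and the ours flag must be present
        if cert is None:
            errors.append("x.509 item must carry m/kcit/cert")
        else:
            if not _der_outer_length_ok(cert):
                errors.append("m/kcit/cert is not a single DER SEQUENCE")
            if item.get("m/kcit/sha2") != cert_hash(cert):
                errors.append("m/kcit/sha2 does not match SHA-256 of m/kcit/cert")
        if not isinstance(ours, bool):
            errors.append("m/kcit/ours is required for asymmetric keys")
    elif cert is not None:
        # symmetric (password, AES128): there is no public portion to publish
        errors.append("symmetric item must not carry m/kcit/cert")
    if item.get("m/kcit/sssh") is not None:
        if ours is not True:
            errors.append("m/kcit/sssh is only allowed where m/kcit/ours is true")
        if item.get("m/kcit/sssv") is None:
            errors.append("m/kcit/sssh present without m/kcit/sssv")
    return errors


# Constructed stand-in for a DER certificate: SEQUENCE { INTEGER 5 }.
# A real item would carry a full DER-encoded X.509 certificate here.
SAMPLE_CERT = b"\x30\x03\x02\x01\x05"
TURI = "tag:google.com,2018:m2m:traits:keychain-item:v1:v0#r0"

if __name__ == "__main__":
    ok = make_x509_item(TURI, SAMPLE_CERT, ours=False)
    print(validate_keychain_item(ok))
    tampered = {**ok, "m/kcit/sha2": bytes(32)}
    print(validate_keychain_item(tampered))
```

The hash comparison is the check a client should make before trusting a certificate fetched from a device: m/kcit/sha2 is the stable identifier of the item, and a certificate body that no longer hashes to it has been replaced or corrupted.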

m/kcit/sssh : SecretShare

Contains one (of m) shares of the secret.

Attribute    Value
Value Type   nullable byte string
Flags        OPT_GET, SET

This property can only be read by someone who has authenticated with the “init” identity, and it is only present on keychain items where m/kcit/ours is true. Each such item holds one of m shares of the administrative credentials of the network; collecting enough shares lets an administrator reconstruct those credentials by physically interacting with only a subset of the devices in the administrative domain, rather than factory-resetting every device. The same property makes the shares a recovery target: anyone able to authenticate as “init” to that subset of devices can recover the credential, so access to the init identity must be treated as equivalent to holding the administrative credentials.

m/kcit/sssv : SecretShareVersion

The version of the secret share.

Attribute    Value
Value Type   nullable integer
Flags        RW

This property MUST be updated every time the secret share is updated, so that a share belonging to an older generation of the secret can be recognised and is not combined with newer shares during reconstruction.
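The SecretShare and SecretShareVersion properties together describe a threshold recovery of the administrative credential: each device holds one share, any sufficiently large subset reconstructs the secret, and shares of different versions must never be mixed. The page does not name the sharing scheme; the following added example (not the trait's or any device firmware's code) assumes Shamir's scheme over GF(2^8) and models a share as a (device index, share bytes, m/kcit/sssv) tuple, with the threshold k and the sample credential constructed for illustration.

```python
"""Threshold reconstruction of an administrative credential from keychain
item secret shares (m/kcit/sssh) tagged with a version (m/kcit/sssv).

Added example. Shamir's scheme over GF(2^8) is an ASSUMPTION: the trait
page does not name the sharing scheme or the threshold.
"""
import secrets
from typing import List, Tuple

Share = Tuple[int, bytes, int]   # (x coordinate, share bytes, m/kcit/sssv)


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _gf_inv(a: int) -> int:
    """Multiplicative inverse as a^(2^8 - 2); 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(2^8)")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r


def split_secret(secret: bytes, k: int, n: int, version: int) -> List[Share]:
    """Split `secret` into n shares, any k of which reconstruct it.

    Each byte of the secret is the constant term of its own random
    polynomial of degree k-1; share i is that polynomial evaluated at x=i.
    """
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    # k-1 random coefficients per secret byte (coefficient 0 is the byte itself)
    polys = [[b] + list(secrets.token_bytes(k - 1)) for b in secret]
    shares: List[Share] = []
    for x in range(1, n + 1):
        y = bytearray()
        for coeffs in polys:
            acc = 0
            for c in reversed(coeffs):          # Horner evaluation at x
                acc = _gf_mul(acc, x) ^ c
            y.append(acc)
        shares.append((x, bytes(y), version))
    return shares


def reconstruct_secret(shares: List[Share], k: int) -> bytes:
    """Recover the secret from at least k shares of a single version.

    Refuses to mix versions: a device whose m/kcit/sssv differs holds a
    share of a different secret, and interpolating across versions yields
    garbage rather than an error.
    """
    versions = {v for _, _, v in shares}
    if len(versions) != 1:
        raise ValueError(f"mixed secret share versions: {sorted(versions)}")
    xs = [x for x, _, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    if len(shares) < k:
        raise ValueError(f"need {k} shares, got {len(shares)}")
    use = shares[:k]
    length = len(use[0][1])
    if any(len(y) != length for _, y, _ in use):
        raise ValueError("share length mismatch")
    out = bytearray()
    for pos in range(length):
        acc = 0
        for j, (xj, yj, _) in enumerate(use):
            # Lagrange basis at x=0: prod_{m!=j} x_m / (x_m - x_j);
            # in GF(2^8) subtraction is XOR
            basis = 1
            for m, (xm, _, _) in enumerate(use):
                if m != j:
                    basis = _gf_mul(basis, _gf_mul(xm, _gf_inv(xm ^ xj)))
            acc ^= _gf_mul(yj[pos], basis)
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample credential, split across 5 devices with threshold 3.
    credential = b"constructed-admin-credential"
    shares = split_secret(credential, k=3, n=5, version=1)
    print(reconstruct_secret([shares[0], shares[2], shares[4]], k=3) == credential)
```

When the administrative credential is rotated, every device's m/kcit/sssh and m/kcit/sssv are rewritten together; a device that missed the rotation still carries the old version number, and reconstruct_secret rejects it instead of silently producing a wrong credential.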