Effective Capabilities (Tying It All Together)

This document describes how Object-related concepts all work together and interact with one another.

This is illustrated with a toy example. Let us assume that we are trying to establish a Session with Authentication Key 0xabcd so that it can use the Asymmetric Key 0x1234 to sign some data. The first thing required is to create and authenticate a Session. This requires knowledge of what the long-lived keys are (or what the associated derivation password is). Once a valid Session is established, a series of properties connected with the Authentication Key used to create the Session are inherited by the Session itself. More specifically: the Domains, Capabilities and Delegated Capabilities associated with Authentication Key 0xabcd are now part of the Session we just established.

The first repercussion is that, out of all the different Objects stored in the device, we will only have access to those that belong to the same Domains as Authentication Key 0xabcd.

Assuming that Asymmetric Key 0x1234 is in one such Domain, we can now continue and ask the device to generate a signature. To do so we will send the appropriate command over the Session. For the command to be successfully executed, a series of things have to happen. First of all, the arguments of the specific command (Sign Data in this case) have to be valid, i.e., sending malformed data to the device results in an error. Assuming that Asymmetric Key 0x1234 is an RSA 2048-bit key and that we would like to obtain a signature using RSASSA-PSS, both Authentication Key 0xabcd and Asymmetric Key 0x1234 will have to have the Capability sign-pss set. Again, the required Capability has to be set on both the Authentication Key used to establish the Session (Authentication Key 0xabcd) and the target Object used to perform the operation (Asymmetric Key 0x1234).

In other words, we define the intersection between the Capabilities of the Authentication Key used to establish the Session, and the Capabilities of the target Object involved in the operation as the Effective Capabilities. An operation with a given target Object over a given Session will then only succeed if the Capabilities required by the operation are included in the Effective Capabilities.

The interaction between Domains and Effective Capabilities allows for flexible setup and role definition. For example, it is possible to assign a set of Capabilities to an Object, and then spread out the same Capabilities across different Authentication Keys so that each one of them is able to operate with the target Object in a precisely defined way. Alternatively, it is possible to completely disable specific operations by not assigning the corresponding Capabilities to an Authentication Key. For example, an "Administrator" Authentication Key could be able to only create keys, and a "User" Authentication Key could be able to only use those same keys.
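The following is an added example, not code from this document or from the device SDK: a small Python model of the rules described above (Domain visibility, the Effective Capabilities intersection, and the argument check that precedes it), exercised on the toy scenario of Authentication Key 0xabcd signing with Asymmetric Key 0x1234 and on the "Administrator"/"User" role split. The Domain numbers, the extra Authentication Keys, and every capability name other than sign-pss are constructed for illustration; the `sign_pss`, `authorize` and `effective_capabilities` functions are this model's own names, not device commands.

```python
"""Toy model of Sessions, Domains and Effective Capabilities.

Added example (not SDK code): it encodes the authorization rules the text
describes so the intersection logic can be run and checked offline.
Domain numbers, the extra Authentication Keys and all capability names other
than "sign-pss" are constructed/assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HsmObject:
    """An Object stored in the device: id, type, Domains and Capabilities."""
    object_id: int
    object_type: str          # "authentication-key" or "asymmetric-key"
    domains: frozenset        # Domains the Object belongs to
    capabilities: frozenset   # Capabilities set on the Object
    delegated_capabilities: frozenset = frozenset()  # inherited by the Session; not exercised here


@dataclass(frozen=True)
class Session:
    """A Session inherits Domains and Capabilities from the Authentication Key
    that established it."""
    auth_key: HsmObject

    @property
    def domains(self):
        return self.auth_key.domains

    @property
    def capabilities(self):
        return self.auth_key.capabilities


def is_visible(session, target):
    """An Object is reachable only if it shares at least one Domain with the Session."""
    return bool(session.domains & target.domains)


def effective_capabilities(session, target):
    """Intersection of the Session's (i.e. the Authentication Key's) Capabilities
    and the target Object's Capabilities."""
    return session.capabilities & target.capabilities


def authorize(session, target, required):
    """Allow an operation needing `required` Capabilities on `target` over `session`
    only if those Capabilities are all within the Effective Capabilities."""
    if not is_visible(session, target):
        return False, "target not in any Domain of the Session"
    missing = frozenset(required) - effective_capabilities(session, target)
    if missing:
        return False, "missing Effective Capabilities: " + ", ".join(sorted(missing))
    return True, "ok"


def sign_pss(session, key_id, data, objects):
    """Model of the Sign Data (PSS) command path: argument validation first,
    then the Effective Capabilities check against the target key."""
    if not isinstance(data, (bytes, bytearray)) or len(data) == 0:
        return False, "malformed arguments"        # the device would return an error here
    target = objects.get(key_id)
    if target is None or target.object_type != "asymmetric-key":
        return False, "no such asymmetric key"
    return authorize(session, target, {"sign-pss"})


# Constructed fixtures for the text's toy scenario (Domain numbers assumed).
ASYM_KEY_1234 = HsmObject(0x1234, "asymmetric-key", frozenset({2}),
                          frozenset({"sign-pss", "sign-pkcs"}))
AUTH_KEY_ABCD = HsmObject(0xabcd, "authentication-key", frozenset({1, 2}),
                          frozenset({"sign-pss"}))
# "Administrator": may create keys in Domain 2 but holds no usage Capability.
AUTH_KEY_ADMIN = HsmObject(0x0001, "authentication-key", frozenset({2}),
                           frozenset({"generate-asymmetric-key"}))
# Same usage Capabilities as the key, but in a Domain that does not contain 0x1234.
AUTH_KEY_OTHER = HsmObject(0x0002, "authentication-key", frozenset({5}),
                           frozenset({"sign-pss", "sign-pkcs"}))
OBJECTS = {o.object_id: o
           for o in (ASYM_KEY_1234, AUTH_KEY_ABCD, AUTH_KEY_ADMIN, AUTH_KEY_OTHER)}

if __name__ == "__main__":
    user = Session(AUTH_KEY_ABCD)
    print("effective:", sorted(effective_capabilities(user, ASYM_KEY_1234)))
    print("user sign-pss:", sign_pss(user, 0x1234, b"payload", OBJECTS))
    print("user sign-pkcs:", authorize(user, ASYM_KEY_1234, {"sign-pkcs"}))
    print("admin sign-pss:", sign_pss(Session(AUTH_KEY_ADMIN), 0x1234, b"payload", OBJECTS))
    print("other domain:", sign_pss(Session(AUTH_KEY_OTHER), 0x1234, b"payload", OBJECTS))
```

Note that `AUTH_KEY_OTHER` carries every Capability the key has and is still refused: Domain membership is checked before Capabilities are even intersected, which is why a role split can be built from Domains and Capabilities together rather than from Capabilities alone.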