Last active
December 30, 2025 08:46
Linux Trust Root
| +------------------------------+ | |
| | Hardware / OS | | |
| | (TPM/FIDO2, kernel keyring) | | |
| +---------------+--------------+ | |
| | | |
| v | |
| (system services / daemons) | |
| +----------------------+ | +------------------------+ | |
| | systemd-credentials| | | Polykey agent | | |
| | (LoadCredential=, | | | - JWK root keys | | |
| | /run/credstore, fds)| | | - sigchains, claims | | |
| +-----------+----------+ | +-----------+------------+ | |
| | | | | |
| | inject secrets into | uses OS creds (TPM, files) | exports X.509 | |
| | unit's file descriptors | for its own storage | (PEM/P12) for apps | |
| v v v | |
| +----------------------+ +---------------------------+ +----------------------+ | |
| | system services | | Filesystem key stores | | X.509 artefacts | | |
| | (nginx, postgres, | | - /etc/ssl/certs (CAs) | | - cert.pem | | |
| | your infra) | | - /etc/pki (CAs) | | - key.pem | | |
| +----------------------+ | - ~/.pki, NSS DB | | - x.p12 | | |
| | - ~/.gnupg (GPG+S/MIME) | +----------+----------+ | |
| | - ~/.ssh (SSH keys) | | | |
| +---------------------------+ | | |
| readable via | |
| OpenSSL/NSS/QCA | |
| or PKCS#11 | |
| +-------------------------------------------------------------+ | |
| | Middleware / APIs | | |
| | | | |
| | +-----------+ +-----------+ +-----------+ | | |
| | | OpenSSL | | GnuTLS | | NSS | | | |
| | +-----------+ +-----------+ +-----------+ | | |
| | ^ ^ ^ | | |
| | | | | | | |
| | (PEM/P12) (PEM/P12) (NSS DB) | | |
| | | | |
| | +-----------------------------------------------------+ | | |
| | | PKCS#11 / p11-kit hub | | | |
| | | - exposes tokens: gnupg-pkcs11, GNOME keyring, | | | |
| | | smartcards, HSMs | | | |
| | +--------------------+--------------------------------+ | | |
| | | | | |
| +-----------------------|-----------------------------------+ | |
| | | |
| +---------------+-----------------+ | |
| | GNOME keyring | | |
| | (gnome-keyring-daemon) | | |
| | - secrets, some keys/certs | | |
| | - Secret Service (D-Bus) | | |
| | - PKCS#11 module for p11-kit | | |
| +---------------+-----------------+ | |
| ^ | |
| | | |
| +-------+--------+ | |
| | Seahorse | | |
| | (GUI: manages | | |
| | GNOME keyring | | |
| | + sometimes | | |
| | GPG keys) | | |
| +----------------+ | |
| +----------------------+ +------------------------------+ | |
| | GnuPG | | SSH | | |
| | ~/.gnupg, gpg-agent | | ~/.ssh, ssh-agent or | | |
| | - OpenPGP | | gpg-agent w/ ssh support | | |
| | - gpgsm (X.509/S-MIME)| +------------------------------+ | |
| +----------+-----------+ | |
| | | |
| GPGME / assuan / pinentry | |
| | | |
| Apps that speak GPG: git, mail, etc. | |
| +---------------------------------------------------------------------------------+ | |
| | Apps | | |
| | | | |
| | Browsers PDF tools Mailers CLI tools | | |
| | - Firefox - Okular - Thunderbird - curl, git, ssh | | |
| | - Chrome - Master PDF Editor - Evolution - openssl, gpg | | |
| | | | |
| | They pull keys/certs via: | | |
| | - direct file paths (PEM, P12) | | |
| | - NSS DB (Firefox) | | |
| | - PKCS#11/p11-kit (YubiKey, GNOME keyring, etc.) | | |
| | - GPGME/gpg-agent (for OpenPGP stuff) | | |
| +---------------------------------------------------------------------------------+ | |
| Polykey node | |
| +-------------------+ | |
| | private.jwk | | |
| | public.jwk | | |
| | sigchain, claims | | |
| +---------+---------+ | |
| | | |
| "export X.509" | |
| v | |
| cert.pem / key.pem / p12 (for PDF signing, TLS, etc.) | |
| | | |
| imported into: | |
| - Master PDF Editor / Okular (PKCS#12) | |
| - GNOME keyring via Seahorse (PKCS#12 or cert+key) | |
| - systemd-credentials (as opaque secret) | |
| - NSS/OpenSSL-driven apps |
Author
Even now, it's difficult to work with PEM and JWK and p12 files. Like the tooling doesn't exist to connect between them.
Author
The jose works with some of it.
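The diagram's "export X.509" hop starts from private.jwk / public.jwk and has to produce key.pem before anything like cert.pem or a PKCS#12 bundle can exist, and the comment above notes that the tooling for that hop is thin. The following is an added example, not code from the gist or from Polykey, that does the JWK to PEM step and back with only the Python standard library. It assumes the JWK is an Ed25519 key (RFC 8037 `kty: OKP`, `crv: Ed25519`), which is what makes this cheap: the PKCS#8 and SubjectPublicKeyInfo encodings for Ed25519 from RFC 8410 are fixed prefixes followed by 32 raw bytes, so no ASN.1 library is needed. RSA or EC JWKs would need a real DER encoder such as the `cryptography` package. A small RFC 8032 public-key derivation is included so that a JWK carrying only `d`, or a PKCS#8 PEM, can be completed with its public half; the sample key is the RFC 8037 appendix test vector, not a real node key.

```python
"""Bridge an Ed25519 JWK (RFC 8037, kty=OKP) to PEM (PKCS#8 / SPKI) and back.

Added example, standard library only. Assumes the key is Ed25519; other key
types need a proper ASN.1 encoder (e.g. the `cryptography` package).
"""
import base64
import hashlib
import json

# Fixed DER prefixes from RFC 8410. Ed25519 encodings have no variable-length
# fields, so wrapping/unwrapping is a prefix check rather than ASN.1 parsing.
PKCS8_PREFIX = bytes.fromhex("302e020100300506032b657004220420")  # PrivateKeyInfo; 32-byte seed follows
SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")  # SubjectPublicKeyInfo; 32-byte point follows


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


# Minimal Ed25519 public-key derivation (RFC 8032, affine arithmetic) so a
# private-only JWK or a PKCS#8 PEM can be completed with its public half.
_P = 2**255 - 19
_D = (-121665 * pow(121666, _P - 2, _P)) % _P
_I = pow(2, (_P - 1) // 4, _P)


def _edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = _D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, _P - 2, _P) % _P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, _P - 2, _P) % _P
    return x3, y3


def _scalar_mult(P, e):
    Q = (0, 1)  # neutral element of the curve
    while e:
        if e & 1:
            Q = _edwards_add(Q, P)
        P = _edwards_add(P, P)
        e >>= 1
    return Q


def _x_from_y(y):
    xx = (y * y - 1) * pow(_D * y * y + 1, _P - 2, _P) % _P
    x = pow(xx, (_P + 3) // 8, _P)
    if (x * x - xx) % _P:
        x = x * _I % _P
    return _P - x if x & 1 else x


_BY = 4 * pow(5, _P - 2, _P) % _P
_B = (_x_from_y(_BY), _BY)  # standard base point


def ed25519_public_key(seed: bytes) -> bytes:
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    a &= (1 << 254) - 8  # clear the low 3 bits and bits 254/255
    a |= 1 << 254        # set bit 254 (RFC 8032 clamping)
    x, y = _scalar_mult(_B, a)
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def _unpem(pem: str, label: str) -> bytes:
    body = pem.strip().splitlines()
    if body[0] != f"-----BEGIN {label}-----" or body[-1] != f"-----END {label}-----":
        raise ValueError(f"expected a {label} PEM block")
    return base64.b64decode("".join(body[1:-1]))


def jwk_to_pem(jwk: dict) -> dict:
    """Return {'private': PKCS#8 PEM or None, 'public': SPKI PEM} for an Ed25519 JWK."""
    if jwk.get("kty") != "OKP" or jwk.get("crv") != "Ed25519":
        raise ValueError("only OKP/Ed25519 JWKs are handled here")
    out = {"private": None}
    if "d" in jwk:
        seed = b64url_decode(jwk["d"])
        if len(seed) != 32:
            raise ValueError("Ed25519 seed must be 32 bytes")
        out["private"] = _pem("PRIVATE KEY", PKCS8_PREFIX + seed)
        pub = ed25519_public_key(seed)
        if "x" in jwk and b64url_decode(jwk["x"]) != pub:
            raise ValueError("JWK 'x' does not match the public key derived from 'd'")
    else:
        pub = b64url_decode(jwk["x"])
    out["public"] = _pem("PUBLIC KEY", SPKI_PREFIX + pub)
    return out


def pem_to_jwk(pem: str) -> dict:
    """Accept a PKCS#8 'PRIVATE KEY' or SPKI 'PUBLIC KEY' PEM and return an OKP JWK."""
    if "BEGIN PRIVATE KEY" in pem:
        der = _unpem(pem, "PRIVATE KEY")
        if not der.startswith(PKCS8_PREFIX) or len(der) != 48:
            raise ValueError("not an Ed25519 PKCS#8 key")
        seed = der[len(PKCS8_PREFIX):]
        return {"kty": "OKP", "crv": "Ed25519",
                "x": b64url_encode(ed25519_public_key(seed)), "d": b64url_encode(seed)}
    der = _unpem(pem, "PUBLIC KEY")
    if not der.startswith(SPKI_PREFIX) or len(der) != 44:
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
    return {"kty": "OKP", "crv": "Ed25519", "x": b64url_encode(der[len(SPKI_PREFIX):])}


if __name__ == "__main__":
    # Constructed sample: the RFC 8037 appendix A.1 test key, not a real node key.
    jwk = {"kty": "OKP", "crv": "Ed25519",
           "d": "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
           "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"}
    pems = jwk_to_pem(jwk)
    print(pems["private"], pems["public"], sep="")
    print(json.dumps(pem_to_jwk(pems["private"])))
```

The resulting `PRIVATE KEY` block is what `openssl pkey -in key.pem` and the OpenSSL-backed tools in the diagram consume, so from here the remaining hop to cert.pem and a PKCS#12 bundle is ordinary `openssl req` / `openssl pkcs12` work. Checking `x` against the key derived from `d` is deliberate: a JWK whose public half does not match its private half is the kind of inconsistency that otherwise surfaces only as a confusing signature failure much later.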
Author
Going to try this.
┌─────────────────────────────────────────────┐
│ CENTER (ADVERSARIAL “ROOTS”) │
│ - Default trust stores (browser/OS/runtime)│
│ - BigTech recovery + phone-number anchors │
│ - Enterprise IdP/MDM/compliance gates │
│ - Fast-moving policy + revocation surfaces │
└─────────────────────────────────────────────┘
▲ ▲ ▲
│ │ │
Frontal siege loses │ │ │ Policy churn
(attrition / upkeep) │ │ │ + “sole discretion”
│ │ │
──────────────────────────────────────────────┼────────────┼────────────┼──────────────────────────────
│ │ │
“GO MOVE”: break edges, island-hop, reroute around the center; build alternative trust-flow
(Overlay → Invert; recovery becomes the true root; legacy anchors demoted to attributes)
──────────────────────────────────────────────┼────────────┼────────────┼──────────────────────────────
│ │ │
▼ ▼ ▼
┌────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ POLYKEY EDGE OVERLAY (FOOTHOLDS) │
│ Many small, low-maintenance edges → compose into a large “net” of capability (not a single root). │
│ │
│ [Existing PK nodes] introduce/join [Target nodes] [Legacy systems] │
│ phone / win / mac ───────────────► laptop / server / iot ssh, browsers, pdf, smime, tls │
│ container / worker container / worker runtimes (java/node), device mgmt │
│ │
│ Each join = scoped capability + receipt + continuity binding (idempotent “apply/verify/reapply”) │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
│
│ (stable invariants: minimal Rust core)
▼
┌────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ POLYKEY SOVEREIGN CORE (INVARIANT) │
│ - Peer keys + node state │
│ - Sigchain / verifiable memory + cross-chain claims │
│ - Gestalt quorum recovery (the inversion lever) │
│ - Purpose keys + constraints + policy │
│ - Sign/attest API: sign(digest, purpose, constraints) │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
│
│ emits “plans” + “receipts” (P/S/R/V) + “projections”
▼
┌────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ RECEIPT RAILS + CEP (THE CONTROL SURFACE) │
│ Principal ──grants──► Subject ──acts──► Resource ──receipts──► Verifier │
│ Enforcement Point can sit at edges (Principal-side / Subject-side / Resource-side) │
│ Modes (bridge legacy safely): Mediate / Derive / Reveal │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
│
│ choose best available “edge rail” (robotic if possible; human-minimal otherwise)
▼
┌────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ BOOTSTRAP / JOIN PLANNER (ADAPTIVE) │
│ Probe → select transport(s) → apply → verify │
│ │
│ Transports (how we “island hop”): │
│ A) Robot rails (enterprise / infra): MDM, cloud-init/ignition, Redfish/BMC │
│ B) Human-minimal rails: passkeys/system keys, QR/short-code, USB │
│ C) Runtime rails: systemd/service manager hooks, container platforms, worker secret APIs │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
│
│ project capabilities into “legacy-shaped” views ONLY at the edge
▼
┌────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ LEGACY “VIEWS” (DISPOSABLE PROJECTIONS, NOT ROOT) │
│ Packaging strategies: │
│ - X.509 / PKCS#12 (TLS, S/MIME, enterprise) │
│ - CMS signatures (PDF / S/MIME) │
│ - OpenSSH certs │
│ - OpenPGP │
│ - Wallet derivations / chain keys │
│ │
│ Anti-export conduits (reduce weak edges): │
│ - Remote signing APIs (hash-in / signature-out) │
│ - Token-style local signing (where possible) │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ MATERIALIZED TRUST “CACHES” (TARGET-SPECIFIC, CHURNY) │
│ OS store | Browser stores | Runtime stores | Enterprise policy stores │
│ Treated as: ephemeral caches that can be re-materialized from Polykey continuity + receipts. │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
One of the key goals of PK is being able to 'polycentrically' unify with the other keys like ssh and gnupg as common "identity sources". It should just be able to consume them and use them as well. There's no real key hierarchy as that's too fixed. Instead you'd want to keep ssh key and gnupg key in PK.