poztter.org
component · 0x0040 / 0x0041
Auth Zone.
The Auth Zone defines authentication trust groups. Sites declare the security level they require; users configure which keys clear that level. POZ separates how strong from which keys.
trust groups
A trust group is a set of keys, all of which must sign the authentication challenge. Group sizes are fixed by the protocol so that sites and clients can negotiate them by name:
| Size | Level | Example composition |
|---|---|---|
| 2 | BASIC | Device + PIN |
| 4 | STANDARD | Device + biometric + PIN + TOTP |
| 8 | SECURE | Multiple devices + biometrics + hardware tokens |
A bank says: "Login requires SECURE." Your client picks a group of size 8 and signs. A blog says: "BASIC is fine." Your client picks a group of size 2. The site doesn't tell you which keys to use; you don't tell the site how you authenticate.
authentication flow
revocation
Revoked keys are listed with timestamps in the Auth Zone itself.
For real-time checks, a revocation_service_hash in the
zone references a REVOCATION-type service in the
Service Zone. Sites
should check the revocation list before accepting authentication —
a key revoked yesterday should not authenticate today.
Because the Master Zone's delegation to the Auth Zone splits grant and deny, a single key with high deny authority can revoke a compromised authentication key immediately, without a quorum. See delegation →
why fixed sizes
Fixed sizes (2, 4, 8) make security level a small enum rather than a number to negotiate. A site doesn't have to express "I want at least these specific assurances" in some complicated policy language. The protocol fixes the rungs of the ladder; users decide what fills each rung.
auth vs. identity
see also
- Service Zone — where the revocation service is registered.
- Identity Zone — the "who you are" companion to "how you prove it."
- RFC POZ-CORE §13